Last year, a group of Russian intelligence officials executed a successful cyberattack on SolarWinds, a giant information technology firm in the United States. After compromising the company's software, the Russians' attack spread further to SolarWinds customers, spying and wreaking havoc undetected for months before the breach was discovered.
Many “ultra-secure” iOS 14 Apple devices have been compromised
According to information from both Google and Microsoft, these same culprits managed to get their hands on an iOS 14 zero-day, which they exploited for the purpose of carrying out an e-mail campaign seeking to steal Western European government credentials for web authentication.
A zero-day, as spy-movie-sounding as it is, is simply a software vulnerability that has only just become known, leaving its developer or owner with "zero days" to fix it upon learning of it. A zero-day attack is when a malicious party exploits that vulnerability before the developer has had a chance to patch it.
The zero-day vulnerability in this case (tracked as CVE-2021-1879) lay in the WebKit browser engine, which is used by Safari along with Mail on iOS and the App Store (among others). What the Russian hacker group, known as Nobelium, did was send LinkedIn messages to US government officials which contained links that installed malicious payloads on their victims' devices.
After several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879. This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, is mitigated in browsers with Site Isolation enabled, such as Chrome or Firefox. —Stone and Lecigne
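The exfiltration step quoted above (cookies pushed over a WebSocket from Safari to a bare attacker-controlled IP, on the iOS 12.4 through 13.7 versions the exploit targeted) gives a defender two concrete signals to hunt for in egress proxy logs. The following detector is an added example, not code from the page or from the Google TAG writeup; it assumes a constructed tab-separated log format (timestamp, client, method, destination URL, Upgrade header or "-", User-Agent) and constructed sample lines using documentation IP ranges.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample proxy log lines (hypothetical format, not from any real environment):
# timestamp <TAB> client <TAB> method <TAB> destination URL <TAB> Upgrade header or "-" <TAB> User-Agent
SAMPLE_LOG = """\
2021-03-10T09:12:01Z\t10.0.4.21\tGET\twss://203.0.113.45:8080/ws\twebsocket\tMozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1
2021-03-10T09:12:05Z\t10.0.4.22\tGET\thttps://www.linkedin.com/feed/\t-\tMozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1
2021-03-10T09:13:40Z\t10.0.4.23\tGET\twss://chat.example.com/socket\twebsocket\tMozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Mobile/15E148 Safari/604.1
2021-03-10T09:14:02Z\t10.0.4.24\tGET\twss://198.51.100.7/ws\twebsocket\tMozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.1 Mobile/15E148 Safari/604.1
"""

# iOS versions the CVE-2021-1879 exploit targeted, per the quoted TAG text.
VULNERABLE_RANGE = ((12, 4), (13, 7))


def ios_version(user_agent: str) -> Optional[tuple]:
    """Parse 'iPhone OS 13_7' out of a Safari User-Agent into (13, 7); None if absent."""
    m = re.search(r"iPhone OS (\d+)_(\d+)", user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_ip_literal(url: str) -> bool:
    """True when the URL's host is a bare IPv4/IPv6 address rather than a DNS name."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_line(line: str) -> Optional[dict]:
    """Flag a WebSocket upgrade from Safari to an IP-literal host; rank by iOS version."""
    ts, client, _method, url, upgrade, ua = line.split("\t", 5)
    if upgrade.lower() != "websocket" or not is_ip_literal(url) or "Safari" not in ua:
        return None
    ver = ios_version(ua)
    in_range = ver is not None and VULNERABLE_RANGE[0] <= ver <= VULNERABLE_RANGE[1]
    return {"time": ts, "client": client, "dest": url, "ios": ver,
            "severity": "high" if in_range else "medium"}


def scan(log_text: str) -> list:
    """Return every flagged hit, in log order, for a block of log lines."""
    return [hit for hit in (flag_line(l) for l in log_text.splitlines() if l) if hit]
```

A WebSocket to a hostname (third line) and an ordinary HTTPS request (second line) are deliberately left unflagged; a hit outside the version range is kept at medium because the same destination pattern is still unusual for a phone.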
Apart from hacking iPhones and SolarWinds last year, Nobelium has also been discovered interfering with the 2020 presidential election in the United States, as well as penetrating and launching an attack against USAID (the United States Agency for International Development) in recent months.