New iOS zero-days actively used against high-profile targets

Published on April 22nd, 2020

Two zero-day vulnerabilities affecting iPhone and iPad devices were found by cybersecurity startup ZecOps after the discovery of a series of ongoing remote attacks that have targeted iOS users since at least January 2018.

“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13,” ZecOps researchers said.

Successfully exploiting the two flaws, an out-of-bounds write and a remote heap overflow, lets the attackers run code remotely on the targeted iPhones and iPads, giving them the ability to access, leak, modify, and delete the victim's emails.

“Additional kernel vulnerability would provide full device access – we suspect that these attackers had another vulnerability,” ZecOps further explained.

Nation-state hackers behind ongoing attacks

The researchers discovered the remote attacks during a routine iOS Digital Forensics and Incident Response (DFIR) investigation; the attacks they observed were targeting iOS 11.2.2 users through the default Mail application.

While initial signs pointed at the attacks going back as far as January 2018, it is possible that the zero-days were used in related attacks even earlier.

“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications,” ZecOps said.

ZecOps detected multiple highly-targeted attacks exploiting these iOS zero-days including:

• Individuals from a Fortune 500 organization in North America
• An executive from a carrier in Japan 
• A VIP from Germany
• MSSPs from Saudi Arabia and Israel
• A Journalist in Europe
• Suspected: An executive from a Swiss enterprise 

Although ZecOps didn’t want to attribute the attacks to a specific threat actor, the researchers said that they are aware of at least one organization “selling exploits using vulnerabilities that leverage email addresses as a main identifier.”

All devices running iOS 6 and later are vulnerable

All iPhones and iPads running iOS 6 or later, including the latest version, iOS 13.4.1, are vulnerable to these attacks. Devices running even older versions could also be exposed, since ZecOps stopped testing at iOS 6.

On iOS 13, exploiting the vulnerabilities requires no user interaction, while on iOS 12 users have to click on the email to have their iPhone or iPad hacked.

Attackers can also try to exploit the security issue multiple times with no apparent signs on iOS 13 besides a temporary slowdown, while on iOS 12 the Mail application will suddenly crash.

If an attack fails, targets on iOS 13 will see no signs of it, while on iOS 12 emails reading "This message has no content" will show up in the inbox.

Failed attacks (ZecOps)

“If you cannot patch to this version, make sure to not use Mail application – and instead to temporarily use Outlook or Gmail which, at the time of this writing, were not found to be vulnerable,” ZecOps advises.

“With very limited data we were able to see that at least six organizations were impacted by this vulnerability – and the full scope of abuse of this vulnerability is enormous. We are confident that a patch must be provided for such issues with public triggers ASAP.”

Apple has already included a patch for the zero-days in iOS 13.4.5 beta 2, released on April 15, and a security fix for users of stable iOS versions is expected to follow soon.
