Russian hackers have exploited a zero-day exploit in Apple’s iOS operating system to attack Western politicians. A vulnerability in Webkit in Safari allowed attackers to send a message with a phishing link via LinkedIn Messaging. Once on the page, authentication cookies from popular sites like Facebook and Google were stolen.
A zero-day exploit is a vulnerability in a software program or application that has existed since launch but is unknown to the developers. Hackers and cybercriminals exploit these vulnerabilities to gain undetected access, steal data, or install ransomware or other malicious malware. Zero-day exploits are therefore very dangerous. Major tech companies spend millions of dollars annually on ethical hackers to discover and report these vulnerabilities.
Google’s Threat Analysis Group (TAG) tracks zero days on a daily basis. In its latest blog, the group writes that they have recently found four zero-day exploits. This brings the counter for this year to 33. TAG discovered 22 zero-day vulnerabilities throughout 2020, an increase of 50 per cent compared to last.
Google is very concerned about this. It is increasingly common for hackers to discover and sell zero-day exploits to private parties. “Groups no longer need the technical expertise, now they just need resources,” Google said. According to the tech giant, three of the four exploits discovered were developed by commercial parties and sold to state hackers.
The exploit in question disabled the Same-Origin-Policy protection. This is a security measure that should prevent certain data from being exchanged between websites. By evading the Same-Origin Policy, hackers managed to collect authentication tokens for accounts from popular sites such as Google, Facebook, Microsoft, Yahoo and LinkedIn within Safari. These tokens were sent via a WebSocket to an IP address of the hacker. At the time of the attack, the victim had to surf the Internet using Apple’s web browser to work.
TAG describes how this zero-day exploit was actively abused by Russian state hackers. They used the leak to send phishing links to Western European politicians via LinkedIn Messaging. If they clicked on this URL from an iPhone or iPad, this link redirected them to a rogue website. That’s where the authentication tokens were taken.
Google won’t say who abused the zero-day exploit, but it’s calling it “hackers backed by Russia.” The vulnerability was discovered on March 19 by TAG and worked on iPhones and iPads running iOS versions 12.4 through 13.7. A week later, Apple rolled out a security update that closed the leak.
Catch up on more articles here
Follow us on Twitter here