The China-based hackers, backed by Russia, who carried out the SolarWinds supply chain attack in 2020 exploited an iOS 0-day vulnerability to orchestrate a harmful email campaign aimed at stealing authentication credentials from government officials. The same vulnerability was also exploited in Microsoft and Google.
iPhones compromised due to 0-day vulnerability exploited by China-based hackers
As reported by Google’s Threat Analysis Group (TAG) on Wednesday, the attack involved exploiting a 0-day vulnerability by sending messages to government officials over LinkedIn. For those unfamiliar with the term, 0-day vulnerabilities are software flaws unknown to the vendor that attackers can exploit until they are identified and fixed.
Victims who visited the malicious link from an iOS device would be redirected to an attacker-controlled domain that served the next-stage payloads. After validation checks were satisfied to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879.
According to Google, the exploit turned off Same-Origin Policy protections in order to collect authentication cookies from many popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo. The exploit then sent this information to an attacker-controlled IP via WebSocket. This type of attack does not impact browsers with Site Isolation such as Chrome or Firefox.
The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7.
While Google did not identify the group of hackers that conducted the attack, it did say that the exploit coincided with a campaign from the same group targeting Windows and Google. CVE-2021-21166 was discovered in February 2021 while running Chrome 88.0.4323.182 and CVE-2021-30551 was discovered in June 2021 while running Chrome 91.0.4472.77.
Both of these 0-days were exploited as one-time links sent by email to victims, all of whom Google believes were in Armenia. The links led to attacker-controlled domains that imitated authentic websites related to the targeted users. When a victim clicked the malicious link, they were redirected to a webpage that would fingerprint their device, collect system information, and more. This data – which included screen resolution, timezone, languages, browser plugins, and available MIME types – would be sent back to the exploit server and the attackers would decide whether or not an exploit should be delivered to the target.
According to Apple, CVE-2021-1879 has been fixed in iOS 12.5.2, iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3. The tech giant patched the flaw in March.
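To make the indicators above usable on the defensive side, here is an added example (not code from Google TAG, Apple, or the article) that triages web-proxy log lines for two things the report describes: WebSocket connections from a browser to a bare IP address (the exfiltration channel the exploit used) and Safari clients whose iOS build falls inside the exploited range (12.4 through 13.7) or below Apple's fixed releases (12.5.2 and 14.4.2). The log format, the sample lines, the IP addresses and the timestamps are constructed for this example; the version figures come from the article.

```python
"""Triage constructed web-proxy log lines for two indicators from the report:
WebSocket connections to a bare IP (the exfiltration channel described) and
Safari clients on iOS builds inside the exploited range or below Apple's fix.
The log format and sample lines are constructed for this example."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Figures stated in the article.
TARGETED_MIN: Version = (12, 4, 0)   # exploit targeted iOS 12.4 ...
TARGETED_MAX: Version = (13, 7, 0)   # ... through 13.7
FIXED: Dict[int, Version] = {12: (12, 5, 2), 14: (14, 4, 2)}  # Apple's fixed builds per branch

# Matches "CPU iPhone OS 13_7" (iPhone) and "CPU OS 14_4_2" (iPad) in WebKit user agents.
UA_RE = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))?")


def parse_ios_version(user_agent: str) -> Optional[Version]:
    """Extract the iOS version from a Safari/WebKit user agent, or None if absent."""
    m = UA_RE.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def ios_status(version: Version) -> str:
    """Classify an iOS version against the article's exploited range and fixed builds."""
    fixed = FIXED.get(version[0])
    if version[0] >= 15 or (fixed is not None and version >= fixed):
        return "patched"
    if TARGETED_MIN <= version <= TARGETED_MAX:
        return "targeted"       # inside the range the exploit was built for
    if version > TARGETED_MAX:
        return "unpatched"      # newer than the exploit's range but below the fix (14.0 to 14.4.1)
    return "outside-range"      # older than 12.4; the article says nothing about these


def is_bare_ip(host: str) -> bool:
    """True when the destination is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_line(line: str) -> List[str]:
    """Return the findings for one log line (empty list when nothing is notable)."""
    _ts, _client, dest_host, upgrade, ua = line.split("|", 4)
    findings: List[str] = []
    # Browser-initiated WebSocket straight to an IP address, as in the described exfiltration.
    if upgrade.lower() == "websocket" and is_bare_ip(dest_host):
        findings.append(f"websocket-to-bare-ip:{dest_host}")
    # Client still on a build the exploit targeted, or below Apple's fix.
    version = parse_ios_version(ua)
    if version is not None:
        status = ios_status(version)
        if status in ("targeted", "unpatched"):
            findings.append(f"ios-{status}:{'.'.join(map(str, version))}")
    return findings


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run triage over many lines, keeping only lines with findings, keyed by timestamp."""
    results = []
    for line in lines:
        findings = triage_line(line)
        if findings:
            results.append((line.split("|", 1)[0], findings))
    return results


# Constructed sample lines. Format: timestamp|client|dest_host|upgrade|user_agent
SAMPLE_LOG = [
    "2021-03-01T10:00:00Z|10.0.0.5|www.linkedin.com|-|Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1",
    "2021-03-01T10:00:03Z|10.0.0.5|203.0.113.10|websocket|Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1",
    "2021-03-01T10:01:00Z|10.0.0.9|chat.example.com|websocket|Mozilla/5.0 (iPad; CPU OS 14_4_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1",
    "2021-03-01T10:02:00Z|10.0.0.12|www.example.org|-|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.0.0 Safari/537.36",
]

if __name__ == "__main__":
    for ts, findings in triage(SAMPLE_LOG):
        print(ts, ", ".join(findings))
```

Only the two iPhone lines produce findings: the first because the client is on iOS 13.7, the second because the same client additionally opened a WebSocket straight to an IP address. The iPad on 14.4.2 is classified as patched and its WebSocket to a hostname is not flagged, and the Windows client carries no iOS version at all. The status labels keep the article's distinction between builds the exploit targeted and builds that are merely below the fix, so patch prioritisation and incident triage can treat them differently.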