The Russian state hackers who orchestrated last year's SolarWinds supply chain attack exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing Web authentication credentials from Western European governments, according to Google and Microsoft.
In a post Google published on Wednesday, researchers Maddie Stone and Clement Lecigne said that "a likely Russian government-backed actor" exploited the then-unknown vulnerability by sending messages to government officials over LinkedIn.
Moscow, Western Europe and U.S. Agency for International Development
The attacks, which exploited CVE-2021-1879 (the identifier under which the zero-day is tracked), redirected users to domains that installed malicious payloads on fully updated iPhones. The researchers said the attacks coincided with a campaign by the same hackers that delivered malware to Windows users.
The activity closely tracks one Microsoft disclosed in May. In that instance, Microsoft said that Nobelium, the name Microsoft uses for the hackers behind the SolarWinds supply chain attack, first managed to compromise an account belonging to the United States Agency for International Development (USAID), the US government agency that administers civilian foreign aid and development assistance. With control over the agency's account at the online marketing company Constant Contact, the hackers were able to send emails that appeared to come from addresses known to belong to the US agency.
The federal government has attributed last year's supply chain attack to hackers working for Russia's Foreign Intelligence Service (SVR). For more than a decade, the SVR has run malware campaigns against governments, political think tanks, and other organizations in Germany, Uzbekistan, South Korea, and the United States. Past targets have included the US State Department and the White House in 2014. Other names used to identify the group include APT29, the Dukes, and Cozy Bear.
In an email, Shane Huntley, the head of Google's Threat Analysis Group, confirmed the connection between the attacks involving USAID and the iOS zero-day, which resided in the WebKit browser engine.
"These are two different campaigns, but based on our visibility, we consider the actors behind the WebKit 0-day and the USAID campaign to be the same group of actors," Huntley wrote. "It is important to note that everyone draws actor boundaries differently. In this particular case, we are aligned with the US and UK governments' assessment of APT 29."
Forget the sandbox
Microsoft said that throughout the campaign, Nobelium experimented with multiple attack variants. In one wave, a Web server controlled by Nobelium profiled the devices that connected to it to determine the operating system and hardware they were running. If the target device was an iPhone or iPad, the server delivered an exploit for CVE-2021-1879, which allowed the hackers to carry out a universal cross-site scripting attack. Apple patched the zero-day in late March.
In Wednesday's post, Stone and Lecigne wrote:
After several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879. This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo, and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for the cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, is mitigated in browsers with Site Isolation enabled, such as Chrome or Firefox.
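The device profiling described above is, from the defender's side, the same problem as checking your own web or proxy logs for visitors who were in the exploited version range. The following is an added example written for this page, not code from Google, Microsoft, or the campaign. It assumes the profiling can be approximated from the Safari User-Agent header (the report does not say exactly which signals the server used, so this is an assumption), and it uses the 12.4 through 13.7 range the Google post gives. The sample User-Agent strings are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample User-Agent strings (invented for this example, not
# captured from the campaign). Safari on iOS embeds the OS version as
# "OS 13_7" inside the platform parentheses.
SAMPLE_UAS: Dict[str, str] = {
    "iphone_13_7": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1",
    "ipad_12_4_1": "Mozilla/5.0 (iPad; CPU OS 12_4_1 like Mac OS X) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1",
    "iphone_14_4": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1",
    "iphone_12_3": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1",
    # iPadOS 13+ defaults to a desktop (Macintosh) UA, so a UA-based gate
    # cannot tell this visitor apart from a Mac. Edge case worth knowing.
    "ipad_desktop": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) "
                    "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15",
    "android": "Mozilla/5.0 (Linux; Android 11; Pixel 4) "
               "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.91 Mobile Safari/537.36",
}

# Range targeted by the exploit per the Google post (inclusive).
TARGET_MIN: Tuple[int, int] = (12, 4)
TARGET_MAX: Tuple[int, int] = (13, 7)

# Matches "(iPhone; CPU iPhone OS 13_7 like Mac OS X)" and
# "(iPad; CPU OS 12_4_1 like Mac OS X)"; the patch version is optional.
_IOS_RE = re.compile(
    r"\((iPhone|iPad|iPod touch);[^)]*?OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X\)"
)


def parse_ios(ua: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (device, version tuple) for an iOS Safari UA, else None."""
    m = _IOS_RE.search(ua)
    if not m:
        return None
    device = m.group(1)
    version = tuple(int(g) for g in m.groups()[1:] if g is not None)
    return device, version


def in_target_range(version: Tuple[int, ...]) -> bool:
    """True if major.minor falls inside TARGET_MIN..TARGET_MAX inclusive.

    Only major and minor are compared: 12.4.1 counts as 12.4, and 13.7 was
    the last iOS 13 release, so every 13.x is at or below the upper bound.
    """
    return TARGET_MIN <= version[:2] <= TARGET_MAX


def classify(ua: str) -> str:
    """Label a UA as not-ios, ios-out-of-range, or ios-in-range."""
    parsed = parse_ios(ua)
    if parsed is None:
        return "not-ios"
    _, version = parsed
    return "ios-in-range" if in_target_range(version) else "ios-out-of-range"


def triage(uas: Dict[str, str]) -> List[str]:
    """Return the keys of all visitors whose UA is in the targeted range."""
    return [name for name, ua in uas.items() if classify(ua) == "ios-in-range"]


if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        print(f"{name:14s} {classify(ua)}")
    print("exposed:", triage(SAMPLE_UAS))
```

Run over real access logs, the output is the list of clients that were inside the targeted range when they hit a suspicious URL. The desktop-UA iPad entry shows the limit of the approach: a server that only read User-Agent would have skipped those devices, and so will this check, which is one reason the report's mention of additional validation checks on the device matters.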
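The exfiltration path described in the quoted text, a WebSocket opened from a page on a well-known site to an attacker-controlled IP address, is an observable a proxy or egress log can be hunted for. The following is an added example for this page, not code from Google or the campaign. It assumes a constructed proxy record format (method, URL, and request headers per request) and flags WebSocket handshakes whose target host is a literal IP rather than a hostname; the sample records are invented and use documentation address space. It is a heuristic, not a signature for this exploit.

```python
import ipaddress
from typing import Any, Dict, List
from urllib.parse import urlsplit

# Constructed proxy records (invented for this example, not campaign data).
# 203.0.113.0/24 is TEST-NET-3 documentation space.
SAMPLE_REQUESTS: List[Dict[str, Any]] = [
    {"ts": "2021-04-01T10:00:01Z", "client": "10.0.0.23", "method": "GET",
     "url": "https://www.linkedin.com/feed/",
     "headers": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X)"}},
    {"ts": "2021-04-01T10:00:09Z", "client": "10.0.0.23", "method": "GET",
     "url": "http://203.0.113.45:8080/ws",
     "headers": {"Connection": "Upgrade", "Upgrade": "websocket",
                 "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
                 "Origin": "https://accounts.google.com"}},
    {"ts": "2021-04-01T10:01:30Z", "client": "10.0.0.41", "method": "GET",
     "url": "https://chat.example.com/socket",
     "headers": {"Connection": "keep-alive, Upgrade", "Upgrade": "WebSocket"}},
    # Local dev tooling: a WebSocket to loopback. Ignored by default.
    {"ts": "2021-04-01T10:02:00Z", "client": "10.0.0.41", "method": "GET",
     "url": "http://127.0.0.1:35729/livereload",
     "headers": {"Connection": "Upgrade", "Upgrade": "websocket"}},
]


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def is_websocket_handshake(headers: Dict[str, str]) -> bool:
    """True if the request carries the RFC 6455 Upgrade/Connection pair."""
    upgrade = _header(headers, "Upgrade").lower()
    connection = [t.strip().lower() for t in _header(headers, "Connection").split(",")]
    return "websocket" in upgrade and "upgrade" in connection


def host_is_literal_ip(url: str) -> bool:
    """True if the URL's host is an IPv4/IPv6 literal rather than a name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_suspicious(records: List[Dict[str, Any]], ignore_loopback: bool = True) -> List[Dict[str, Any]]:
    """Return records that are WebSocket handshakes to a literal IP host.

    Loopback targets are dropped by default because live-reload and similar
    developer tools produce exactly this pattern legitimately.
    """
    flagged = []
    for rec in records:
        headers = rec.get("headers", {})
        if not is_websocket_handshake(headers):
            continue
        if not host_is_literal_ip(rec["url"]):
            continue
        ip = ipaddress.ip_address(urlsplit(rec["url"]).hostname)
        if ignore_loopback and ip.is_loopback:
            continue
        origin = _header(headers, "Origin")
        reason = "websocket to literal IP"
        if origin and urlsplit(origin).hostname != str(ip):
            reason += f" from page origin {origin}"
        flagged.append({**rec, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_REQUESTS):
        print(hit["ts"], hit["client"], hit["url"], "->", hit["reason"])
```

The Origin check is what makes the hit interesting rather than merely odd: a WebSocket handshake from a page on a major site's origin to a bare IP is the shape of the exfiltration the Google post describes. Expect noise from internal tools and embedded devices, and treat the result as a lead to pivot on, not a verdict.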
Zero day rain
The iOS attacks are part of a recent surge in zero-day usage. In the first half of this year, Google's Project Zero vulnerability research team recorded 33 zero-day exploits used in attacks, 11 more than the total for all of 2020. There are several reasons for the growth, including better detection by defenders and better software defenses, which in turn force attackers to chain multiple exploits to break through.
Another major driver is the increased supply of zero-days from private companies that sell exploits.