Russian SolarWinds Hackers Used iOS Zero-Day to Steal Login Details

BY Rajesh Pandey

Published 15 Jul 2021

iOS 14.5 on iPhone 12

Apple has always been quick to patch all zero-day vulnerabilities in iOS to keep the platform safe and secure. However, Russian state hackers behind the SolarWinds hack managed to use an iOS zero-day exploit last year to run a malicious LinkedIn email campaign in a bid to steal the login credentials of Western European governments.

In a blog post, Google’s Threat Analysis Group (TAG) details that the Russian hackers used a zero-day exploit against Safari on iOS 14 for this campaign.

If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next stage payloads.

After several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879. This exploit would turn off Same-Origin Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo, and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit.
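As an added defender-side example (not from the article or the Google TAG post): the chain above ends with stolen cookies leaving the phone over a WebSocket to a bare attacker-controlled IP, which is an unusual shape for legitimate outbound web traffic. The Python below parses a constructed proxy-log format (an assumption, not any product's real format) and flags WebSocket upgrades from iPhone Safari clients to literal IP hosts; the sample lines and addresses are constructed.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse
# Constructed proxy-log format for this example (assumption, not a real product's format):
#   <timestamp> <client_ip> "<METHOD> <url>" <status> "<user-agent>" upgrade=<websocket|->
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" upgrade=(?P<upgrade>\S+)$'
)

def is_bare_ip(host):  # literal IPv4/IPv6 address rather than a DNS name
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname or ""
    return rec

def is_suspicious(rec, ios_only=True):
    """WebSocket upgrade to a bare IP; optionally restricted to iPhone Safari clients."""
    if rec["upgrade"].lower() != "websocket" or not is_bare_ip(rec["host"]):
        return False
    return not ios_only or ("iPhone" in rec["ua"] and "Safari" in rec["ua"])

def flag_lines(lines, ios_only=True):  # matching records, in log order
    return [r for r in map(parse_line, lines) if r and is_suspicious(r, ios_only)]

IOS_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) "
          "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1")
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2) AppleWebKit/537.36 Chrome/89.0 Safari/537.36"

# Constructed sample lines (203.0.113.0/24 is a documentation range, not a real indicator).
SAMPLE_LOG = [
    f'2021-03-22T10:01:02Z 10.0.0.8 "GET https://www.linkedin.com/feed/" 200 "{IOS_UA}" upgrade=-',
    f'2021-03-22T10:01:05Z 10.0.0.8 "GET wss://chat.example.com/socket" 101 "{IOS_UA}" upgrade=websocket',
    f'2021-03-22T10:01:09Z 10.0.0.8 "GET ws://203.0.113.5:8080/c" 101 "{IOS_UA}" upgrade=websocket',
    f'2021-03-22T10:02:11Z 10.0.0.9 "GET ws://203.0.113.6/" 101 "{MAC_UA}" upgrade=websocket',
]

if __name__ == "__main__":
    for r in flag_lines(SAMPLE_LOG):
        print(f'{r["ts"]} client={r["client"]} websocket to bare IP {r["host"]}')
```

The heuristic is a triage filter, not proof of compromise: legitimate apps occasionally use WebSockets to raw IPs, so hits should be correlated with the preceding redirect chain and the cookies' domains.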

Apple eventually fixed the 0-day vulnerability in iOS 14.4.2. This is another perfect example of why you should always update your iPhone to the latest iOS release, as it can contain several security fixes. This incident also shows that while Apple has upped its game with iOS security, the platform is still vulnerable to 0-day exploits that hackers can use for malicious attacks.

Google’s TAG itself notes that there has been a “huge uptick of in-the-wild 0-day” attacks. In 2021, 33 0-day exploits have been used and publicly reported so far, up from 22 exploits for the same timeframe in 2020.

[Via Google TAG]