A newly uncovered zero-day exploit impacting older versions of iOS was leveraged by Russia-backed hackers in a campaign that targeted officials of Western European governments.
Outlined by Google’s Threat Analysis team in a report on Wednesday, the attack involved messages sent to government officials over LinkedIn.
Victims who visited a provided link on their iOS device would be redirected to a domain that served up an initial malicious payload that subsequently examined device authenticity. After multiple validation checks were satisfied, a final payload containing the CVE-2021-1879 exploit was downloaded and used to bypass certain security protections.
According to Google, the zero-day turned off Same-Origin-Policy safeguards, or protections that prevent malicious scripts from collecting data on the web. By disabling the defense, hackers were able to gather website authentication information from Google, Microsoft, LinkedIn, Facebook, Yahoo and others before sending it on to an attacker-controlled IP, the report said.
“The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit,” writes Maddie Stone and Clement Lecigne. “The exploit targeted iOS versions 12.4 through 13.7.”
Browsers that support Site Isolation features, like Chrome or Firefox, are not impacted by Same-Origin-Policy attacks.
While Google fails to name the hacking group that conducted the attack, it does say that the operation coincided with a campaign from the same bad actor targeting Windows computers. ArsTechnica, which reported on Google’s findings today, identifies the actors as Nobelium, the same team behind 2019’s SolarWinds hack. Nobelium also used an attack vector involving CVE-2021-1879 in a hack related to the United States Agency for International Development.
Apple patched the flaw in March.
Keep up with everything Apple in the weekly AppleInsider Podcast — and get a fast news update from AppleInsider Daily. Just say, “Hey, Siri,” to your HomePod mini and ask for these podcasts, and our latest HomeKit Insider episode too.
If you want an ad-free main AppleInsider Podcast experience, you can support the AppleInsider podcast by subscribing for $5 per month through Apple’s Podcasts app, or via Patreon if you prefer any other podcast player.