According to Google and Microsoft, the Russian hackers responsible for last year's SolarWinds supply chain attack also exploited an iOS zero-day vulnerability as part of a separate malicious email campaign. The goal was to steal credentials from Western European governments.
In a Google publication, researchers Maddie Stone and Clement Lecigne stated that "attackers most likely backed by the Russian government" exploited the then-unknown vulnerability, sending messages to government officials via LinkedIn.
The attacks exploited the zero-day vulnerability CVE-2021-1879 to redirect users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers that delivered malware to Windows users.
In May, Microsoft had described the same campaign. Microsoft said that the Russian hacking group Nobelium (the name the company uses for the hackers behind the SolarWinds attack) first compromised an account belonging to USAID, a US government agency. With control of the agency's service account at the online marketing company Constant Contact, the attackers could send emails that appeared to come from addresses known to belong to the US agency.
The US federal government has attributed the SolarWinds supply chain attack to hackers working for Russia's Foreign Intelligence Service (SVR). For more than a decade, the SVR has been running malware campaigns targeting governments, political think tanks and other organizations in countries including Germany, Uzbekistan, South Korea and the USA. Targets have included the US State Department and the White House. Other names used for this hacking group include APT29, the Dukes and Cozy Bear.
In an email, Shane Huntley, head of Google's Threat Analysis Group, confirmed the link between the USAID attacks and the iOS zero-day.
"These are two different campaigns, but we believe that the hackers behind the iOS zero-day bug and the USAID breach are the same," Huntley wrote.
Throughout the campaign, Microsoft said, Nobelium experimented with multiple attack variants. If the target device was an iPhone or iPad, a server used an exploit for the iOS zero-day CVE-2021-1879, which allowed the hackers to carry out a cross-site scripting attack. Apple fixed the WebKit bug in late March (in iOS 14.4.2 and, for older devices, iOS 12.5.2); any iPhone or iPad still running an earlier version remains exposed.
In Wednesday's post, Google researchers wrote:
"The final payload takes advantage of CVE-2021-1879. This exploit disables Same-Origin-Policy protections in order to collect authentication cookies from various popular sites, including Google, Microsoft, LinkedIn, Facebook and Yahoo, and send them via WebSocket to an attacker-controlled IP."
The exploit targeted iOS 12.4 to 13.7. Because every browser on iOS is built on WebKit, the bug was not limited to Safari.
Source: Ars Technica