A group of hackers has been using compromised websites to launch watering hole attacks against iPhone users who visit them. The attacks used five different exploit chains, including 0-day vulnerabilities, and required no user interaction beyond loading the page.
Earlier this year, Google’s Threat Analysis Group (TAG) found a small collection of hacked websites. TAG soon determined that the compromised sites were delivering exploits to users of iPhones running iOS 10 through the latest version of iOS 12.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” said Ian Beer of Project Zero in a blog post.
Exploit chains and vulnerabilities
TAG collected five separate iPhone privilege escalation exploit chains as part of the analysis. Project Zero also provided details on the root causes of fourteen vulnerabilities across the five exploit chains.
Of the fourteen vulnerabilities, seven affect the iPhone’s web browser, five affect the kernel, and two are separate sandbox escapes. At least one of the privilege escalation chains relied on two vulnerabilities (CVE-2019-7287 and CVE-2019-7286) that were still unpatched 0-days at the time of discovery. Apple fixed both in an out-of-band release of iOS 12.1.4 in early February of this year.
Ian Beer also provided detailed write-ups and root-cause analysis for each of the five exploit chains. In addition, the root causes point to poor development practices, such as code that appears never to have worked or that seems to have skipped QA and testing before shipping.
Stealing sensitive files
The spying implants steal or access files, such as users’ photos, contacts and GPS location data. Attackers also use the malware to access the device’s Keychain and to read the unencrypted local message databases of popular messaging apps, sidestepping their end-to-end encryption. Examples include Telegram, WhatsApp, WeChat and Apple’s iMessage app.
The research also suggests attackers are increasingly setting their sights on users of popular mobile devices and on unpatched vulnerabilities.