Apple Safari Leaks Cookies, so ‘Russia-Backed’ Hackers Attack Targets
Apple’s under fire yet again for an iOS security bug. And yet again it’s a vulnerability in WebKit—the open source code behind the Safari browser.
It appears that hackers have been launching targeted attacks, exploiting the bug to steal authentication cookies. That allowed them to log in to the target’s Facebook, Gmail, OneDrive, etc.
They’re said to be backed by the Russian government. In today’s SB Blogwatch, мы боимся г-на Путина.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Trololo goes Metal.
iOS WebKit FAIL
What’s the craic? Lorenzo Franceschi-Bicchierai reports—“Annoying LinkedIn Networkers Actually Russian Hackers”:
Russian government”
Most LinkedIn spam is just annoying. But … Google’s Threat Analysis Group published new research … detailing several hacking campaigns leveraging a series of zero-day exploits.
…
One of the hacking campaigns … relied on a zero-day in WebKit, the browser engine developed by Apple, which is used in [all] browsers for iOS. This vulnerability (named CVE-2021-1879) was patched by Apple on March 26.
…
When the targets of this campaign clicked on the malicious links sent via LinkedIn messages, they would visit a website controlled by the hackers, which triggered the exploit on their iPhones. … Google described the hacking group as “likely Russian government-backed.”
And Dan Goodin adds—“iOS zero-day let SolarWinds hackers compromise fully updated iPhones”:
Four in-the-wild zero-days”
Attacks targeting CVE-2021-1879 … redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers who delivered malware to Windows users.
…
In that instance, Microsoft said … the hackers behind the SolarWinds supply chain attack first managed to compromise an account belonging to USAID [to] send emails that appeared to [be from] the US agency. The federal government has attributed last year’s supply chain attack to hackers working for Russia’s Foreign Intelligence Service [SVR]. … Other names used to identify the group include APT29, the Dukes, and Cozy Bear.
…
The iOS vulnerability was one of four in-the-wild zero-days Google detailed. … The other three were:
CVE-2021-21166 and CVE-2021-30551 in Chrome
CVE-2021-33742 in Internet Explorer
Horse’s mouth? Google Maddie Stone and Clement Lecigne TAG-team—“WebKit (Safari): CVE-2021-1879”:
Security measures”
The four exploits were used as a part of three different campaigns. As is our policy, after discovering these 0-days, we quickly reported to the vendor and patches were released to users to protect them from these attacks.
…
CVE-2021-1879 … was discovered by TAG on March 19, 2021, and used by a likely Russian government-backed actor … to target government officials from western European countries. [The] exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo.
…
Over the last decade, we believe there has been an increase in attackers using 0-day exploits. Attackers needing more 0-day exploits to maintain their capabilities is a good thing — and it reflects increased cost to the attackers from security measures. … We’d be remiss if we did not acknowledge the quick response and patching [by] Apple.
So it relied on a user clicking a malicious link? DamnOregonian blames Apple, not the victim:
Correctly functioning browser”
One has a reasonable expectation that clicking a link wouldn’t trigger the browser to gladly send every authentication cookie it had to an arbitrary IP address out on the internet.
…
This wasn’t a user’s lax security awareness. It was a major flaw in a browser that destroyed any rational concept of security. … Any correctly functioning browser would not have this issue.
Is Apple’s choice of programming language to blame? So thinks Aristotle Hume:
Wise up”
Another exploit that exists (due to a “use after free”) because of … a language that allows memory unsafe behaviour. The industry needs to rapidly wise up to this.
And Apple makes it harder to patch, thinks Avon B7:
iOS upgrade”
A security patch … should not require an entire iOS upgrade. … Especially a zero-day … fix.
But ukeepbelieving wishes a plague on all their houses:
Unsound”
Your infotech is owned because it is fundamentally unsound. There’s a huge gap between cutting edge security research … and the implementation of consumer … OS’s.
Perhaps it’s Apple’s fault for telling people iOS is the secure choice? Solandri explains:
Challenger disaster”
Another problem is complacency. When you promote your system as being ultra-secure, it breeds complacency in end-users. … They end up more likely to engage in risky behaviors, thus potentially increasing overall risk above that of a less-secure system where users know they have to watch out for themselves.
NASA encountered the same thing in the aftermath of the Challenger disaster. … Each part was being inspected by three separate inspectors prior to a launch. … Each inspector figured since two other people would also be inspecting the same part, it would be OK if they occasionally rushed an inspection. … Three inspectors were catching fewer problems than if they’d only had one or two inspectors.
But even if the software works, the problem exists between keyboard and chair. Here’s ASalazarMX’s PEBKAC story:
Sheer luck”
Sigh. We had to disable Windows Scripting Engine company-wide because someone complained that his invoice won’t download no matter how many times he tried. His invoice in this case was a ransomware payload that the browser was fortunately stopping.
…
Chrome identified the ZIP download as malicious. It was sheer luck, otherwise the user would have opened the ZIP and executed the obfuscated VBS inside.
Meanwhile, this Anonymous Coward has had enough of “likely” attributions:
Russia! Russia! Russia! … Just ****ing STOP!
And Finally:
The original, with captions:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image sauce: Nathan Dumlao (via Unsplash)