For at least two years, an unknown group of attackers was using several complex chains of exploits for vulnerabilities in iOS to compromise the iPhones of visitors to a handful of hacked websites and install a piece of malicious software that could steal any information on the device and send real-time location tracking data back to the attackers.
The exploit chains were in use from around the time that iOS 10 was released in September 2016 up through the beginning of 2019, and each individual chain worked against the latest, fully patched version of iOS available at the time. Researchers with Google’s Threat Analysis Group discovered the hacked websites that the attackers were using in early 2019 and eventually uncovered the five individual exploit chains. Working with researchers from Google’s Project Zero, the team analyzed the exploits, the attack techniques, the vulnerabilities the exploits targeted, and the victim profiles, and pieced together the details of a long-running, expertly crafted campaign targeting iPhone users.
Two of the vulnerabilities that Project Zero discovered were still unpatched at the time, and the team reported the bugs to Apple, which released an out-of-band update for iOS (iOS 12.1.4) in February 2019 to fix them. Interestingly, unlike many campaigns that use zero day vulnerabilities, this campaign didn’t target a small group of users.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” Ian Beer of Project Zero wrote in one of a series of detailed posts on the iOS attack campaign.
“TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”
The attack scenario in this campaign, known as a watering hole attack, is a common one, but it is more often used in lower-level campaigns carried out by cybercrime groups. The technique relies on victims happening upon the hacked sites on their own, rather than being directed to the sites through a spear phishing campaign. The combination of indiscriminate watering hole delivery, zero day vulnerabilities and exploit chains that work against fully patched iOS devices is more indicative of a nation-state campaign than a cybercrime operation.
The malware that this campaign installed on victims’ devices was also quite sophisticated. It has the ability to access unencrypted messages stored on the device by apps including iMessage and WhatsApp, both of which encrypt messages from end to end. End-to-end encryption protects messages in transit, but each app keeps its decrypted message history in a local database on the device, and an implant running with root privileges can simply read those files. The implant also makes copies of the photos on a victim’s device and the entire contacts database and uploads the contents of the device’s keychain, which contains the victim’s credentials and other sensitive data. In short, the implant is the kind of malware that attackers dream of having on an iPhone.
“There is no visual indicator on the device that the implant is running. There's no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system. The implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds,” Beer said.
“The implant has access to all the database files (on the victim’s phone) used by popular end-to-end encryption apps like WhatsApp, Telegram and iMessage.”
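The polling behaviour Beer describes, a check-in with the command and control server every 60 seconds, is exactly the cadence that network-side beacon detection keys on. The following is an added example, not code from the Project Zero write-up or from the implant itself: it parses a constructed connection log, computes the gaps between successive connections for each source/destination pair, and flags pairs whose gaps are both numerous and nearly uniform. The log format, the sample lines, the addresses and the thresholds are all assumptions made for the illustration.

```python
"""Flag periodic outbound connections (beaconing) in a connection log.

Added example, not code from the Project Zero write-up. The log format
(epoch_seconds src dst bytes_out), the sample lines and the thresholds are
constructed for this illustration; the 60-second cadence mirrors the polling
interval described for the implant.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNECTIONS = 10   # assumed: fewer events cannot establish a cadence
MAX_JITTER = 0.15      # assumed: max coefficient of variation of gaps


def parse_log(lines):
    """Group timestamps by (src, dst) from 'epoch src dst bytes_out' lines."""
    per_pair = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, _bytes_out = line.split()
        per_pair[(src, dst)].append(float(ts))
    return per_pair


def beacon_score(timestamps):
    """Return (mean_gap, jitter) for one pair's connection timestamps.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a fixed-interval poller yields a small value,
    while human-driven traffic is bursty and yields a large one.
    """
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if not gaps:
        return (0.0, float("inf"))
    m = mean(gaps)
    if m == 0:
        return (0.0, float("inf"))
    return (m, pstdev(gaps) / m)


def find_beacons(lines, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """Return [(src, dst, mean_gap, jitter)] for pairs that look like beacons."""
    hits = []
    for (src, dst), stamps in parse_log(lines).items():
        if len(stamps) < min_connections:
            continue
        interval, jitter = beacon_score(stamps)
        if jitter <= max_jitter:
            hits.append((src, dst, round(interval, 1), round(jitter, 3)))
    return hits


def sample_log():
    """Constructed sample: one device polling a C2 roughly every 60 s, plus
    irregular browsing traffic from the same device to another host."""
    base = 1_551_000_000
    lines = ["# epoch src dst bytes_out"]
    # implant-like traffic: 12 polls, 60 s apart, with a few seconds of jitter
    for i, j in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 1, 0, 2]):
        lines.append(f"{base + 60 * i + j} 10.0.0.7 203.0.113.5 412")
    # browsing: bursts separated by long idle periods, clearly not periodic
    for offset in [0, 3, 4, 40, 41, 42, 300, 301, 900, 901, 902, 903]:
        lines.append(f"{base + offset} 10.0.0.7 198.51.100.9 2048")
    return lines


if __name__ == "__main__":
    for src, dst, interval, jitter in find_beacons(sample_log()):
        print(f"beacon candidate {src} -> {dst}: every {interval}s, jitter {jitter}")
```

On the sample, only the 203.0.113.5 pair is reported (mean gap about 60 s, jitter about 0.03); the browsing pair has a coefficient of variation above 2 and is ignored. In practice the thresholds need tuning per environment, and legitimate software (update checkers, push keep-alives) also beacons, so a hit is a lead for triage rather than a verdict.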
The implications of this attack campaign are notable. Most campaigns with this level of effort, investment, and expertise are constructed to target a relatively small number of people. That could be a handful of diplomats or political dissidents in a specific country, or it could be executives at a few companies in a specific industry. The financial and technical resources needed to develop the exploit chains as well as the implant are significant, which limits the number of groups capable of producing them. This is the kind of work most often associated with intelligence agencies and other nation-state affiliated adversary groups, but those groups typically don’t expend their resources on indiscriminate watering hole attacks.
For people who don’t fall into a high-risk group, this research underscores that a high-level adversary may not be targeting them specifically, yet they can still be swept up in an indiscriminate exploitation campaign.
“Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group,” Beer said.
“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”