iOS Zero-Day Let SolarWinds Hackers Compromise Fully Updated iPhones (arstechnica.com)
The Russian state hackers who orchestrated the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing Web authentication credentials from Western European governments, according to Google and Microsoft. Ars Technica reports: In a post Google published on Wednesday, researchers Maddie Stone and Clement Lecigne said a "likely Russian government-backed actor" exploited the then-unknown vulnerability by sending messages to government officials over LinkedIn. Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers who delivered malware to Windows users, the researchers said.
The campaign closely tracks to one Microsoft disclosed in May. In that instance, Microsoft said that Nobelium -- the name the company uses to identify the hackers behind the SolarWinds supply chain attack -- first managed to compromise an account belonging to USAID, a US government agency that administers civilian foreign aid and development assistance. With control of the agency's account for online marketing company Constant Contact, the hackers could send emails that appeared to use addresses known to belong to the US agency. In an email, Shane Huntley, the head of Google's Threat Analysis Group, confirmed the connection between the attacks involving USAID and the iOS zero-day, which resided in the WebKit browser engine.
Re:Russia! Russia! Russia! (Score:4, Insightful)
Further, I suspect that they are not twirling their Snidely Whiplash mustaches saying, "Aha! He didn't say we couldn't attack THIS!"
I get that you don't like Biden. Really, I do.
But be fucking realistic.
The smoldering ashes of a state that arose from Our Great Adversary of the Cold War isn't populated by fucking morons who have no idea what the fuck they're doing when it comes to disruption of foreign regimes.
Ah, a politiball fan, I see (Score:2)
Actually I expect Biden to be one of the better recent presidents.* I suspect history will record him as a sold, though unremarkable president.
Where you may have gotten the impression otherwise is that I'm not a political fanboi rooting for my favorite politiball team.
So him being okay doesn't mean that everything he does is automatically genius.
Giving Russia the okay to attack, communicating that he won't respond strongly as long as they don't attack those 16 targets, communicates extreme weakness. It's a
Solid, not "sold" (Score:2)
That should read "I suspect history will record him as a solid, though unremarkable, president."
Re: (Score:2)
1) President Biden gave them a list of 16 targets he doesn't want them to attack - where we're most vulnerable. Maybe that'll help.
He set out a list of red-lines. Told them if they attack critical infrastructure again, there's gonna be hell.
Maybe all talk, maybe not. What the fuck is the alternative? Launch a fucking nuke?
2) Some say that telling your adversary exactly where you're most vulnerable is - not smart. Nonsense. I'm sure Pu
Christmas in July. (Score:3)
So in other words slashdot can do the smug dance over Apple as well as Microsoft.
Re: (Score:1)
It's good to know that iOS is secure.
This is the problem with a monoculture. (Score:5, Interesting)
If Apple were forced to allow competing browser engines, only about half of all iOS users would be at risk. Because there's only one browser engine allowed, all iOS users are at risk.
Open up iOS.
Another problem is complacency (Score:5, Interesting)
NASA encountered the same thing in the aftermath of the Challenger disaster. One of the problems they uncovered was too many inspectors. Each part was being inspected by three separate inspectors prior to a launch. NASA figured triple inspections would greatly reduce the chance of a problem being missed. It actually turned out to increase the chance of a problem being missed. Each inspector figured since two other people would also be inspecting the same part, it would be OK if they occasionally rushed an inspection or even skipped it altogether. After all, what are the chances all three of them would slack on inspecting the same part? Well, it turned out to be high enough that three inspectors were catching fewer problems than if they'd only had one or two inspectors.
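The comment's argument can be made precise with a small probability sketch. This is an added illustration, not the commenter's figures and not NASA's; the numbers are constructed. Let $p_1$ be the probability that a single responsible inspector skips or rushes a given part, and $p_3$ the (higher) probability that each of three inspectors does so once each believes the others will cover for them. Treating the three as independent, the part goes uninspected with probability

$$
P(\text{miss} \mid 3 \text{ inspectors}) = p_3^{3}, \qquad P(\text{miss} \mid 1 \text{ inspector}) = p_1 .
$$

Triple inspection is therefore worse than single inspection exactly when

$$
p_3^{3} > p_1 \;\Longleftrightarrow\; p_3 > p_1^{1/3}.
$$

With a constructed $p_1 = 0.02$, the threshold is $p_1^{1/3} \approx 0.271$: if shared responsibility pushes each inspector's skip rate to $p_3 = 0.30$, then $p_3^{3} = 0.027 > 0.02$, and three inspectors miss more parts than one. The cube root is the important part: complacency only has to raise the per-person skip rate modestly (from 2% to roughly 27%) before redundancy stops paying for itself, which is the same dynamic as users relaxing because "Apple has their back".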
Re: (Score:3)
When you promote your system as being ultra-secure, it breeds complacency in end-users. They figure they're safe because Apple "has their back". And they end up more likely to engage in risky behaviors, thus potentially increasing overall risk above that of a less-secure system where users know they have to watch out for themselves.
Watch out for themselves? The most common way to attack someone digitally is still password compromise. Take a good hard look at any "Top XX Worst Passwords" list over the last 30 years. You'll notice they haven't changed. We have MFA to help protect against the "wordpass" crowd. They ignore it. Too much work.
Been doing this way too long to not have a fully vetted and justified-yet-jaded view that people don't even want to watch out for themselves. Ignorance continues to be very blissful. And peopl
Re: (Score:3)
One has a reasonable expectation that clicking a link wouldn't trigger the browser to gladly send every authentication cookie it had to an arbitrary IP address out on the internet.
I.e., this wasn't a user's lax security awareness. It was a major flaw in a browser that destroyed any rational concept of security.
I.e., a non-webkit browser, or rather, any correctly functioning browser would not have this issue.
Alternatively, you're right. We could stop clickin
Re: (Score:3, Insightful)
If Apple were forced to allow competing browser engines, only about half of all iOS users would be at risk.
Yes, and when Apple fixes this problem and the user base applies the patch, they would only have to still worry about half of all iOS users getting abused by 3rd party browsing engines they don't maintain or update.
The glass-half-empty problem can be viewed many ways depending on what side of the table you're on.
Hmm (Score:3)
Seems Apple got lucky they did not make it worm via the contact list or iMessages/WhatsApp.
Re: (Score:3)
A worm would have created too much attention. A targeted attack is much more dangerous.
The vital information is missing (Score:5, Informative)
The most vital information for any iOS user is: has this bug been fixed? But it is available in neither the summary nor the article. I guess because it's more sensational to do so.
The bug has been fixed for a while, so there's no action to take:
"This issue is fixed in iOS 12.5.2, iOS 14.4.2 and iPadOS 14.4.2, watchOS 7.3.3."
https://cve.mitre.org/cgi-bin/... [mitre.org]
We're at iOS 14.6 currently.
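The fixed versions quoted above are per release branch (12.5.2 for the iOS 12 line, 14.4.2 for the iOS 14 line), so "is my device patched?" is a branch-aware comparison, not a single threshold. The script below is an added example written for this thread, not the commenter's code or Apple's; the device inventory is constructed, and the rule that branches newer than any listed fix already carry it is an assumption stated in the comments.

```python
# Added example: decide whether a device's OS build is at or past the release
# that fixed CVE-2021-1879, using only the fixed versions quoted in the thread.
from typing import Dict, List, Tuple

# Fixed versions from the CVE entry quoted above, keyed by (platform, major branch).
FIXED_VERSIONS: Dict[Tuple[str, int], Tuple[int, int, int]] = {
    ("iOS", 12): (12, 5, 2),
    ("iOS", 14): (14, 4, 2),
    ("iPadOS", 14): (14, 4, 2),
    ("watchOS", 7): (7, 3, 3),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '14.4.2' into (14, 4, 2); pad to three parts so '14.6' sorts as 14.6.0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts or len(parts) > 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts + (0,) * (3 - len(parts))

def patch_status(platform: str, version: str) -> str:
    """Return 'patched', 'unpatched', 'no-fix-for-branch' or 'unknown-platform'."""
    v = parse_version(version)
    majors = [m for p, m in FIXED_VERSIONS if p == platform]
    if not majors:
        return "unknown-platform"          # no fixed version listed for this OS at all
    fixed = FIXED_VERSIONS.get((platform, v[0]))
    if fixed is None:
        # Assumption: branches newer than every listed fix (e.g. iOS 15) inherit it.
        # Older or intermediate branches with no listed fix (e.g. iOS 13) are flagged,
        # because nothing on the page says they were fixed.
        return "patched" if v[0] > max(majors) else "no-fix-for-branch"
    return "patched" if v >= fixed else "unpatched"

def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Summarise an MDM-style inventory of (device_id, platform, version) rows."""
    return {dev: patch_status(plat, ver) for dev, plat, ver in inventory}

SAMPLE_INVENTORY = [  # constructed sample rows, not real devices
    ("phone-01", "iOS", "14.6"),      # current at the time of the thread -> patched
    ("phone-02", "iOS", "14.4.1"),    # one build short of the fix -> unpatched
    ("phone-03", "iOS", "12.5.2"),    # old branch, but at its fix release -> patched
    ("phone-04", "iOS", "13.7"),      # branch with no listed fix -> follow up
    ("watch-01", "watchOS", "7.3.1"), # below 7.3.3 -> unpatched
]

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```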