iOS zero-day leaves iPhone users dangerously exposed

A pair of zero-day vulnerabilities in two recent versions of Apple’s iOS mobile operating system leaves users of Apple’s email apps open to attack and has probably been exploited by nation state-linked threat actors, according to researchers at ZecOps.

ZecOps said it found the vulnerabilities during a routine digital forensics sweep on iOS 12 and 13 devices, with the earliest triggers dating back to iOS 11.2.2 in January 2018, but seems to date back as far as iOS 6, which came out nearly eight years ago in September 2012.

The vulnerability can be exploited by sending a specially crafted email to the target’s mailbox, which enables attackers to trigger the vulnerability on MobileMail in iOS 12 or mailid in iOS 13, with the aim of achieving remote code execution on the target device, enabling them to leak, modify or delete emails.

Successful exploitation requires iOS 12 users to click on the email, but not in the case of iOS 13 users, making it particularly dangerous for newer iPhone and iPad models.

“We surmise with high confidence that these vulnerabilities … are widely exploited in the wild in targeted attacks by an advanced threat operator,” said ZecOps’ threat research team in a disclosure blog.

The team found targets including a US-based Fortune 500 organisation, a Japanese telecoms carrier, managed security service providers in Saudi Arabia and Israel, and individuals including a prominent German citizen and at least one journalist.

“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a proof of concept [PoC] grade and used ‘as is’ or with minor modifications,” said the researchers.

“While ZecOps refrains from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organisation is selling exploits using vulnerabilities that leverage email addresses as a main identifier.”

ZecOps and Apple have been liaising since the vulnerabilities were uncovered in February, and Apple patched both in a publicly available beta patch released over 15 and 16 April.

ZecOps said it had decided to disclose the bugs before the release of a full patch because of its discovery of triggers in the wild.

It said it was likely that the threat actors exploiting them would ramp up their activity after the release of the beta patch, so it was better for at-risk organisations to take steps to minimise their exposure.

Satnam Narang, principal research engineer at Tenable, noted that there was potential for further danger to iOS users because combining the flaws with an unpatched kernel vulnerability could give attackers full control over the device, not just the email app.

“While Apple has issued fixes for these flaws in the beta version of iOS 13.4.5, devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners,” he said. “In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application, and use an alternative application, such as Microsoft Outlook or Google’s Gmail.”

Christoph Hebeisen, director of security intelligence research at Lookout, said the vulnerabilities highlighted a growing trend of attacks against mobile devices, which are coming to be seen as valuable targets for surveillance and spying.

“Not only do these devices offer access to user documents, communications and cloud accounts, they can also act as a live surveillance tool by virtue of their sensors, such as the microphone, camera and GPS device,” he said.

“This incident demonstrates how even the most well-maintained, fully upgraded mobile operating systems can be susceptible to attacks and compromise. Third-party security solutions can detect and defend against the impact of device compromise, malicious apps and phishing attacks against mobile devices."

Chris Clements, vice-president of solutions architecture at Cerberus Sentinel, added: “You must assume that any attacker with enough ability or financial backing has access to sure-fire exploits that can take control of computers or devices running any operating system or application.

“These exploits are specially designed to go undetected by antivirus, firewalls and other front-line security controls. The only way to defend against such attacks is to have a culture of security with defence-in-depth capabilities, including close monitoring of security logs and anomalous network traffic.”

Full technical details of the exploit can be read on ZecOps’ website.