Two zero-day vulnerabilities affecting iPhone and iPad devices were found by cybersecurity startup ZecOps after the discovery of a series of ongoing remote attacks that have targeted iOS users since at least January 2018.
“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13,” ZecOps researchers said.
Successfully exploiting the security flaws — an Out-of-bounds Write (OOB Write) and a Remote Heap Overflow — enables the attackers to run remote code on the compromised iPhone and iPad devices allowing them to gain access to, leak, edit, and delete emails.
“Additional kernel vulnerability would provide full device access – we suspect that these attackers had another vulnerability,” ZecOps further explained.
Nation-state hackers behind ongoing attacks
The researchers discovered the remote attacks during a routine iOS Digital Forensics and Incident Response (DFIR) investigation, while the attackers were targeting iOS 11.2.2 users through the default Mail application.
While initial signs pointed at the attacks going back as far as January 2018, it is possible that the zero-day was used in related attacks even earlier.
“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications,” ZecOps said.
ZecOps detected multiple highly-targeted attacks exploiting these iOS zero-days including:
• Individuals from a Fortune 500 organization in North America
• An executive from a carrier in Japan
• A VIP from Germany
• MSSPs from Saudi Arabia and Israel
• A Journalist in Europe
• Suspected: An executive from a Swiss enterprise
Although ZecOps didn’t want to attribute the attacks to a specific threat actor, the researchers said that they are aware of at least one organization “selling exploits using vulnerabilities that leverage email addresses as a main identifier.”
You’ve Got (0-click) Mail! Unassisted iOS Attacks via MobileMail/Maild in the Wild via @ZecOps Blog https://t.co/tHbq1ZUuom
— ZecOps (@ZecOps) April 22, 2020
All devices running iOS 6 and later are vulnerable
All iPhones and iPads running iOS 6 or above — including the latest version, iOS 13.4.1 — are vulnerable to attacks, although iOS devices running even older versions could also be exposed, given that ZecOps did not test anything older than iOS 6.
On iOS 13, exploiting the vulnerabilities requires no user interaction, while on iOS 12 users have to click on the email to have their iPhone or iPad hacked.
Attackers can also try to exploit the security issue multiple times with no apparent signs on iOS 13 besides a temporary slowdown, while on iOS 12 the Mail application will suddenly crash.
If the attacks fail, targets on iOS 13 will see no signs, while on iOS 12 emails displaying “This message has no content” will show up in the inbox.
“If you cannot patch to this version, make sure to not use Mail application – and instead to temporarily use Outlook or Gmail which, at the time of this writing, were not found to be vulnerable,” ZecOps advises.
“With very limited data we were able to see that at least six organizations were impacted by this vulnerability – and the full scope of abuse of this vulnerability is enormous. We are confident that a patch must be provided for such issues with public triggers ASAP.”
Apple has already included a patch for the zero-days in iOS 13.4.5 beta 2 released on April 15, with a security fix to be made available for users of stable iOS versions soon.
Zero-day (aka 0day or 0-day) vulnerabilities are security bugs that are unknown to, or not yet patched by, the vendor, thus exposing devices running the vulnerable software or using the vulnerable hardware to attacks.
The iOS zero-days discovered by ZecOps aren’t the first ones Apple has had to patch, with two actively exploited ones having been patched in iOS 12.1.4 and a couple of others receiving fixes after being exploited in the wild as part of five privilege escalation exploit chains.
Zero-day exploit acquisition platform Zerodium decreased payouts for iOS zero-days in September 2019, with Apple iOS full chain (1-Click) exploits with persistence dropping to $1,000,000 from $1,500,000, while iMessage RCE + LPE (1-Click) exploits without persistence got a $500,000 reduced price tag from the previous one of $1,000,000.
Zerodium’s CEO Chaouki Bekrar told BleepingComputer at the time that “the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we’ve recently started refusing some [of] them.”