Hackers behind last year’s SolarWinds supply chain attack recently exploited an iOS vulnerability, putting millions of fully updated iPhones in jeopardy. The cyberattack was part of a phishing email campaign aimed at collecting Web authentication credentials from governments in Western Europe.
The hackers that perpetrated this attack were also responsible for infecting Windows users with malware.
A “possibly Russian government-backed actor,” according to security researchers Maddie Stone and Clement Lecigne, exploited a previously unknown iOS vulnerability, sending malicious messages to government officials via LinkedIn.
SolarWinds hackers are at it again
Users were directed to domains that loaded malicious payloads on fully updated iPhones; the exploit targeted iOS versions 12.4 through 13.7. The payload gathered authentication cookies from a variety of prominent websites, including Google, LinkedIn, Facebook, and Yahoo, and delivered them via a WebSocket to a hacker-controlled IP address.
It not only affected iPhones, but also iPads running the same operating system.
For this attack to work, the victim merely needed to have Safari open. In browsers that support Site Isolation, such as Firefox and Chrome, the threat was neutralized.
This zero-day vulnerability was patched by Apple in March of this year, but it shows how quickly even the most secure systems can be exploited without their owners’ knowledge. Because it affected even fully updated devices, the only recourse for users was to wait for Apple’s security patch.