Skip to main content

Safari Zero-Day Used in Malicious LinkedIn Campaign



Threat actors used a Safari zero-day flaw to send malicious links to government officials in Western Europe via LinkedIn before researchers from Google discovered and reported the vulnerability.

That’s the word from researchers from Google Threat Analysis Group (TAG) and Google Project Zero, who Wednesday posted a blog shedding more light on several zero-day flaws that they discovered so far this year. Researchers in particular detailed how attackers exploited the vulnerabilities-the prevalence of which are on the rise-before they were addressed by their respective vendors.

TAG researchers discovered the Safari WebKit flaw, tracked as CVE-​2021–1879, on March 19. The vulnerability allowed for the processing of maliciously crafted web content for universal cross site scripting and was addressed by Apple in an update later that month.

Before the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.

“If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next-stage payloads,” they wrote.

The exploit, which targeted iOS versions 12.4 through 13.7, would turn off Same-Origin-Policy protections on an infected device to collect authentication cookies from several popular websites-including Google, Microsoft, LinkedIn, Facebook and Yahoo-and then send them via WebSocket to an attacker-controlled IP, researchers wrote. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.

Moreover, the campaign targeting iOS devices coincided with others from the same threat actor-which Microsoft has identified as Nobelium-targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks in a report posted online in May, the researchers added.

Nobellium is believed to be a Russia-based threat group responsible for the expansive cyber-espionage SolarWinds campaign, which affected numerous U.S. government agencies and tech companies, including Microsoft.

Other Zero-Day Attacks


Google researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to Google TAG’s Shane Huntley. Two of those vulnerabilities- CVE-2021–21166 and CVE-2021–30551-were found in Chrome, and one, tracked as CVE-2021–33742, in Internet Explorer.

CVE-2021–21166 and CVE-2021–30551, two Chrome rendered remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.

“Both of these 0-days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,” Stone and Lecigne wrote. “The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.”

When prospective victims clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client, and generate ECDH keys to encrypt the exploits, researchers wrote. This info-which included screen resolution, timezone, languages, browser plugins, and available MIME types-would then be sent back to the exploit server and used by attackers to decide whether or not an exploit should be delivered to the target, they said.

Researchers also identified a separate campaigned in April that also targeted Armenian users by leveraging CVE-2021–26411, an RCE bug found in Internet Explorer (IE). The campaign loaded web content within IE that contained malicious Office documents, researchers wrote.

“This happened by either embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by spawning an Internet Explorer process via VBA macros to navigate to a web page,” Stone and Lecigne explained.

At the time, researchers said they were unable to recover the next-stage payload, but successfully recovered the exploit after discovering an early June campaign from the same actors. Microsoft patched the flaw later that month, they said.

Why There is an Increase in Zero-Days?


All in all, security researchers have identified 33 zero-day flaws so far in 2021, which is 11 more than the total number from 2020, according to the post.

While that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers “believe greater detection and disclosure efforts are also contributing to the upward trend,” they wrote.

Still, it’s highly possible that attackers are indeed using more zero-day exploits for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more zero-day vulnerabilities for functional attack chains, they said.

The growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target-hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.

Finally, the maturation of security protections and strategies also inspires sophistication on the part of attackers as well, boosting the need for them to use zero-day flaws to convince victims to install malware, researchers noted.

“Due to advancements in security, these actors now more often have to use 0-day exploits to accomplish their goals,” Stone and Lecigne wrote.

Originally published at https://threatpost.com on July 15, 2021.

Comments

Post a Comment

Popular posts from this blog

Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof | CyberNews

  Updated on 07/04: We updated our personal data leak checker database with more than 780,000 email addresses associated with this leak . Use it to find out if your LinkedIn profile has been scraped by the threat actors. Days after a massive Facebook data leak made the headlines, it seems like we’re in for another one, this time involving LinkedIn. An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author. The four leaked files contain information about the LinkedIn users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more. To see if your email address has been exposed in this data leak or other security breaches, use our personal data leak checker with a library of 15+ billion breached records . While users on the hacker foru...
Post a Comment
Read more

[Update] Twitter down, not working on Android | How to fix Twitter crashing issue | DigiStatement

In our earlier posts, we reported that a lot of users are posting about the crashing issue with the Twitter app on the Android platform. Some users posted that the app is not opening after updating it to the latest version on Google Play Store, while some reported that they are using the older version of the Twitter app and still facing the crashing issue. Well, Twitter officially acknowledged the issues with the Android app of Twitter and posted an update with the official account of Twitter Support. In the tweet, Twitter also suggested its users to not update and download the latest version of the app. You can check out the official tweet below. How to fix Twitter crashing issue - If you are still using the older version of the Twitter app, first you need to turn off the auto-update feature in the Google Play Store. For this, go to the Play Store app then head to Settings > Auto-Update Apps > Don’t Auto-Update Apps . You can enable this feature later, as it will s...
Post a Comment
Read more

Facebook bows to Singapore's 'fake news' law

Facebook has added a correction notice to a post that Singapore’s government said contained false information. It is the first time Facebook has issued such a notice under the city-state’s controversial “fake news” law. Singapore claimed the post, by fringe news site States Times Review (STR), contained “scurrilous accusations”. The note issued by the social media giant said it “is legally required to tell you that the Singapore government says this post has false information”. Facebook’s addition was embedded at the bottom of the original post, which was not altered. It was only visible to social media users in Singapore. Singapore passes controversial fake news law Concern over Singapore’s anti-fake news law Singapore: What you need to know In an emailed statement to the BBC, Facebook said it had applied a label to a post “determined by the Singapore government to contain false information”, as required under the “fake news” law. The company — which has its Asia ...
Post a Comment
Read more