Hackers Exploited 0-Day iOS Flaw To Infiltrate Government Officials' iPhones

Earlier this year, Google’s Threat Analysis Group (TAG) discovered a vulnerability in Apple’s WebKit, the browser engine behind Safari, which was then tracked as CVE-2021-1879. It is now reported that this vulnerability was likely exploited by a familiar Russian government-backed threat actor: Nobelium.

Yesterday, Google TAG researchers Maddie Stone and Clement Lecigne reported that Nobelium, also known as Cozy Bear or APT29, used “LinkedIn Messaging to target government officials from western European countries by sending them malicious links.” If the victim clicked such a link on an iOS device, they were redirected to an attacker-controlled domain that served the next-stage payloads.


After running checks to confirm that the victim’s device was real, the domain delivered a final payload that exploited CVE-2021-1879. The exploit turned off the browser’s Same-Origin Policy protections so that the attacker could collect authentication cookies from popular websites, provided the victim had those sites open. The attack also hinged on the device running iOS 12.4 through 14.7, as the security flaw has since been fixed.

Interestingly, the researchers report that this campaign coincided with an election-fraud-themed malware campaign that appeared to originate from USAID after one of its Constant Contact accounts was breached. We reported on this back in May 2021, noting that the threat actors were targeting human rights and humanitarian organizations worldwide as well as several government agencies in the US and Europe.

Though it is hard to extrapolate the end goal, in the short term it is clear that the Russian-backed attackers are targeting high-level executives and government officials. Furthermore, it should be abundantly clear not to click on random links in emails, LinkedIn messages, or anywhere else for that matter. Even if you do not believe the attack targeted you, it is entirely possible to be accidentally entangled, leading to a world of cybersecurity problems.