Two zero-day vulnerabilities affecting iPhone and iPad have been found to be used in a series of ongoing remote attacks that have targeted iOS users since at least January 2018.
The zero-days were discovered by the cybersecurity startup ZecOps. According to its researchers, the attack involves sending a specially crafted email to the victim’s mailbox; processing that message triggers the vulnerability in the context of the MobileMail application on iOS 12 or the maild process on iOS 13.
The flaws, an out-of-bounds write (OOB write) and a remote heap overflow, allow an attacker who exploits them successfully to run code remotely on the compromised iPhone or iPad, giving them the ability to leak, modify and delete emails.
The researchers found these vulnerabilities during a routine iOS Digital Forensics and Incident Response (DFIR) investigation, which uncovered attacks against iOS 11.2.2 users delivered through the default Mail application.
The attacks have been traced back as far as January 2018, but the zero-days may have been used in related attacks even earlier.
They believe these attacks are the work of a nation-state threat operator, or of a nation-state that purchased the exploit from a third-party researcher in proof-of-concept (PoC) grade. ZecOps did not attribute the attacks to a specific threat actor.
ZecOps found several highly-targeted attacks exploiting these iOS zero-days including:
- Individuals from a Fortune 500 organization in North America
- An executive from a carrier in Japan
- A VIP from Germany
- MSSPs from Saudi Arabia and Israel
- A journalist in Europe
- Suspected: An executive from a Swiss enterprise
All devices running iOS 6 and later, including the latest version, iOS 13.4.1, are vulnerable to these attacks. Devices running even older iOS versions may also be exposed, but the researchers did not test them.
On iOS 13, no user interaction is required to exploit the vulnerabilities; on iOS 12, the user has to open the email for the iPhone or iPad to be compromised.
The researchers advise that, until a patch is available for these versions, users should avoid the Mail application and temporarily use Outlook or Gmail instead, as those clients are not affected.
At least six organizations are known to have been affected by these vulnerabilities, and the full scope of their abuse is believed to be extensive.
On April 15th, Apple issued a patch for the zero-days in iOS 13.4.5 beta 2, with a security fix for users of stable iOS versions to follow soon.