Google Project Zero's security researchers have uncovered a highly sophisticated cyber-surveillance campaign that relied on booby-trapped websites and 0-day flaws.
This is a big one. Google has just revealed the details of a particularly sophisticated espionage campaign that allowed the iPhones of tens of thousands of people to be hacked discreetly. The hacking took place through a "small number of hacked websites" that targeted visitors indiscriminately for "at least two years". "We estimate that these sites received thousands of visitors each week," said Ian Beer, a member of Google Project Zero and one of the best-known iPhone hackers, in a series of blog posts detailing the technical aspects of these attacks.
Whoever is behind these attacks is no small player. Thanks to an operational error by the attacker, Google was able to recover from these websites, at the beginning of the year, five distinct exploit chains covering iOS 10 through iOS 12. Together they relied on fourteen vulnerabilities, two of which were 0-days at the time of their discovery (CVE-2019-7287 and CVE-2019-7286). Given the risk, Google gave Apple a seven-day deadline to fix them, rather than the usual 90 days. The patch in question was released on February 7, 2019, as iOS 12.1.4.
Theft of sensitive data and geolocation
The existence of such an arsenal, worth several million dollars on the exploit market, shows that this is a group of hackers that has invested "heavily" in hacking the iPhones of users in "certain communities", says Google. And this is probably only the tip of the iceberg. "There are certainly other [campaigns of this type] that we have not yet detected," says Ian Beer.
The various exploit chains allowed the attackers to escape the Safari sandbox and execute arbitrary code with root privileges, which ultimately let them run a fairly complete spyware implant in the background. This allowed them, among other things, to steal the databases of the main messaging apps (WhatsApp, Telegram, iMessage, Hangouts, Gmail) and to siphon off sensitive data such as the address book, photos and keychain credentials. GPS location data was also uploaded every minute whenever the device was connected to the Internet. The implant was not persistent, however, and disappeared when the device was restarted. As Beer's post points out, that is cold comfort: the authentication tokens stolen from the keychain can keep giving the attackers access to the victim's accounts and services long after the implant itself is gone.
Who is behind this campaign? Hard to say at this point. Google gives no details on the identity of the hacked websites or the profile of the victims. In his blog post, Ian Beer alludes to cyber-surveillance of potential dissidents, suggesting that this is an operation run by an authoritarian government. For his part, security researcher Lukasz Olejnik is betting that this is a surveillance operation targeting ethnic minorities in China. But that remains a hypothesis.