Google TAG uncovers 0-day exploit chain targeting iPhones
Apple Swiftly Addresses In-the-Wild iPhone Exploit Chain
Google's Threat Analysis Group (TAG) and The Citizen Lab recently identified an in-the-wild 0-day exploit chain targeting iOS devices. The exploit chain, developed by the commercial surveillance vendor Intellexa, is used to surreptitiously install its Predator spyware onto targeted devices.
The bugs were reported to Apple, which swiftly patched them in iOS 16.7 and iOS 17.0.1 as CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993.
According to Google TAG, the Intellexa exploit chain was delivered via a "man-in-the-middle" (MITM) attack. When the target went to any 'http' site, the attackers injected traffic to silently redirect them to an Intellexa site, c.betly[.]me. The site would then redirect the target to the exploit server, sec-flare[.]com. This MITM delivery also didn’t require the user to open any documents, click a specific link, or answer any phone calls.
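The delivery step above leaves a recognisable trace in proxy or gateway logs: a plaintext HTTP request answered with a redirect to a host the user never asked for. The following added example (not code from Google TAG or Intellexa) scans constructed log lines for that pattern and flags the two domains named in the article; the log format, the `example.*` hosts and the two-label domain comparison are assumptions for the demonstration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts named in the TAG write-up (de-fanged there as c.betly[.]me and sec-flare[.]com).
KNOWN_INTELLEXA_HOSTS = {"c.betly.me", "sec-flare.com"}

@dataclass
class HttpTransaction:
    scheme: str    # "http" or "https"
    host: str      # Host header of the request
    status: int    # response status code
    location: str  # Location header, "" if absent

def base_domain(host: str) -> str:
    # Simplification: last two labels only, no public-suffix list (assumed adequate here).
    return ".".join(host.split(".")[-2:])

def classify(tx: HttpTransaction) -> str:
    """Return 'known_indicator', 'suspicious_redirect' or 'ok' for one transaction."""
    if tx.host in KNOWN_INTELLEXA_HOSTS:
        return "known_indicator"
    # Only plaintext HTTP can be rewritten by an on-path attacker; TLS sessions are skipped.
    if tx.scheme == "http" and 300 <= tx.status < 400 and tx.location:
        target = urlsplit(tx.location).hostname or ""
        if target in KNOWN_INTELLEXA_HOSTS:
            return "known_indicator"
        if target and base_domain(target) != base_domain(tx.host):
            return "suspicious_redirect"  # cross-site redirect injected into http traffic
    return "ok"

# Constructed sample log lines (not real captures): scheme host status location
SAMPLE_LOG = """\
http example.com 302 http://c.betly.me/
http c.betly.me 302 https://sec-flare.com/x
http news.example.org 301 https://news.example.org/
http www.example.net 301 https://example.net/
http shop.example.com 302 http://tracker.example.org/
https bank.example.com 302 https://login.bank.example.com/
http weather.example.com 200 -
"""

def parse_line(line: str) -> HttpTransaction:
    scheme, host, status, location = line.split()
    return HttpTransaction(scheme, host, int(status), "" if location == "-" else location)

def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (requested host, verdict) for every line that is not 'ok'."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        tx = parse_line(line)
        verdict = classify(tx)
        if verdict != "ok":
            hits.append((tx.host, verdict))
    return hits

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:20s} {host}")
```

A www-stripping redirect to the same registrable domain is left alone, while a redirect from an http page to an unrelated site is surfaced for review even when the destination is not yet on an indicator list.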
Once the attacker successfully redirected the target to their exploit server, the chain was executed. The iOS exploit chain included three vulnerabilities (you can find details about them here):
- CVE-2023-41993: Initial remote code execution (RCE) in Safari
- CVE-2023-41991: PAC bypass
- CVE-2023-41992: Local privilege escalation (LPE) in the XNU Kernel
Thereafter, a small binary was executed to decide whether or not to install the full Predator implant onto the device. However, TAG was unable to capture the full Predator implant.
Additionally, the attackers had an exploit chain to install the Predator spyware software on Android devices in Egypt. These exploits were delivered via the MITM injection and via one-time links sent directly to the target.
"This campaign is yet another example of the abuses caused by the proliferation of commercial surveillance vendors and their serious risk to the safety of online users. TAG will continue to take action against, and publish research about, the commercial spyware industry, as well as work across the public and private sectors to push this work forward," Maddie Stone, Threat Analysis Group, wrote in a blog post.