Yesterday, Google Project Zero announced that they discovered a campaign exploiting a wide range of iPhone models and iOS versions in the wild. Google shared details about the exploits and the malware, but little about the campaign itself. This may be to protect business interests, or it may be to stop a panic among those who may have visited the exploit servers (or maybe both). It is also possible that Google is working to notify victims and that is why they declined to share additional details.
Google discovered exploits targeting iOS on “a small collection of hacked websites.” We don’t know the number of websites or how they are used. Google estimates that the sites receive thousands of visitors per week.
The attackers used a watering hole attack, a technique that exploits web servers a victim would already visit without attacker enticement (e.g. as part of their normal routine). This stands in opposition to a phishing attack, where the victim responds to some attacker stimulus (e.g. a link in an email).
While watering hole attacks are nothing new, indiscriminate targeting is not the most common scenario. Further, iOS exploits are expensive and increasingly difficult to source. The use of iOS exploits to target every visitor to a given website is unprecedented.
Who did this?
In short, we don’t know who is responsible for the hack. Google has been intentionally vague about the identity of the hacked websites and the IP address used for command and control, both of which would be useful for attribution. But that doesn’t mean we can’t make some inferences based on what was released. Here’s what we know:
- iOS exploits are expensive. The attacker had many of them, indicating they are very well resourced. This likely removes nation states with limited resources as the culprit.
- The iPhone implant is sloppily coded. This suggests the attacker is not experienced in operational tradecraft.
- Google believes the attack was active for “at least two years.” This suggests that the use of these capabilities is not in response to a particular geopolitical event, but rather is intended to fulfill an ongoing/longstanding intelligence requirement.
While we have a number of theories about the nation state behind the attack, we’ll wait to share them as our evidence at this time is circumstantial.
The implant appears relatively rudimentary, almost amateur hour. It has the following interesting operational issues:
- The implant beacons to a hardcoded IP address. Using http://X.X.X.X instead of http://domain[.]com looks relatively suspicious, especially over many requests. IP addresses are lower on the Pyramid of Pain than domain names for a reason: attacker flexibility.
- The code posted by Google suggests that the IP address can’t be updated. This again hints towards inflexibility by the attacker.
- It uses HTTP for communications. With no HTTPS, all details of exfiltration can be observed by anyone monitoring the network. In the US/EU, we like to think of ISPs as relatively trusted. But in many other parts of the world, ISPs and telcos are part of enterprise threat models. HTTP traffic could be easily observed and the threat discovered.
- The implant uses a static boundary string for data submitted with POST requests. This should stand out like a sore thumb in traffic analysis.
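The three network-level tells listed above (a raw IP literal as the host, cleartext HTTP, and a multipart boundary that never changes) are exactly the kind of thing a proxy or NetFlow analyst can score without any sample of the implant. The following is an added example of that detection logic, not code from Rendition or from Google’s write-up. The request records are constructed, and the boundary value STATIC-BOUNDARY-PLACEHOLDER is a stand-in because the real boundary string is not on this page; the scoring function is our own, not anything Google published.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed proxy-log style records (not real traffic). Each record captures
# the client, the Host header, destination port, whether TLS was used, and the
# Content-Type header of an outbound POST.
SAMPLE_REQUESTS = [
    {"client": "10.0.0.5", "host": "203.0.113.10", "port": 80, "tls": False,
     "content_type": "multipart/form-data; boundary=STATIC-BOUNDARY-PLACEHOLDER"},
    {"client": "10.0.0.5", "host": "203.0.113.10", "port": 80, "tls": False,
     "content_type": "multipart/form-data; boundary=STATIC-BOUNDARY-PLACEHOLDER"},
    {"client": "10.0.0.9", "host": "203.0.113.10", "port": 80, "tls": False,
     "content_type": "multipart/form-data; boundary=STATIC-BOUNDARY-PLACEHOLDER"},
    # Legitimate browser uploads: domain name, TLS, a fresh boundary per request.
    {"client": "10.0.0.7", "host": "www.example.com", "port": 443, "tls": True,
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"},
    {"client": "10.0.0.7", "host": "www.example.com", "port": 443, "tls": True,
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundaryQ2pKz9Xy"},
    # Cleartext to an IP literal but no multipart body: noisy, not conclusive.
    {"client": "10.0.0.3", "host": "198.51.100.20", "port": 80, "tls": False,
     "content_type": "application/json"},
]

# Pulls the boundary parameter out of a multipart Content-Type header.
BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?', re.IGNORECASE)


def is_ip_literal(host):
    """True when the Host header is a bare IPv4/IPv6 address, not a domain name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def extract_boundary(content_type):
    m = BOUNDARY_RE.search(content_type or "")
    return m.group(1) if m else None


def analyze_requests(records):
    """Score each request and report boundaries reused across distinct clients.

    Browsers generate a new random boundary for every multipart request, so the
    same boundary appearing from two or more unrelated clients indicates a
    hardcoded value in whatever produced the traffic.
    """
    boundary_clients = defaultdict(set)
    for r in records:
        b = extract_boundary(r["content_type"])
        if b:
            boundary_clients[b].add(r["client"])
    reused = {b for b, clients in boundary_clients.items() if len(clients) >= 2}

    findings = []
    for r in records:
        reasons = []
        if is_ip_literal(r["host"]):
            reasons.append("host is a raw IP literal")
        if not r["tls"]:
            reasons.append("cleartext HTTP")
        if extract_boundary(r["content_type"]) in reused:
            reasons.append("multipart boundary reused across clients")
        findings.append({"client": r["client"], "host": r["host"],
                         "score": len(reasons), "reasons": reasons})
    return findings, reused


def suspicious_hosts(records, min_score=3):
    """Destinations that hit every indicator; lower min_score to widen the net."""
    findings, _ = analyze_requests(records)
    return sorted({f["host"] for f in findings if f["score"] >= min_score})


if __name__ == "__main__":
    findings, reused = analyze_requests(SAMPLE_REQUESTS)
    for f in findings:
        print(f["client"], "->", f["host"], f["score"], f["reasons"])
    print("reused boundaries:", reused)
    print("suspicious hosts:", suspicious_hosts(SAMPLE_REQUESTS))
```

Requiring all three indicators before alerting keeps the single cleartext JSON POST to an IP literal out of the alert queue while still surfacing the host that several clients beacon to with an identical boundary. At ISP or telco scale the boundary-reuse count is the cheapest of the three to compute, since it needs only the Content-Type header and a client identifier.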
Okay, but really: who did this?
Yeah, we’re still going to avoid naming (suspected) names. But when considering threats, we always focus on the intersection of:
Capability: In this case, capability involves the exploits and the implant. While the exploits are very complex, the implant is amateur hour level stuff. This strongly suggests that the exploits and implant were not only developed by different teams, but teams with dramatically different skill levels. We assess with low confidence that the exploits were purchased and the implant was developed in-house, though examination of the actual exploits and implant samples could increase that confidence.
Intent: Assessing intent is always tricky, but here we can note a few points:
The attacker wants to target everyone who visits a group of hacked websites with VERY valuable exploits. Every time an exploit is used, it is put at risk of detection. Simply by visiting the website, the target has demonstrated that they are interesting enough to risk using the exploit. This suggests that the websites are themed in a very specific manner (e.g. not a general purpose website like Reddit).
The long running nature of the campaign suggests that the attackers are not deploying these capabilities in response to a recent geopolitical event.
Because the implant uses static values that are both easy to detect (boundary string) and unusual (HTTP to a direct IP address), it would have been easy to detect at ISP/telco scale in traffic patterns. We assess with low/moderate confidence that the attacker intended to target victims primarily in their own country, where they could assert some level of control over their ISPs and telcos in case the implant communications were detected. Suspicious traffic of this kind crossing national boundaries would increase the likelihood of detection.
Finally, the use of a hardcoded IP address may also suggest that the attacker was not concerned with the C2 server being subject to a takedown. Of course, this may also simply be an OPSEC mistake.
Opportunity: The opportunity in this case is the hacked websites. We don’t know any details about the websites that were hacked, so no assessment can be made there.
By visiting the websites, the victims selected themselves for exploitation. Given the limited details, we assess that the most likely groups targeted would be political dissidents (most likely) or terrorist sympathizers (less likely).
What about other exploits?
It seems unlikely that the only exploits staged on watering hole servers were for iOS. Google has not disclosed whether exploits targeting other platforms and software were used (and if so, what they were).
At Rendition Infosec, we want to thank Google Project Zero for bringing this campaign to the attention of the public.
Obviously this is a developing story and details will continue to emerge. As always, new information will change our understanding of the total threat picture and may invalidate earlier assessments.