ZecOps specialists have released a report describing an old 0-day vulnerability in iOS that hackers have been using since 2018 or even longer. The problem was reproduced even in iOS 6, released in 2012.
According to the experts, exploiting the vulnerability does not require any interaction with the user: it is enough for attackers to send a malicious email to the victim. If the user receives mail or opens Apple Mail, the exploit will work. The attack does not apply to Gmail and other email clients.
“The vulnerability allows arbitrary code to be run remotely in the context of MobileMail (iOS 12) or maild (iOS 13). Successful exploitation of the vulnerability will allow an attacker to steal, modify and delete emails,” the experts’ report says.
Researchers emphasize that exploiting this 0-day alone does not give hackers full control over the device; that requires another exploit and a vulnerability in the OS kernel. Because of this, analysts believe that the attackers still have at least one more vulnerability, and an exploit for it, in their arsenal. Thus, it turns out that hackers exploit the out-of-bounds write issue and another issue related to a heap overflow.
Also, according to analysts, it will be difficult for users to understand whether they have become a victim of an attack, since attackers delete malicious messages immediately after gaining remote access to the victim’s device.
So far, there have been attempts to attack individuals and Fortune 500 companies in North America, the CEOs of a Japanese carrier company, a German provider of managed security services, a European journalist and so on.
ZecOps experts note that the detected attacks fit well with the “profile” of one well-known government hacking group, but they are not disclosing its name for fear of making a mistake with attribution.
Analysts notified Apple about the detected zero-day problem as early as February 19 this year, and the company began to investigate what was happening. On April 15, 2020, Apple released a beta version of iOS 13.4.5, where the vulnerability was fixed. However, this week the situation changed: the researchers decided to talk about the problem publicly before the release of the patch and the release of the stable version of iOS 13.4.5, since ZecOps detected attempts to exploit the 0-day bug in the logs of its clients.
Since there is no publicly available patch yet, iOS users are advised to disable Apple Mail and use Gmail, Outlook, or another email client instead.
This is not the first time that experts have discovered old iOS bugs actively used by hackers. Last year we reported that Google experts found 14 vulnerabilities in iOS that attackers had used for several years, and Trend Micro experts reported that iOS URL schemes allow App-in-the-Middle attacks.