Apple has confirmed the zero-day is being actively exploited and describes the bug as, “Processing maliciously crafted web content may lead to universal cross-site scripting”. This would allow an attacker to generate a malicious link which, once clicked, executes arbitrary code and steals sensitive data from the victim's device.
Researchers at Google’s Threat Analysis Group (TAG) discovered this Safari vulnerability on March 19, 2021, after it had been exploited in the wild. Google researchers claim that the exploit is likely used by Russian government-backed actors in a campaign leveraging LinkedIn’s platform. The threat actors used LinkedIn Messaging to send maliciously crafted links to the target victims. Upon visiting the link from any iOS device running version 12.4 through 13.7, the victim would be redirected to an attacker-controlled domain serving various payloads, eventually exploiting CVE-2021-1879 as the final payload.
Google researchers state the attacker’s exploit would disable the Same-Origin Policy, an Apple security feature built into web browsers to prevent malicious websites from accessing sensitive data from restricted locations. The victim would need to have an open session in Safari for attackers to successfully exfiltrate authentication cookies from websites such as Google, Microsoft, LinkedIn, Facebook and Yahoo.
This vulnerability was successfully patched by Apple with the release of iOS 14.4.2, iPadOS 14.4.2 and watchOS 7.3.3. Patches have also been released for older devices with iOS 12.5.2.
As always, Jamf urges users to “patch fast and patch often,” updating to the latest operating system versions to stay protected against known Apple threats and vulnerabilities.
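To turn the version ranges above into a fleet check, here is an added example (not Jamf's code) that flags iOS/iPadOS builds still unpatched for CVE-2021-1879. It assumes dotted numeric version strings, that 13.x devices must move to the 14.4.2 branch, and that anything older than iOS 12 is treated as unpatched; the inventory is constructed sample data.

```python
"""Flag iOS/iPadOS versions left unpatched for CVE-2021-1879.

Fixed builds per the advisory: 14.4.2 on the current branch and 12.5.2
for older devices. Exploitation was observed on 12.4 through 13.7.
"""
from typing import List, Tuple

PATCHED_CURRENT = (14, 4, 2)
PATCHED_LEGACY = (12, 5, 2)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '14.4.2', '14.4' or '15' into a comparable 3-tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def needs_patch(version: str) -> bool:
    """True when the device should be updated for CVE-2021-1879."""
    v = parse_version(version)
    if v >= (14, 0, 0):
        return v < PATCHED_CURRENT      # fixed in 14.4.2
    if v >= (13, 0, 0):
        return True                     # no 13.x fix; move to 14.4.2 (assumption)
    if v >= (12, 0, 0):
        return v < PATCHED_LEGACY       # legacy branch fixed in 12.5.2
    return True                         # pre-12 devices: treat as unpatched (assumption)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return device names that still need the update, sorted."""
    return sorted(name for name, ver in inventory if needs_patch(ver))


# Constructed sample inventory: (device name, reported OS version).
SAMPLE_INVENTORY = [
    ("ipad-sales-01", "14.4.2"),
    ("iphone-exec-02", "14.4.1"),
    ("iphone-field-03", "13.7"),
    ("iphone-legacy-04", "12.5.2"),
    ("iphone-legacy-05", "12.4"),
    ("iphone-new-06", "14.5"),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: update required for CVE-2021-1879")
```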
Indicators of Compromise (IoC)
To discuss how to help you stay on top of system updates, contact Jamf or your preferred Apple reseller today.