Cybersecurity company ZecOps claims to have discovered what appear to be exploitation attempts using a new vulnerability in iOS. Apple is investigating the case, and the company is preparing a security update that will be available soon.
Discovery of a new exploit on iOS and Mail
ZecOps said it found evidence that hackers have been using an iOS bug since at least January 2018. Researchers say this new exploit on iOS appears to have been exploited by sending emails to well-known iOS users.
ZecOps researchers say the attack is a “zero-click” feat that does not require users to interact with the email to be triggered. The exploit is triggered once the user receives the email or opens the Apple Mail application. The exploit does not fire in Gmail or other email clients, the researchers said.
“The vulnerability allows remote code execution in the context of MobileMail (iOS 12) or maild (iOS 13),” said the ZecOps team. “Successful exploitation of this vulnerability would allow the attacker to take, modify and delete emails.”
The security company has declared that the exploit does not allow control of the entire device, and that an attacker would need an additional vulnerability of the iOS kernel to do this. “We suspect that these hackers are using another vulnerability. An investigation is currently underway,” said ZecOps.
The company said that to date it has detected attempts to exploit targets such as
- individuals from a Fortune 500 organization in North America
- An executive of an Internet business in Japan
- A VIP in Germany
- Cybersecurity companies in Saudi Arabia and Israel
- A journalist in Europe
- An executive from a Swiss company
“We believe that these attacks are linked to a group of pirates who carry out missions for a state. This group bought the exploit from a third-party researcher via a proof of concept (POC) and used it as it is or with minor changes, “said ZecOps. ZecOps did not want to name the group which, according to him, exploits this bug.
Apple investigates, patch arrives
ZecOps said it informed Apple on February 19. Initially, ZecOps reported what appeared to be a common security bug, and worked with Apple to correct the problem. Apple released a fix for this bug on April 15, with the release of the beta version of iOS 13.4.5.
Things changed, however, on Monday when ZecOps said it had discovered evidence in client log logs of attempted exploitation. The company released its report today to notify iOS users of the attacks and the need to install iOS version 13.4.5 as soon as it becomes available.
ZecOps said that if it detected a possible exploitation of the bug until January 2018, the bug could have been exploited even earlier. The company said it reproduced the problem from version 6 of iOS, released in 2012.
Additional technical details about the vulnerability and its inner workings are available to Apple users and security experts in the ZecOps’ technical write-up document available here.
Until a fix is available, ZecOps recommends that users disable the Apple Mail client and use Gmail, Outlook, or another email application instead.