Trident - Sophisticated, persistent mobile attack against high-value targets on iOS
(blog.lookout.com)
Citizen Lab and Lookout have uncovered an active threat (called "Trident") of state-sponsored actors using a combination of three zero-days in iOS to essentially perform a stealth jailbreak in a target device and exfiltrate all communication (calls, texts, email, and other app specific data). The entry point is via spear-phishing (email, text), in which the victim clicks on a link that exploits the first vulnerability in WebKit:
CVE-2016-4655: Memory corruption in WebKit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
CVE-2016-4656: Information leak in kernel – A kernel base mapping vulnerability that leaks information to the attacker, allowing him to calculate the kernel's location in memory.
CVE-2016-4657: Kernel memory corruption leads to jailbreak – 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
Apple has already provided fixes for these, so install iOS 9.3.5 ASAP.
Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users
(researchcenter.paloaltonetworks.com)
Palo Alto Networks posted an analysis of XcodeGhost, the first compiler malware in OS X. Its malicious code is located in a Mach-O object file that was repackaged into some versions of Xcode installers.
The primary malicious component in the XcodeGhost infected version is "CoreServices". XcodeGhost implemented malicious code in its own CoreServices object file, and copies this file to a specific position that is one of Xcode's default framework search paths. Hence, the code in the malicious CoreServices file will be added into any iOS app compiled with the infected Xcode without the developers' knowledge.
The malware-infected apps then send device information, potentially including credentials, to several domains: crash-analytics[.]com, icloud-diagnostics[.]com and icloud-analysis[.]com.
[...] As of this writing, we see 39 iOS apps being infected, some of which are extremely popular in China and in other countries around the world, comprising hundreds of millions of users. This includes the popular WhatsApp clone WeChat.
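A defender-side triage script for the three domains quoted above, added here as an example and not part of the Palo Alto Networks analysis: it unpacks an .ipa (a plain zip archive), scans every bundle member for the re-fanged domain strings, and reports where they occur. The sample archive it scans is constructed inline.

```python
"""Scan an iOS .ipa archive for the XcodeGhost beaconing domains."""
import io
import re
import zipfile

# C2 domains reported for XcodeGhost (from the write-up above, re-fanged).
XCODEGHOST_DOMAINS = (
    b"crash-analytics.com",
    b"icloud-diagnostics.com",
    b"icloud-analysis.com",
)


def scan_bytes(data: bytes) -> list:
    """Return (domain, offset) pairs for every occurrence of a listed domain in data."""
    hits = []
    for domain in XCODEGHOST_DOMAINS:
        for match in re.finditer(re.escape(domain), data):
            hits.append((domain.decode(), match.start()))
    return hits


def scan_ipa(ipa_bytes: bytes) -> dict:
    """Scan each file inside an .ipa and map member path -> list of hits."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hits = scan_bytes(zf.read(info))
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_ipa() -> bytes:
    """Constructed sample: a tiny 'app bundle' whose main binary embeds one C2 URL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist", "<plist/>")
        # Fake Mach-O magic, 16 bytes of padding, then the beacon URL.
        binary = b"\xcf\xfa\xed\xfe" + b"\x00" * 16
        binary += b"https://icloud-analysis.com/upload" + b"\x00" * 8
        zf.writestr("Payload/Demo.app/Demo", binary)
        zf.writestr("Payload/Demo.app/clean.bin", b"no indicators here")
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_ipa(build_sample_ipa()).items():
        for domain, offset in hits:
            print(f"{member}: {domain} at offset {offset}")
```

Point `scan_ipa` at the bytes of a real .ipa to triage a build; a hit in the main executable of an app built with a suspect Xcode is the signal to rebuild from a verified Xcode.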
MDSec Blog: Apple iOS Hardware Assisted Screenlock Bruteforce
(blog.mdsec.co.uk)
Works even with the "Erase data after 10 attempts" configuration setting enabled. Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone's power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4-digit PIN.
Interesting approach in that by cutting power it prevents iOS from storing the attempt information. Long story short, always use a passphrase, not a PIN.