The Mail application in iOS is affected by two critical zero-day vulnerabilities that appear to have been exploited in targeted attacks since at least January 2018, cybersecurity automation company ZecOps reported on Wednesday.
According to ZecOps, the vulnerabilities have existed since iOS 6, a version released in 2012. The company reported its findings to Apple in February and March, and notified the tech giant of attacks exploiting the flaws. The vendor has patched the weaknesses in iOS 13.4.5 beta. Other email apps for iOS, such as Gmail and Outlook, do not seem to be impacted so using these applications is recommended for preventing attacks until Apple rolls out the patch to all users.
The vulnerabilities, described as out-of-bounds write and heap overflow issues, affect the MobileMail application on iOS 12 and maild on iOS 13, and they can be exploited by sending specially crafted emails to the targeted user. Exploitation of the flaws can result in remote code execution in the context of the targeted application, allowing the attacker to view, modify or delete emails.
ZecOps researchers believe that the threat actors who exploited these flaws also combined them with a kernel vulnerability that may have given them full access to the compromised device.
The attack does not require any user interaction on iOS 13 (i.e. zero-click attack); opening the Mail app in the background is enough to trigger the exploit. On iOS 12, the targeted user needs to click on the malicious email to trigger the exploit — zero-click attacks are possible on iOS 12 if the attacker can control the mail server.
“Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s),” ZecOps said in a blog post.
The cybersecurity firm says it’s aware of attacks aimed at individuals at a North American Fortune 500 company, a VIP from Germany, an executive from a carrier in Japan, a journalist based in Europe, managed security service providers (MSSPs) in Israel and Saudi Arabia, and possibly an executive at a Swiss organization.
ZecOps researchers determined that exploitation can result in a temporary slowdown or a crash of the email application, but victims should not see other suspicious behavior. Moreover, the attacker can delete the malicious email after exploitation to cover their tracks.
“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications,” ZecOps said. “While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier.”
ZecOps has released technical information about the vulnerabilities and attacks, and it soon plans on publishing proof-of-concept (PoC) exploit code as well.