Fortunately, the bugs were patched in iOS 13.4.5 beta which was released last week. Unfortunately, it is highly likely that both bugs were exploited in the wild by an advanced threat actor since 2018, say researchers at ZecOps.
iOS Bugs Widely Exploited in the Wild
How were the attacks carried out? As seen in plenty other malicious scenarios, the attack starts with sending a specially crafted email to a victim’s mailbox. The malicious email triggers the vulnerability in the context of iOS MobileMail application on iOS 12 or mailid on iOS 13.
Based on ZecOps Research and Threat Intelligence, the researchers believe “with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s)”.
The researchers also believe that the attacks are connected to “at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications”.
At least one hackers-for-hire company is selling exploits using vulnerabilities that take advantage of email addresses as a main identifier.
Who has been targeted?
Individuals from a Fortune 500 organization in North America are among the targets as welll as
an executive from a carrier in Japan, the report said. Other targets include a VIP from Germany,
MSSPs from Saudi Arabia and Israel, a journalist in Europe, and possibly an executive from a Swiss company.
What versions of iOS are affected?
“All tested iOS versions are vulnerable including iOS 13.4.1,” the report says. Based on the researchers’ data, the vulnerabilities were actively triggered on iOS 11.2.2 and potentially earlier. “Versions prior to iOS 6 might be vulnerable too but we haven’t checked earlier versions. At the time of iOS 6 release, iPhone 5 was in the market,” the researchers concluded.