
Double-edged threat.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Justin Albrecht: So basically, Google released a report on something called Caruna, and Caruna is an iOS exploit chain, actually it's multiple iOS exploit chains, consisting of 23 different vulnerabilities that were used in watering-hole attacks to target various entities.
Dave Bittner: That's Justin Albrecht, Principal Researcher at Lookout. The research we're discussing today is titled "Attackers Wielding DarkSword Threaten iOS Users." [ Music ]
Justin Albrecht: Some of those attacks were conducted by a Russian threat actor. This Russian threat actor is called UNC6353. When Google investigated this, they ended up putting out their blog, I think it was about a month ago now, on their findings. Of course, you know, this is targeting iOS, it's targeting mobile, so we're definitely interested in that, and I wanted to go and look at it to see if I could figure out who UNC6353 is and to see if we could find any of the exploits, find anything else interesting about it. It was really some standard threat hunting. As I dug into it, essentially, I found, using a couple techniques, another exploit delivery server very similar to the one that UNC6353 used that was referenced in Google's blog. When I was investigating that, I noticed that they had links between this exploit server and a couple compromised Ukrainian websites. These are legitimate websites, you know. In fact, Caruna, I think, was linked to about 50 websites that I could find that had been compromised. Essentially, what they do is they put an iFrame, they compromise the website, put an iFrame in the website, so that when an iOS user visits the website and they have the appropriate OS version, it automatically hacks their phone. It basically functions like a zero-click attack. When I was looking into this, I thought that I had found another delivery server for Caruna, but when I started to look at the code that was on these compromised websites, I noticed that the delivery, in this case it was JavaScript, had specific mentions in the code that it was targeting 18.4 and 18.6 versions of iOS. These versions weren't targeted in Caruna. From there, basically, I knew that I had something new, novel, so I started to dig into it and that's how we found DarkSword.
Dave Bittner: Well, I mean, let's dig into some of the details here. Once DarkSword lands on a device, what level of access does it have?
Justin Albrecht: Essentially, all access. It gains root-level access to the iOS device, similar to a jailbreak, really, where it breaks past the sandbox for all applications, and from there, it's able to pull all relevant data off of the device for both espionage and also for financial gain. Basically, you know, it can pull your contacts. It pulls your browser history, your photos, your messages. It pulls the secure databases for some encrypted chats like Telegram, for example, WhatsApp. It pulls cryptocurrency applications, the profiles associated with those, seed phrases, and it does all this within a couple minutes. Basically, the version of DarkSword that we were looking at infects the device with no clicks. It does everything it needs to do on the device to break through all the barriers, and then it extracts all the data probably within five minutes maximum. Then it deletes itself from the device.
Dave Bittner: Wow, kind of a worst-case scenario here, isn't it?
Justin Albrecht: Yeah, scary stuff.
Dave Bittner: Yeah, well, help me understand the zero-click aspect of this. I mean, what's going on in iOS that this sort of thing is possible?
Justin Albrecht: So, you know, zero-click attacks aren't anything new. DarkSword is technically a one-click attack because it does require some kind of interaction with a domain, right? Typically, this is all delivered in JavaScript, which is really unusual for this type of malware, and they basically put the JavaScript on these websites, right, but you could also send it in a phishing link or something similar. It's technically a one-click. However, if it's on a website that you're already going to visit, then, you know, do you consider that a one-click or a zero-click? I think, in that case, it's kind of a zero-click because you're already going there doing your normal day-to-day routine. Now, what's happening on the device here is most of these exploit chains, they first target the browser. You might have heard, like, of, you know, Predator, Pegasus, the zero-click attacks that occurred with those. A lot of those were delivered through, like, iMessage or WhatsApp, and they were using some kind of obscure bug that was in one of those platforms in order to get access to the device in a zero-click attack. In this case, this is similar to a lot of other attacks that we see, where, first, they attack the browser. Basically, they have to get past what's called WebKit, which is kind of like iOS's version of serving up browser material, you know? Basically, all browsers on iOS have to use WebKit. Now, WebKit's been very hardened by Apple in the past few years because it's been so targeted. In this case, the exploit first targets WebKit, but then it almost immediately shifts to something called WebGPU, which is a processor, essentially, that's processing all the data that's on the browser, what the browser's looking at. That hasn't been hardened as much, so that's where they do the sandbox escape. That's basically how they bypass the restrictions that are around the application or, in this case, the exploit.
Dave Bittner: Now, you mentioned that they operate quickly and they don't stay on the device very long. This kind of grab-and-go approach seems significant to me and perhaps a little unusual?
Justin Albrecht: It's unusual. It's not what we usually see for espionage, I'll say, or for top-tier iOS malware. There is some iOS malware that doesn't leave an implant in any kind of storage. It might run entirely in memory. We've seen that before with different iOS malware, but typically, it does stay on device. It might not survive a reboot, but it does stay on device. In this case, to see the smash-grab approach is very unusual for iOS malware. In fact, I think it's the first time that I've seen it. I will say there were three different recorded campaigns using DarkSword. The one that we identified was this one by the Russian threat actors, but there were two other ones, and in those two other attacks, they did leave behind implants. In those cases, they were looking at doing, kind of, prolonged espionage against targets.
Dave Bittner: Now, in the case where they don't leave anything behind, is there any trace to be found? If someone suspects that their device may have been compromised, is there any way to determine that?
Justin Albrecht: Yeah, there are some traces that are left behind. They do a good job of cleaning up a lot of the artifacts that would typically be left behind, and the way that the malware is designed, it kind of piggybacks off of legitimate processes that are within iOS, which makes it very difficult to track and to find. Now, as a user, without any third-party tools, this would be completely invisible to you, and there'd really be no good way to find it. Now, there are really mobile EDR tools that will detect some of this, and then now Apple has released patches that will patch pretty much all susceptible devices to DarkSword. It will patch those specific vulnerabilities that DarkSword was taking advantage of, but those victims, basically, have to update their devices to the latest OS version or to the security update for the version they're running, like iOS 18, for example. They'd have to update to iOS 18.7.7.
Dave Bittner: Well, and after your disclosure, Apple responded fairly quickly, right?
Justin Albrecht: Yeah, yeah, they did. You know, it's an interesting move. I think it's a very solid move on their part. I also want to point out, like, how unusual these attacks were because they came back-to-back, right? Like, DarkSword and Caruna happened within the span of a month, at least the reporting on them. After that, we saw some kind of unprecedented activity from Apple. They backported multiple security patches to cover Caruna and DarkSword for older OSs, and typically, they'd want those users to update to the latest OS if they could. They warned the users who had susceptible versions of the OS, like they sent alerts to their device that they could be compromised and that they should update. They also put out specific guidance on web-based attacks, and then when they put out these notifications that they were backporting the updates, they also mentioned DarkSword. Typically, Apple doesn't talk about malware at all, right? It's kind of a -- it's a bit of a dirty word there. So these were really unprecedented moves, and I think it speaks to kind of the scale of the threat this time, you know, that we had these two different exploit kits, very advanced, that ended up in the wrong hands. In one case, well, in both cases, ended up completely public, really where -- and especially with DarkSword, it's so easy to reuse. It has all of the instructions within the code itself. I think it was a situation that they really had to do something about and they did.
Dave Bittner: And you're satisfied that the solutions that they've put out there are up to the task?
Justin Albrecht: For the current threat, yes. I think that's the real, I guess, linchpin in this whole thing is, you know, we focus on the specific exploits, the specific vulnerabilities, the specific malware, but for me, there's very, very much a larger story behind all of this, which is how did these exploits that are developed by top-tier exploit development shops -- in one case in the US for Caruna was most likely developed by L3Harris. For DarkSword, it's unknown who developed them, but they do look like they're probably Western-developed exploits. These exploits made a journey, essentially, across the world to a shady exploit broker who sold them on to criminals and to spy groups who are opposed to the US where the exploits probably came from. That really speaks to evidence of a secondhand exploit market for mobile devices at a minimum and probably for more exploits as well. If you ever heard of Operation Zero, for example, the Russian exploit broker, you know, that's likely how UNC6353 got the Caruna exploits, based on a lot of public reporting that's gone into it. I wouldn't be surprised if that's also how they got the DarkSword exploits, so this market's thriving, and what's the lesson behind that? The lesson is that, you know, there's proliferation of this tooling that's developed in the West. These are very high-end, top-tier exploits that cost millions of dollars to develop and are being sold, probably, you know, for the second time, maybe even the third time to different brokers, so it's kind of an unregulated market and these things are getting up in the wrong hands. For me, that's the bigger story because just because they patched a day, you can't patch a user. You can't patch, you know, a zero day before it's discovered, and it's likely that there are more out there. [ Music ]
Dave Bittner: We'll be right back. [ Music ] So just so I'm clear here, like, is the notion that, as you say, these are developed for high-level organizations, high-level customers, presumably for targeted espionage, and so your average user probably wouldn't be targeted by this, wouldn't know that something like this exists. Because it's so targeted, it could fly under the radar for a long time until it reaches that secondary market where it gets broader visibility?
Justin Albrecht: Exactly, and also, it's targeted in a different way at that point. Like, if we consider -- let's take a case like Pegasus, right?
Dave Bittner: Yeah.
Justin Albrecht: Pegasus, developed by NSO Group, sold to governments, presumably law enforcement agencies and intelligence agencies, who then either misuse it or use it for a quote-unquote "appropriate national security purposes." That's what these tools are designed for, really, in the end, right? They're designed to do law enforcement. They're designed to help track terrorists. They're abused in many cases to track civil society and to track innocent victims, but that depends, in many cases, on what the government's doing with it. Now, those have regulations around them at the end of the day. Like, they have dual-use customs rules that are around the sale of such tooling. You know, there's the European Commission. It tries to put the kibosh on them being able to sell certain parts of the tooling within the EU. They're trying to regulate it. There's sanctions. Like, there's a lot of stuff going on with that market. For entities that exist outside of that rule of law, for example, like, how concerned is Russia with international law?
Dave Bittner: Right.
Justin Albrecht: You know, or maybe China in some cases, right? Like, there's a whole other market here that hasn't really been well explored. These commercial surveillance vendors of exploit brokers, and the people who are doing exploit development, you know, a lot of them, maybe they don't care how their tooling is used at the end of the day. Maybe they're just interested in making a couple extra million. It's understandable, right, so these exploits are basically being sold into a completely unregulated territory where the, I guess, the biggest incentive is money, and that includes for the exploit broker themselves. Like, if you look at Caruna and you look at DarkSword, both of them were edited to include financial theft, to include the targeting of cryptocurrency. This isn't something that you'd see a government developing, really, unless it's North Korea.
Dave Bittner: Right.
Justin Albrecht: In that case, like, we know that something was added to this tooling. It was probably added to increase the market so that more people would be willing to buy the tooling and use it. Like, it speaks to a completely different use case, and it makes the, I guess, the profile of the victim, it greatly expands it beyond, you know, you're a civil society person protesting against a corrupt government, or you're a terrorist, or you're a criminal, you know? It really expands who the potential victims are.
Dave Bittner: Yeah. Well, you mentioned that this activity is linked to UNC6353. What can you tell us about them? What do we know?
Justin Albrecht: Not much. You know, we've got some ideas of their targeting. We've got some ideas of their level of technical expertise, just based on what we've been able to observe. They're not tied to any known threat group that we know of, and as far as I know, Google also believes the same, and iVerify also believes the same, since we all worked on this research together. You know, we haven't been able to tie it to an APT29 or a Turla, let's say, but there are interesting things around this story. Like, one, all of the observed attacks by this group were in Ukraine. They were targeting cryptocurrency, as well as intelligence gathering. Now, we have seen in the past some targeting of cryptocurrency on mobile by a Russian APT. In that case, it was the Sandworm APT. They used a tool called Infamous Chisel, which targeted Android, and it was specifically targeting Ukrainians. Besides that, we haven't really seen anything. However, Russia has a long history now of using proxy criminal elements to conduct campaigns, kind of like a privateer model, a modern-day privateer model. They've done this with multiple ransomware groups who have targeted entities in Ukraine. They've conducted financial theft. They've performed ransomware attacks, wiper attacks, etc. One interesting thing is, like I mentioned before, these exploits probably came from Operation Zero. Operation Zero was recently sanctioned by the US government, and in the sanctions, they mentioned two of the associates of the CEO of Operation Zero. Those two associates are part of the Trickbot ransomware group. So, essentially, you have a Russian criminal entity, cybercrime entity, that has direct connections to an exploit broker that has pretty much been proven to have resold some of these exploits to UNC6353, at least, possibly to this Chinese group, UNC6691, as well. There are a lot of connections in that market.
There are a lot of coincidences, and I do think that it wouldn't be -- you know, we have no guarantee of this, of who they are, but I don't think it would be outside of the norm that they could potentially be one of these cybercrime proxy groups. Like, they don't necessarily have to be a Russian entity. They could be, because the tooling conducts financial theft and it conducts espionage, but there were indicators, also, in the code itself, in how easy it was defined, in the fact that none of it was obfuscated. Some of it seemed like boilerplate demo, like server infrastructure that was probably just set up for them. There are signs that, perhaps, they aren't as technically capable as some of these top-tier Russian APTs, which makes me doubt that it's one of them, but we have no confirmation.
Dave Bittner: Yeah, that's interesting. What are your recommendations, then? I mean, how the defenders in our audience, what should they do with this information, with these revelations?
Justin Albrecht: I really think that it drives home the idea that, you know, a mobile endpoint is an endpoint, and it seems silly to say, but typically, we don't provide the same kind of security and visibility into mobile endpoints, right? These stories about, like, advanced iOS malware, the Predators and Pegasuses of the world, there's always been this kind of trope that, you know, you're not going to be targeted by it. It's going to be a reporter. It's going to be an activist. You know, the categories that I mentioned earlier, an opposition politician. One, we always knew that wasn't exactly true. Like, we'd seen in some organizations, individuals get targeted by this malware. In the past, this is before DarkSword and before Caruna. But now, for example, DarkSword was leaked on GitHub. Like, anyone can take it and use it, so for an organization, like, beyond, of course, updating your devices, beyond using lockdown mode, there's other threats. Like, we see that iOS devices are twice as likely to fall for a phishing link than an Android user, for example, in our data. There was a report that just went out recently about SIO S.p.A. It's an Italian CSV, commercial surveillance vendor, that used WhatsApp clones, basically trojanized WhatsApp versions, that they delivered as an application to iOS devices. They tricked users into downloading them. You have social engineering that occurs, vishing, quishing, etc., that these people are still susceptible to. The big question is, like, if you get infected by one of these as an organization, how do you know? Like, there's no visibility. You're reliant on the protections that the OS provides you. Typically, an organization has at least an MDM, but an MDM is management. It's not security, so for me, like, the big takeaway is that these devices need visibility. Signals need to be fed into the SOC. 
Security needs to be part of it, not just the mobility team, because a lot of times mobility is the only organization that's handling mobile devices, or the only team that's handling mobile devices in an organization, and for me, that's wrong. Like, for me, security needs to be involved. They need to be able to see these signals, so you need to deploy solutions that enable organizations to be able to see that data, to be able to see what kind of threats are being targeted at the device.
Dave Bittner: How readily available are those kinds of solutions?
Justin Albrecht: Oh, they're available for sure if you look up "mobile EDR," if you look up "mobile threat defense," it's another category that it's often called. We have a solution at Lookout, of course. That's our bread and butter, really, beyond our threat intelligence, but there are other -- our competitors also have solutions. Even some of the big players in the game of endpoint defense have some solutions that will at least provide some visibility. In many cases, only for Android or better on Android, but in some cases, like with ours and with some others, you have iOS and Android capabilities that will at least provide visibility and will provide some protections against even the minimal threats.
Dave Bittner: Help me understand an element of this. When Apple comes at a problem like this, when they deliver their patches, and forgive me if this is an unfair question, but are they generally shutting down this specific exploit or is it likely that they're able to shut off more of a category of things? Do you see where I'm going?
Justin Albrecht: Vulnerabilities can have multiple exploits. You can have three different people writing an exploit for the same vulnerability, and they might come at it from different ways, so in a way, it does shut off categories, but let's call them very small categories. They won't be able to shut down all threats to WebKit, like I mentioned earlier. They can harden it a lot. They can find new vulnerabilities and continue to patch it, but at the end of the day, you have a lot of exploit researchers who are there trying to find new ways to take advantage of it. They don't really cut off an entire category, but maybe subcategories. Maybe by fixing -- like being able to patch one of these vulnerabilities, they take care of a bundle of exploits, but not all of them that are targeting that specific portion of technology is probably the way I'd put it.
Dave Bittner: I see. All right. Well, Justin, I think I have everything I need for our story here. Is there anything I missed, anything I haven't asked you that you think it's important to share?
Justin Albrecht: You know, just going back to what I was saying with that secondhand exploit market. For me, that's the thing that I would love people to take away from this is the fact that these things make it into the wild and it should be part of a security posture. People should be thinking about what targets their mobile devices and understand that these are no longer tools that are just in the hands of a few government entities that are interested in conducting espionage, right? They can be used for a lot of other purposes now, and that environment exists, pipeline exists; it will be reused, so just that takeaway. [ Music ]
Dave Bittner: Our thanks to Justin Albrecht from Lookout for joining us. The research is titled "Attackers Wielding DarkSword Threaten iOS Users." We'll have a link in the show notes. That's "Research Saturday" brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Tré Hester. Our Executive Producer is Jennifer Eiben. Peter Kilpe is our Publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]
