A critical bug that has lurked in iPhones and iPads for eight years appears to be under active attack by sophisticated hackers seeking to compromise the devices of high-profile targets, a security firm reported on Wednesday.
The exploit is triggered by sending booby-trapped emails that, in some cases, require no interaction at all and, in other cases, require only that a user open the message, researchers from ZecOps said in a post. The malicious emails allow attackers to run code in the context of the default mail apps, which makes it possible to read, modify, or delete messages. The researchers suspect the attackers are combining the zero-day with a separate exploit that gives full control over the device. The vulnerability dates back to iOS 6, released in 2012. Attackers have been exploiting the bug since 2018 and possibly earlier.
“With very limited data we were able to see that at least six organizations were impacted by this vulnerability—and the full scope of abuse of this vulnerability is enormous,” ZecOps researchers wrote. “We are confident that a patch must be provided for such issues with public triggers ASAP.”
Targets from the six organizations include:
- Individuals from a Fortune 500 organization in North America
- An executive from a carrier in Japan
- A VIP from Germany
- Managed security services providers in Saudi Arabia and Israel
- A journalist in Europe
- Suspected: An executive from a Swiss enterprise
Zero-days, or vulnerabilities that are known to attackers but not the manufacturer or the general public, are rarely exploited in the wild against users of iPhones and iPads. Some of the only known incidents are a 2016 attack that installed spyware on the phone of a dissident in the United Arab Emirates, a WhatsApp exploit in May of last year that was transmitted with a simple phone call, and attacks that Google disclosed last August.
Apple has currently patched the flaw in the beta for iOS 13.4.5. At the time this post went live, a fix had not yet shipped in a general release.
Malicious mails that trigger the flaw work by consuming device memory and then exploiting a heap overflow, which is a type of buffer overflow that exploits an allocation flaw in memory reserved for dynamic operations. By filling the heap with junk data, the exploit is able to inject malicious code that then gets executed. The code triggers strings that include 4141…41, which are commonly used by exploit developers. The researchers believe the exploit then deletes the mail.
A protection known as address space layout randomization prevents attackers from knowing the memory location of this code and thus from executing it in a way that takes control of the device. As a result, the device or application merely crashes. To overcome this security measure, attackers must exploit a separate bug that reveals the hidden memory location.
Little or no sign of attack
The malicious mails need not be prohibitively large. Normal-size emails can consume enough RAM using rich text format documents, multi-part content, or other methods. Other than a temporary device slowdown, targets running iOS 13 aren’t likely to notice any signs that they’re under attack. In the event that the exploit fails on a device running iOS 12, meanwhile, the device will show a message that says “This message has no content.”
ZecOps said the attacks are narrowly targeted but provided only limited clues about the hackers carrying them out or targets who were on the receiving end.
“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications (hence the 4141..41 strings),” ZecOps researchers wrote. “While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier.”
The most visible third-party organization selling advanced smartphone exploits is Israel-based NSO Group, whose iOS and Android exploits over the past year have been found in use against activists, Facebook users, and undisclosed targets. NSO Group has come under sharp criticism for selling its wares in countries with poor human-rights records. In recent months, the company has vowed to serve only organizations with better track records.
It’s generally against security community norms to disclose vulnerabilities without giving manufacturers time to release security patches. ZecOps said it released its research ahead of a general release fix because the zero-day alone isn’t enough to infect phones, because the bugs had already been mentioned in the beta release, and because of the urgency created by the six organizations the firm believes are under active attack.
To prevent attacks until Apple releases a general-availability patch, users can either install the beta 13.4.5 or use an alternate email app such as Gmail or Outlook. Apple representatives didn’t respond to an email seeking comment for this post.
Britain in talks with 6 firms about building gigafactories for EV batteries
Britain is in talks with six companies about building gigafactories to produce batteries for electric vehicles (EV), the Financial Times reported on Wednesday, citing people briefed on the discussions.
Car makers Ford Motor Co and Nissan Motor Co Ltd, conglomerates LG Corp and Samsung, and start-ups Britishvolt and InoBat Auto are in talks with the British government or local authorities about locations for potential factories and financial support, the report added.
(Reporting by Kanishka Singh in Bengaluru; Editing by Himani Sarkar)
EBay to sell South Korean unit for about $3.6 billion to Shinsegae, Naver
EBay Korea is the country’s third-largest e-commerce firm with market share of about 12.8% in 2020, according to Euromonitor. It operates the platforms Gmarket, Auction and G9.
Shinsegae, Naver and eBay Korea declined to comment.
Lotte Shopping had also been in the running, the Korea Economic Daily and other newspapers said, citing unnamed investment banking sources.
South Korea represents the world’s fourth largest e-commerce market. Driven by the coronavirus pandemic, e-commerce has soared to account for 35.8% of the retail market in 2020 compared with 28.6% in 2019, according to Euromonitor data.
Shinsegae and Naver formed a retail and e-commerce partnership in March by taking stakes worth 250 billion won in each other’s affiliates.
($1 = 1,117.7000 won)
(Reporting by Joyce Lee; Editing by Edwina Gibbs)
Canada launches long-awaited auction of 5G spectrum
The 3,500 MHz band is spectrum that companies need to provide 5G, which requires more bandwidth to expand internet capabilities. The auction, initially scheduled for June 2020, is expected to take several weeks, with the Canadian government selling off 1,504 licenses in 172 service areas.
Smaller operators are going into the auction complaining that recent regulatory rulings have further tilted the scales in the favour of the country’s three biggest telecoms companies – BCE, Telus and Rogers Communications Inc – which together control around 90% of the market as a share of revenue.
Canadian mobile and internet consumers, meanwhile, have complained for years that their bills are among the world’s steepest. Prime Minister Justin Trudeau’s Liberal government has threatened to take action if the providers did not cut bills by 25%.
The last auction of the 600 MHz spectrum raised C$3.5 billion ($2.87 billion) for the government.
The companies have defended themselves, saying the prices they charge are falling.
Some 23 bidders including regional players such as Cogeco and Quebec’s Videotron are participating in the process. Shaw Communications did not apply to participate due to a $16 billion takeover bid from Rogers. Lawmakers and analysts have warned that market concentration will intensify if that acquisition proceeds.
In May, after Canada’s telecoms regulator issued a ruling largely in favour of the big three on pricing for smaller companies’ access to broadband networks, internet service provider TekSavvy Inc withdrew from the auction, citing the decision.
Some experts say the government has been trying to level the playing field with its decision to set aside a proportion of spectrum in certain areas for smaller companies.
Gregory Taylor, a spectrum expert and associate professor at the University of Calgary, said he was pleased the government was auctioning off smaller geographic areas of coverage.
In previous auctions where the license covered whole provinces, “small providers could not participate because they could not hope to cover the range that was required in the license,” Taylor said.
Smaller geographic areas mean they have a better chance of fulfilling the requirements for the license, such as providing service to 90% of the population within five years of the issuance date.
The auction has no scheduled end date, although the federal ministry in charge of the spectrum auction has said winners would be announced within five days of bidding completion.
($1 = 1.2181 Canadian dollars)
(Reporting by Moira Warburton in Vancouver; Editing by David Gregorio)