The underlying bug is an optimization issue occurring during FTL JIT compilation. Both exploits also share the same exploitation framework, which provides attackers with a set of utilities to execute arbitrary code (e.g. a custom Mach-O loader and parser, PAC and JIT cage bypasses).
There are a few minimal differences between the two exploits, which include:
- Failure mode. If something goes wrong during exploitation, the exploit from the watering hole sends the information back to the C2 and tries to crash the browser with an out-of-memory error. If the Intellexa exploit fails, it doesn't send information back and simply redirects the user to a legitimate website.
- Additional data collection from the target device. The exploit from the watering hole has an additional function named dacsiloscope that uses the read/write primitives to collect even more information about the targeted device. This information is later used to decide whether or not the cookie stealer payload should be executed. For example, if the device doesn't have PAC (which can be the case for an iPhone 8 running iOS 16.X), the cookie stealer payload simply does not execute.
Cookie stealer
The iOS exploit loaded the same cookie stealer framework that TAG observed in March 2021 when a Russian government-backed attacker exploited CVE-2021-1879 to acquire authentication cookies from prominent websites such as LinkedIn, Gmail and Facebook. In that campaign, attackers used LinkedIn Messaging to target government officials from western European countries by sending them malicious links.
In the watering hole campaigns, the flow on iOS versions older than 16.6 is the same as described in the Root Cause Analysis for CVE-2021-1879. For each targeted website:
- Create a websocket w connected to an attacker-controlled IP address.
- Set m_universalAccess to 1 inside the SecurityOrigin class by traversing a set of pointers.
- Create a new URL object u pointing to the targeted domain.
- Overwrite all Document URLs of the websocket w with the ones from the u URL.
- Overwrite the m_url field of the websocket w with the u URL.
- Trigger a send on the websocket.
- On the other end of the websocket, the attacker receives the requests as they would be delivered to the targeted websites u, along with the authentication cookies for the targeted websites.
- Restore m_universalAccess back to its original state.
The cookie stealer module targets the following hard-coded set of websites:
[“webmail.mfa.gov.mn/owa/auth”, “accounts.google.com”, “login.microsoftonline.com”, “mail.google.com/mail/mu/0”, “www.linkedin.com”, “linkedin.com”, “www.office.com”, “login.live.com”, “outlook.live.com”, “login.yahoo.com”, “mail.yahoo.com”, “facebook.com”, “github.com”, “icloud.com”]
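The flow above leaves one observable on the wire: a WebSocket handshake sent to a bare IP address that claims, in its Host header and cookies, to be for one of the hard-coded targets. As an added example (not code from the TAG write-up or from the exploit), the following Python checks handshake records for exactly that pattern. It assumes the handshake's Host and Cookie headers follow the overwritten URL u while the TCP connection goes to the attacker's IP, as the steps imply; the `inspect`/`scan` helpers, the `Finding` type and the sample records are all constructed for this illustration.

```python
"""Flag WebSocket handshakes that match the cookie-stealer pattern above.

Added example, not code from the TAG post or the exploit. It assumes the
handshake's Host and Cookie headers follow the overwritten URL u while the
TCP connection goes to the attacker's bare IP, which is what the steps above
describe. The request records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Hard-coded target list from the cookie stealer module (quoted from the post).
TARGETS = [
    "webmail.mfa.gov.mn/owa/auth", "accounts.google.com", "login.microsoftonline.com",
    "mail.google.com/mail/mu/0", "www.linkedin.com", "linkedin.com", "www.office.com",
    "login.live.com", "outlook.live.com", "login.yahoo.com", "mail.yahoo.com",
    "facebook.com", "github.com", "icloud.com",
]
# A Host header carries no path, so match on the host component only.
TARGET_HOSTS = {t.split("/")[0].lower() for t in TARGETS}


@dataclass
class Finding:
    dst: str            # what the client actually connected to
    host: str           # what the handshake claims
    cookie_names: list  # cookie names only; never log the values


def host_name(host):
    """Strip an optional port from a Host header value ('[::1]:80' or 'a.b:443')."""
    host = host.strip()
    if host.startswith("["):
        return host[1:host.index("]")]
    return host.split(":")[0]


def is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def host_is_target(host):
    h = host_name(host).lower()
    return any(h == t or h.endswith("." + t) for t in TARGET_HOSTS)


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, path, headers) with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_websocket_upgrade(headers):
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower())


def cookie_names(cookie_header):
    return [c.split("=", 1)[0].strip() for c in cookie_header.split(";") if c.strip()]


def inspect(dst, raw):
    """Return a Finding when a websocket handshake to a bare IP claims a target domain."""
    method, _path, headers = parse_request(raw)
    if method != "GET" or not is_websocket_upgrade(headers):
        return None
    host = headers.get("host", "")
    # The signal: the socket was opened to an IP literal (no DNS name for the
    # target was ever resolved), yet the handshake names a high-value domain
    # and therefore carries that domain's cookies.
    if is_ip_literal(dst) and not is_ip_literal(host_name(host)) and host_is_target(host):
        return Finding(dst, host_name(host), cookie_names(headers.get("cookie", "")))
    return None


def scan(records):
    """records: iterable of (destination the client connected to, raw request text)."""
    findings = []
    for dst, raw in records:
        f = inspect(dst, raw)
        if f:
            findings.append(f)
    return findings


# Constructed sample records (destination, handshake), not captured traffic.
SAMPLE_RECORDS = [
    # Legitimate: socket opened to the hostname, Host header matches it.
    ("www.linkedin.com",
     "GET /realtime HTTP/1.1\r\nHost: www.linkedin.com\r\nUpgrade: websocket\r\n"
     "Connection: Upgrade\r\nCookie: li_at=x; JSESSIONID=y\r\n\r\n"),
    # The pattern described above: socket to a bare IP, handshake claims accounts.google.com.
    ("203.0.113.10",
     "GET / HTTP/1.1\r\nHost: accounts.google.com\r\nUpgrade: websocket\r\n"
     "Connection: Upgrade\r\nCookie: SID=a; HSID=b; SSID=c\r\n\r\n"),
    # Developer test server on a raw IP: Host is the IP too, not a target.
    ("203.0.113.10",
     "GET /ws HTTP/1.1\r\nHost: 203.0.113.10\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n"),
    # Plain GET to a bare IP naming a target: not a websocket handshake, out of scope here.
    ("198.51.100.7",
     "GET / HTTP/1.1\r\nHost: mail.google.com\r\nCookie: SID=a\r\n\r\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"ALERT dst={f.dst} claims host={f.host} cookies={f.cookie_names}")
```

This check needs the handshake in the clear, so it belongs on a TLS-terminating proxy, in endpoint telemetry, or in the target site's own server logs. From passive capture a wss:// connection to a bare IP only shows as TLS with no SNI for any target, which is a much coarser signal; the Host/cookie mismatch is what distinguishes this flow from ordinary traffic.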
On more recent versions of iOS, the payload calls WebCore::NetworkStorageSession::getAllCookies() to collect all cookies before exfiltrating them back to the C2.
Google Chrome marketing campaign
At the end of July 2024, a new watering hole appeared on the mfa.gov[.]mn website, where track-adv[.]com was re-used to deliver a Google Chrome exploit chain to Android users. From a high-level overview, the attack and end goal are essentially the same as the iOS one (using n-day vulnerabilities in order to steal credential cookies), with some differences on the technical side. In this case, the attack required an additional sandbox escape vulnerability to break out of Chrome site isolation.
- Instead of a simple iframe directly added into the HTML, the attackers are now using a piece of obfuscated JavaScript to inject the malicious iframe pointing to https://track-adv[.]com/analytics.php?personalization_id=<random number>.
- Before sending any stages, crypto keys are generated and exchanged using a proper ECDH key exchange. Earlier campaigns received a static decryption key from the C2.
- In both campaigns the attack uses IndexedDB to store status information on the client side. In the iOS exploit the database was named minus and in the Chrome exploit the database was named tracker.
- A unique identifier using the same format (e.g., 2msa5mmjhqxpdsyb5vlcnd2t) was generated and passed as the tt= parameter across all stages.