By CYFIRMA Research
First Published on 6 August 2021
Russian threat actors are suspected to have exploited the WebKit zero-day vulnerability CVE-2021-1879 in the wild, delivering malicious links through LinkedIn messages and spear-phishing emails.
Based on our research and analysis, we suspect the state-sponsored Russian threat actor Cozy Bear of carrying out these activities, which target multiple industries and geographies. These activities are suspected to be part of the data exfiltration campaign – crop up.
The primary motive of this campaign appears to be:
CYFIRMA recommends using reported IOC details for measures against this campaign and threat hunting within your environment.
CYFIRMA Risk Rating for this Research is Critical.
NOTE: This vulnerability is reported here as situational-awareness intelligence. CYFIRMA highlights the potential risk and the indicators observed, which nation-state threat actors may leverage to exploit the vulnerability, gain a foothold and exfiltrate sensitive information from target organizations.
Universal cross-site scripting vulnerability in Apple watchOS, iOS and iPadOS – WebKit (Safari)
CVE-2021-1879
CVSS Score: 6.1 (CVSS v3.1 base; vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, i.e. network-reachable, no privileges needed, requires the victim to open a link, and the impact crosses from the attacker's page into other origins)
Exploit Details: This zero-day vulnerability has been exploited in the wild, and the exploitation is suspected to be the work of Russian threat actors. The exploit details can be found in the link.
Description:
The affected products are vulnerable to universal cross-site scripting (UXSS), caused by improper validation of user-supplied input in the WebKit component. Unlike an ordinary XSS flaw, which lives in one website, a UXSS flaw lives in the browser engine itself: a page controlled by the attacker can run script in the security context of any other website the victim is logged into, bypassing the browser's same-origin policy, and the target site need not have an XSS flaw of its own. A remote attacker who lures the victim to a crafted page can therefore read data from, and act on, those other sites as the victim, including stealing cookie-based session credentials that are exposed to script.
Impact
Successful exploitation allows a remote attacker to carry out cross-site scripting attacks against arbitrary websites in the victim's browser: steal potentially sensitive information, change the appearance of web pages, and stage phishing and drive-by-download attacks. Because the injected script runs in the target site's own origin rather than passing through that site's input handling, server-side XSS defences such as output encoding on the target site do not prevent it; the HttpOnly cookie attribute keeps session cookies out of document.cookie but does not stop the injected script from issuing authenticated requests on the victim's behalf.
Insights
The vulnerability exists because the WebKit engine insufficiently sanitizes user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of an arbitrary website.
The weakness is classified as CWE-79 (improper neutralization of input during web page generation), and the vulnerability impacts confidentiality and integrity (low on each, per the CVSS vector), with no availability impact.
Affected Version
Apple addressed CVE-2021-1879 in iOS 14.4.2, iPadOS 14.4.2, iOS 12.5.2 (for devices that cannot run iOS 14) and watchOS 7.3.3, all released on 26 March 2021; earlier releases on those branches are affected. Please refer to the following links for the affected versions:
Mitigation
Update affected devices to iOS/iPadOS 14.4.2 (or iOS 12.5.2 on devices that cannot run iOS 14) and watchOS 7.3.3 or later, and enforce a minimum OS version through MDM where possible; since the flaw is in the browser engine, there is no server-side fix a website can apply on the victim's behalf. Please refer to the following links for the mitigations:
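The following script is added here as an illustration and is not part of the CYFIRMA report or its indicators. It supports the threat-hunting recommendation above by triaging web-server access logs for iOS devices still running builds below Apple's fix versions (iOS 14.4.2 on the 14.x branch, iOS 12.5.2 on the 12.x branch), so a defender can find unpatched clients on an internal portal without exploiting anything. The sample log lines, client addresses and the decision to treat branches with no fix (13.x and older) as vulnerable are assumptions made for this example.

```python
"""Triage iOS devices in web-server logs by the OS version in their
User-Agent and flag builds below Apple's fix for CVE-2021-1879.

Added example; not code from the CYFIRMA report.
"""
import re

# Apple's published fix versions for CVE-2021-1879 (March 2021).
# iOS 12.x received its own backport, so it is compared on its own branch.
FIXED = {
    12: (12, 5, 2),
    14: (14, 4, 2),
}

# "iPhone OS 14_4_1" / "iPad OS 13_7" fragments of a Mobile Safari User-Agent.
UA_RE = re.compile(r"(?:iPhone|iPad|iPod) OS (\d+)_(\d+)(?:_(\d+))?")

# Combined log format: first token is the client IP, last quoted field is the UA.
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"$')


def parse_ios_version(user_agent):
    """Return (major, minor, patch) from an iOS User-Agent, or None if absent."""
    m = UA_RE.search(user_agent)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True if the build predates the fix on its branch.

    Assumption for this example: branches that never received a fix
    (13.x and anything older than 12.x) are treated as vulnerable, and
    15.x and later are treated as fixed because they post-date the patch.
    """
    major = version[0]
    if major >= 15:
        return False
    fixed = FIXED.get(major)
    if fixed is None:
        return True
    return version < fixed


def triage(log_text):
    """Return (client_ip, version, vulnerable) for each iOS request in the log."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ua = m.groups()
        version = parse_ios_version(ua)
        if version is None:
            continue  # not an iPhone/iPad in mobile mode; nothing to assess
        results.append((ip, version, is_vulnerable(version)))
    return results


def vulnerable_clients(log_text):
    """Sorted, de-duplicated client IPs that presented an unpatched iOS build."""
    return sorted({ip for ip, _, vuln in triage(log_text) if vuln})


# Constructed sample log (addresses from the documentation range 203.0.113.0/24).
SAMPLE_LOG = """\
203.0.113.10 - - [30/Mar/2021:09:12:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1"
203.0.113.11 - - [30/Mar/2021:09:13:44 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1"
203.0.113.12 - - [30/Mar/2021:09:15:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1"
203.0.113.13 - - [30/Mar/2021:09:16:30 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1"
203.0.113.14 - - [30/Mar/2021:09:17:10 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
"""

if __name__ == "__main__":
    for ip, version, vuln in triage(SAMPLE_LOG):
        state = "UNPATCHED" if vuln else "patched"
        print(f"{ip}\tiOS {'.'.join(map(str, version))}\t{state}")
```

Two caveats when running this against real logs: iPads on iPadOS 13 or later request desktop sites by default and present a macOS User-Agent, so they are invisible to this check, and watchOS never appears in web logs at all. Treat a hit as a lead for MDM inventory confirmation rather than as proof of patch level, since User-Agent strings are client-controlled.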
Security Indicators
To download the full report, write to [email protected]