A zero-day flaw in Apple’s Safari web browser was found by Google’s Threat Analysis Group after it had already been exploited in a campaign targeting Western European government officials through LinkedIn messages. The messages carried malicious links; a target who opened one on an iOS device was redirected to an attacker-controlled domain that served the exploit. The Safari WebKit flaw is tracked as CVE-2021-1879, and the exploit targeted iOS versions 12.4 through 13.7. Once running, it turned off Safari’s Same-Origin Policy protections so that the attacker’s page could read authentication cookies for sites the victim was logged in to in Safari, including Google, Microsoft, LinkedIn, Facebook and Yahoo; any cookies collected were sent over a WebSocket to an attacker-controlled IP address. Google has not named a specific group, but overlaps with other reporting have been noted that could connect the activity to the Russian group Nobelium. The related IOCs published by Google are listed below:
- supportcdn.web[.]app
- vegmobile[.]com
- 111.90.146[.]198
Analyst Notes
Apple has patched the vulnerability (iOS 14.4.2 and iOS 12.5.2, released 26 March 2021), and iPhone and iPad owners should install the update as soon as possible. Patching does not invalidate session cookies that were already stolen, so anyone who opened one of these links on an unpatched device should sign out of all active sessions and change the passwords for the affected accounts. Some LinkedIn users may still have pending messages that contain the malicious links; these should be reported to the corporate security team for investigation rather than opened, and the indicators above should be searched for in DNS, proxy and firewall logs. Note that web[.]app is shared Firebase Hosting, so match and block the full hostname supportcdn.web[.]app rather than the parent domain. Apple’s prompt response was key in containing this campaign before it grew larger.
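As an added example (not code from the page or from Google’s report) of how an analyst could hunt for the indicators above: the Python script below refangs the published IOCs, then scans key=value style proxy, DNS and firewall log lines and reports hosts that equal or are subdomains of an indicator domain, or connections to the indicator IP. The log format, the field names and the sample lines are assumptions made for illustration; the sample lines are constructed, not real telemetry.

```python
"""Hunt DNS/proxy/firewall logs for the indicators published for this campaign."""
import ipaddress
import re
from urllib.parse import urlparse

# The indicators from the text above, in the defanged form they were published in.
IOCS_DEFANGED = [
    "supportcdn.web[.]app",
    "vegmobile[.]com",
    "111.90.146[.]198",
]

# Constructed sample log lines (not real telemetry) in an assumed key=value style.
# Lines 1, 3 and 4 should hit; lines 2, 5 and 6 are decoys that a naive
# substring search would get wrong.
SAMPLE_LOGS = [
    "2021-03-23T10:14:02Z proxy src=10.1.4.23 url=https://supportcdn.web.app/start?id=a1 status=200",
    "2021-03-23T10:14:03Z proxy src=10.1.4.23 url=https://www.linkedin.com/messaging/ status=200",
    "2021-03-23T10:14:05Z dns src=10.1.4.23 query=cdn.vegmobile.com type=A",
    "2021-03-23T10:14:06Z conn src=10.1.4.23 dst=111.90.146.198 dport=443 proto=tcp",
    "2021-03-23T10:15:00Z proxy src=10.1.4.30 url=https://example.web.app/ status=200",
    "2021-03-23T10:15:01Z dns src=10.1.4.30 query=vegmobile.com.example.org type=A",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('web[.]app', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def split_iocs(defanged):
    """Separate indicators into a set of domains and a set of IP addresses."""
    domains, ips = set(), set()
    for ioc in defanged:
        value = refang(ioc)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


def host_matches(host: str, domains) -> bool:
    """True if host is an IOC domain or a subdomain of one.

    The suffix test is anchored on a dot so that vegmobile.com.example.org does
    not match, and the bare parent web.app (shared Firebase Hosting) is never
    an indicator by itself.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def candidates_from(fields):
    """Collect every host or IP a log line names: URL host, DNS query, or destination IP."""
    out = []
    if "url" in fields:
        out.append(urlparse(fields["url"]).hostname or "")
    for key in ("query", "dst"):
        if key in fields:
            out.append(fields[key])
    return out


def scan_log(lines, domains, ips):
    """Return (src, matched_value, line) for every line that touches an indicator."""
    hits = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        for cand in candidates_from(fields):
            if cand in ips or host_matches(cand, domains):
                hits.append((fields.get("src"), cand, line))
                break
    return hits


def find_ioc_hits(lines=SAMPLE_LOGS, iocs=IOCS_DEFANGED):
    """Convenience entry point: refang the IOC list and scan the given lines."""
    domains, ips = split_iocs(iocs)
    return scan_log(lines, domains, ips)


if __name__ == "__main__":
    for src, value, line in find_ioc_hits():
        print(f"HIT src={src} indicator={value}\n    {line}")
```

The match is anchored on a dot boundary so that a lookalike such as vegmobile.com.example.org does not fire, and the shared Firebase parent web.app is never matched on its own. Run it directly against the built-in samples, or import find_ioc_hits() and pass your own log lines in the same key=value layout.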
https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/