The Google Project Zero Threat Analysis Group reported a security breach of Apple's iOS operating system that involved five separate exploit chains occurring over at least two years and affecting almost every iOS version from 10 through the latest version of iOS 12. While the number of affected users was not specified, the nature and the pattern of the exploits indicate this was a significant breach.
The exploit consisted of malware that was automatically downloaded to an iOS device when a user visited a site hosting it. The malware could spy and report on user activity and capture the user's iCloud Keychain data, where passwords and other sensitive information are stored. Though the malware was automatically deleted from the system upon reboot, the contents of the stolen Keychain data could enable continued misuse of sensitive personal information.
The nature of this “watering hole” attack indicates that the exploit was not necessarily targeted at a specific user. The malicious websites, while not named in reports, were estimated to receive thousands of visitors per week.
Apple announced that it has fixed this vulnerability in iOS versions 12.1.4 and later. The researchers point out that other similar exploits that have not yet been detected likely remain in operation.
We recommend taking the following actions regarding the iOS exploit:
- Ensure that all iOS devices, and in general all devices used in the organization, are regularly updated to the latest version. Consider implementing a mandatory and automated update policy if one is not already in place.
- Closely monitor financial accounts, both at a corporate and an individual level, for unusual activity.
- Consider evaluating the protection of data stored on company resources via penetration testing and other preventive measures. Respond with corrective actions as needed.
- Recognize that although a software update for the iOS exploit has been issued, other similar “watering hole” exploits likely exist. Notify team members of the need to use caution and vigilance with their mobile devices and to refrain, as much as possible, from using their devices to store or transmit sensitive data.
How We Help
We offer the following solutions that can help your firm protect its sensitive information from potential exploits and other cyber incidents:
- Risk assessments and testing services
- Phishing testing and cyber awareness
- Penetration testing and vulnerability assessments
- Policies, procedures, and governance
- Cyber incident response planning
- Threat intelligence
- Mock regulatory cyber exams
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.