State-sponsored hackers and commercial surveillance vendors repeatedly reuse the same vulnerabilities against iOS and Google Chrome to steal authentication cookies through watering hole campaigns. Both exploits rely on a shared exploitation framework for arbitrary code execution; the iOS variant adds extra data collection, while the Chrome variant additionally requires a sandbox escape to break out of site isolation.
Keypoints
- The underlying bug is a flaw in an optimization pass during FTL JIT compilation.
- Both exploits share a common exploitation framework for executing arbitrary code.
- The iOS exploit has a failure mode that sends information back to the C2 server.
- The watering hole exploit collects additional data from the target device (dacsiloscope) to inform decisions.
- The cookie stealer targets a hard-coded list of websites for authentication cookies.
- The Google Chrome campaign uses obfuscated JavaScript to inject a malicious iframe and relies on a sandbox escape vulnerability.
- Both campaigns utilize indexedDB for storing client-side status information (minus vs. tracker).
MITRE Techniques
- [T1203] Exploitation for Client Execution
- [T1003] Credential Dumping
- [T1213] Data from Information Repositories
- [T1102] Web Service
- [T1071] Command and Control
Indicators of Compromise
- [Domains] Cookie stealer targets a hard-coded set of websites – accounts.google.com, linkedin.com, and 12 more domains (e.g., webmail.mfa.gov.mn, login.microsoftonline.com, mail.google.com, www.linkedin.com, www.office.com, login.live.com, outlook.live.com, login.yahoo.com, mail.yahoo.com, facebook.com, github.com, icloud.com)