LinkedIn hacking campaign illustrates rise in zero-day exploits

LinkedIn was used as a vector for Russia-based actors to target European government officials as part of a hacking campaign.

The new research from Google’s Threat Analysis Group (TAG) found that hackers sent messages over the popular professional social network containing malicious links to users affiliated with European governments. These were designed to take advantage of a previously unknown exploit in iOS.

The zero-day vulnerability, dubbed CVE-2021-1879, affects the WebKit of the popular Safari browser. This is the default browser used on Apple devices, including iPhones and iPads.

Anyone clicking the link from an iOS device would be redirected to an attacker-controlled domain that served the next stage payloads.

Users would then have Cobalt Strike, a penetration testing product, downloaded onto their devices. This in turn is generally used to download malware, with Cobalt Strike typically adding a program called Beacon. This allows the attacker to log keystrokes, execute commands on the victim’s device, and transfer files, among other things.

After validating the device, Cobalt Strike would download a final payload designed specifically to take advantage of CVE-2021-1879.

“This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an attacker-controlled IP,” TAG said in a statement.

“The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7.”

LinkedIn’s parent company blamed the Russian Government-linked group Nobelium (or APT29 or Cozy Bear) for a similar attack that targeted CVE-2021-1879.

After Google reported the exploit to Apple in March, the exploit was patched in a subsequent update. At present, there are no signs that the attack was successful.


In addition, TAG warned that the LinkedIn campaign is emblematic of a rise in hackers targeting zero-day exploits.

The company warned that despite being only halfway into 2021, 33 zero-day exploits used in attacks have been publicly disclosed so far. This is eleven more than the total number from 2020.

“While there is an increase in the number of zero-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend,” TAG said.

However, the group also noted the possibility that attackers are using more zero-day exploits. Two massive cybersecurity incidents from this year, the SolarWinds and Microsoft Exchange attacks, were down to zero-day vulnerabilities.

TAG warned that as the use of third-party security technologies and features develops and matures, the supply chain creates additional zero-day exploits. Furthermore, the popularity of mobile platforms increases the number of products that actors want capabilities for.

The maturity of security services and products has also limited the ability of cyberattackers to use less sophisticated means, such as convincing people to install malware. This is forcing hackers to use zero-day exploits to accomplish their goals.

In addition, as cybersecurity matures, so does the cybercrime industry. This means there are more third-party hackers selling access to zero-day exploits.

While this shows that perpetrating cyberattacks is becoming more difficult, it also means that combating the use of zero-day exploits is becoming more difficult.

“Zero-day capabilities used to be only the tools of select nation states who had the technical expertise to find zero-day vulnerabilities, develop them into exploits, and then strategically operationalise their use,” TAG added.
