Safari Zero-Day Used in Malicious LinkedIn Campaign
According to researchers from Google’s Threat Analysis Group and Project Zero, attackers exploited a Safari vulnerability to target government officials in Western Europe. The exploit was delivered through malicious links sent to government officials via LinkedIn. Google’s research team detected and reported the vulnerability, and on Wednesday published a blog post detailing this zero-day and several others discovered this year. According to Google, the Safari WebKit flaw, CVE-2021-1879, was discovered on March 19; processing maliciously crafted web content could lead to universal cross-site scripting. Apple addressed the flaw later in the month by releasing an update.
Before the vulnerability was patched, researchers found that Russian-language threat actors were actively exploiting the zero-day in the wild via LinkedIn messaging. According to Google, the malicious messages delivered to government officials’ inboxes could collect website authentication cookies. The exploit targeted iOS versions 12.4 through 13.7 and worked by turning off Same-Origin Policy protections on the compromised device so that the cookies could be collected. Google stated that the victim needed to have an active session on the targeted websites in Safari for the cookies to be exfiltrated successfully.
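
Because the cookies at risk belong to sessions opened from Safari on iOS 12.4 through 13.7, a site operator can triage which active sessions to revoke by matching the User-Agent recorded for each session against that range. The following is an added example, not code from Google's report; the function names, session IDs and User-Agent records are constructed for illustration.

```python
import re

# iOS range the article says the exploit targeted (inclusive, major.minor).
AFFECTED_MIN = (12, 4)
AFFECTED_MAX = (13, 7)

# Matches "CPU iPhone OS 13_7 like Mac OS X" (iPhone) and
# "CPU OS 12_4_1 like Mac OS X" (iPad); the patch component is optional.
IOS_RE = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)(?:_\d+)? like Mac OS X")

def ios_version(user_agent):
    """Return (major, minor) parsed from an iOS User-Agent, or None."""
    m = IOS_RE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None

def in_affected_range(user_agent):
    """True when the User-Agent reports iOS 12.4 through 13.7."""
    v = ios_version(user_agent)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

def sessions_to_review(records):
    """records: iterable of (session_id, user_agent) pairs.
    Returns the sorted session IDs whose device reports an affected iOS."""
    return sorted({sid for sid, ua in records if in_affected_range(ua)})

# Constructed sample of a session store export (hypothetical IDs).
SAMPLE_RECORDS = [
    ("s-1001", "Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) "
               "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 "
               "Mobile/15E148 Safari/604.1"),
    ("s-1002", "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) "
               "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 "
               "Mobile/15E148 Safari/604.1"),
    ("s-1003", "Mozilla/5.0 (iPad; CPU OS 12_4_1 like Mac OS X) "
               "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 "
               "Mobile/15E148 Safari/604.1"),
    ("s-1004", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
               "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0 Safari/537.36"),
    ("s-1005", "Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) "
               "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 "
               "Mobile/15E148 Safari/604.1"),
]

if __name__ == "__main__":
    for sid in sessions_to_review(SAMPLE_RECORDS):
        print("revoke and re-authenticate:", sid)
```

The User-Agent is client-supplied, and Safari on iPadOS 13 presents a desktop Mac User-Agent by default, so treat a match as a triage signal for session revocation, not as a device inventory.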