Last week Google’s Threat Analysis Group (TAG), in partnership with The Citizen Lab, discovered an in-the-wild 0-day exploit chain for iPhones. Developed by the commercial surveillance vendor, Intellexa, this exploit chain is used to install its Predator spyware surreptitiously onto a device.
In response, yesterday, Apple patched the bugs in iOS 16.7 and iOS 17.0.1 as CVE-2023-41991, CVE-2023-41992, CVE-2023-41993. This quick patching from Apple helps to better protect users and we encourage all iOS users to install them as soon as possible.
Exploit delivery via man-in-the-middle (MITM)
The Intellexa exploit chain was delivered via a “man-in-the-middle” (MITM) attack, where an attacker is in between the target and the website they’re trying to reach. If the target is going to a website using ‘http’, then the attacker can intercept the traffic and send fake data back to the target to force them to a different website. Visiting a website using ‘https’ means that the traffic is encrypted, and it is easily verifiable that the received data came from the intended website using their certificate. That is not the case when using ‘http’.
In the case of this campaign, if the target went to any ‘http’ site, the attackers injected traffic to silently redirect them to an Intellexa site, c.betly[.]me. If the user was the expected targeted user, the site would then redirect the target to the exploit server, sec-flare[.]com. While there’s a spotlight on “0-click” vulnerabilities (bugs that don’t require user interaction) this MITM delivery also didn’t require the user to open any documents, click a specific link, or answer any phone calls.
iOS Exploit Chain
As soon as the attacker redirected the target to their exploit server, the exploit chain began to execute. For iOS, this chain included three vulnerabilities:
- CVE-2023-41993: Initial remote code execution (RCE) in Safari
- CVE-2023-41991: Certificate validation issue
- CVE-2023-41992: Local privilege escalation (LPE) in the XNU Kernel
The chain then ran a small binary to decide whether or not to install the full Predator implant. However, TAG was unable to capture the full Predator implant.
We plan to publish a technical deep dive on these exploits in line with the Google vulnerability disclosure policy.
Android Exploit Chain
The attacker also had an exploit chain to install Predator on Android devices in Egypt. TAG observed these exploits delivered in two different ways: the MITM injection and via one-time links sent directly to the target. We were only able to obtain the initial renderer remote code execution vulnerability for Chrome, which was exploiting CVE-2023-4762.
This bug had already been separately reported to the Chrome Vulnerability Rewards Program by a security researcher and was patched on September 5th. We assess that Intellexa was also previously using this vulnerability as a 0-day.
Chrome's work to protect against MITM
For years, Chrome has worked toward universal HTTPS adoption across the web. Additionally Chrome has an “HTTPS-First Mode” that can reduce the likelihood of exploits being delivered via MITM network injection. "HTTPS-First Mode" will attempt to load all pages over HTTPS, and show a large warning before falling back to sending an HTTP request. This setting is currently on by default for users enrolled in the Advanced Protection Program who are also signed into Chrome. We encourage all users to enable “HTTPS-First Mode” to better protect themselves from MITM attacks.
This campaign is yet another example of the abuses caused by the proliferation of commercial surveillance vendors and their serious risk to the safety of online users. TAG will continue to take action against, and publish research about, the commercial spyware industry, as well as work across the public and private sectors to push this work forward.
We would like to acknowledge and thank The Citizen Lab for their collaboration and partnership in the capturing and analysis of these exploits, and Apple for deploying a timely patch for the safety of online users.