Dave Bittner
You're listening to the Cyberwire Network, powered by N2K.
Host/Interviewer
And now a word from our sponsor, the Center for Cyber Health and Hazard Strategies, also known as CHHS. Looking for a graduate degree that will give you an edge on your professional career? Earn a Master of Science in Law at University of Maryland, Carey School of Law. This part time, two year online graduate degree program is designed for experienced professionals to understand laws and policies that impact your industry. Learn from CHHS faculty who are experts in their field. No GRE required. Learn how you can master the law without a J.D. at law.umaryland.edu. Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Justin Albrecht
So basically Google released a report on something called Coruna, and Coruna is an iOS exploit chain. Actually it's multiple iOS exploit chains consisting of 23 different vulnerabilities that were used in watering hole attacks to target various entities.
Host/Interviewer
That's Justin Albrecht, principal researcher at Lookout. The research we're discussing today is titled "Attackers Wielding Dark Sword Threaten iOS Users."
Justin Albrecht
And some of those attacks were conducted by a Russian threat actor. This Russian threat actor is called UNC6353. So when Google investigated this, they ended up putting out their blog, I think it was about a month ago now, on their findings. And of course, you know, this is targeting iOS, it's targeting mobile, so we're definitely interested in that. And I wanted to go and look at it to see if I could figure out who UNC6353 is and to see if we could find any of the exploits, find anything else interesting about it. It was really some standard threat hunting. But as I dug into it, essentially I found, using a couple techniques, another exploit delivery server, very similar to the one that UNC6353 used that was referenced in Google's blog. And when I was investigating that, I noticed that they had links between this exploit server and a couple compromised Ukrainian websites. These are legitimate websites, you know. In fact, Coruna I think was linked to about 50 websites that I could find that had been compromised. And essentially what they do is they compromise the website and put an iframe in the website so that when an iOS user visits the website and they have the appropriate OS version, it automatically hacks their phone. It basically functions like a zero click attack. So when I was looking into this, I thought that I had found another delivery server for Coruna. But when I started to look at the code that was on these compromised websites, I noticed that the delivery in this case, it was JavaScript, had specific mentions in the code that it was targeting 18.4 and 18.6 versions of iOS, and these versions weren't targeted in Coruna. So from there, basically I knew that I had something new, novel, so I started to dig into it and that's how we found Dark Sword.
Host/Interviewer
Hmm. Well, I mean, let's dig into some of the details here. Once Dark Sword lands on a device, what level of access does it have?
Justin Albrecht
Essentially all access. It gains root level access to the iOS device, similar to a jailbreak really, where it breaks past the sandbox for all applications and from there it's able to pull all relevant data off of the device for both espionage and also for financial gains. So basically it can pull your contacts, it pulls your browser history, your photos, your messages, it pulls the secure databases for some encrypted chats, like Telegram, for example, WhatsApp, it pulls cryptocurrency applications, the profiles associated with those, seed phrases, and it does all this within a couple minutes. Basically, the version of Dark Sword that we were looking at infects the device with no clicks. It does everything it needs to do on the device to break through all the barriers and then it extracts all the data, probably within five minutes maximum, and then it deletes itself from the device.
Host/Interviewer
Wow. Kind of a worst case scenario here, isn't it?
Justin Albrecht
Yeah, yeah, scary stuff.
Host/Interviewer
Yeah. Well, help me understand the zero click aspect of this. I mean, what's going on in iOS that this sort of thing is possible?
Justin Albrecht
So, you know, zero click attacks aren't anything new. Dark Sword is technically a one click attack because it does require some kind of interaction with a domain. Right. Because typically this is all delivered in JavaScript, which is really unusual for this type of malware. And they basically put the JavaScript on these websites, right. But you could also send it in a phishing link or something similar. So it's technically a one click. However, if it's on a website that you're already going to visit, then do you consider that a one click or a zero click? I think in that case it's kind of a zero click because you're already going there, doing your normal day to day routine. Now what's happening on the device here is most of these exploit chains, they first target the browser. So you might have heard of, you know, Predator, Pegasus, the zero click attacks that occurred with those. A lot of those were delivered through like iMessage or WhatsApp, and they were using some kind of obscure bug that was in one of those platforms in order to get access to the device in a zero click attack. In this case, this is similar to a lot of other attacks that we see where first they attack the browser. So basically they have to get past what's called WebKit, which is kind of like iOS's version of serving up browser material. You know, basically all browsers on iOS have to use WebKit. Now WebKit's been very hardened by Apple in the past few years because it's been so targeted. So in this case, the exploit first targets WebKit, but then it almost immediately shifts to something called WebGPU, which is a processor essentially that's processing all the data that the browser is looking at. And that hasn't been hardened as much. So that's where they do the sandbox escape and that's basically how they bypass the restrictions that are around the application or in this case the exploit.
Host/Interviewer
Now you mentioned that they operate quickly and they don't stay on the device very long. This kind of grab and go approach seems significant to me and perhaps a little unusual.
Justin Albrecht
It's unusual. It's not what we usually see for espionage, I'll say, or for top tier iOS malware. There is some iOS malware that doesn't leave an implant in any kind of storage like it might have. It might run entirely in memory, like we've seen that before with different iOS malware. But typically it does stay on device. It might not survive a reboot, but it does stay on device. In this case, to see the smash and grab approach is very unusual for iOS malware. In fact, I think it's the first time that I've seen it. There are now, I will say there were recorded three different campaigns using Dark Sword. The one that we identified was this one by the Russian threat actors, but there were two other ones. And in those two other attacks they did leave behind implants. So in those cases they were looking at doing kind of prolonged espionage against targets.
Host/Interviewer
Now in the case where they don't leave anything behind, is there any trace to be found if someone suspects that their device may have been compromised? Is there any way to determine that?
Justin Albrecht
Yeah, there are some traces that are left behind. They do a good job of cleaning up a lot of the artifacts that would typically be left behind. And the way that the malware is designed, it kind of piggybacks off of legitimate processes that are within iOS, which makes it very difficult to track and to find. Now, as a user without any third party tools, this would be completely invisible to you and there'd really be no good way to find it. Now there are really like mobile EDR tools that will detect some of this. And then now Apple has released patches that will patch pretty much all devices susceptible to Dark Sword. It will patch those specific vulnerabilities that Dark Sword was taking advantage of. But those victims basically have to update their devices to the latest OS version or to the security update for the version they're running. Like iOS 18, for example. They'd have to update to iOS 18.7.7.
Host/Interviewer
Well, and after your disclosure, Apple responded fairly quickly, right?
Justin Albrecht
Yeah, yeah, they did. And you know, it's an interesting move. I think it's a very solid move on their part. I also want to point out like how unusual these attacks were because they came back to back. Right. Like Dark Sword and Coruna happened within the span of a month. At least they're reporting on them. And after that we saw some kind of unprecedented activity from Apple. They backported multiple security patches to cover Coruna and Dark Sword for older OSes. And typically they'd want those users to update to the latest OS if they could. They warned the users who had susceptible versions of the OS, like they sent alerts to their device that they could be compromised and that they should update. And they also put out specific guidance on web based attacks. And then when they put out these notifications that they were backporting the updates, they also mentioned Dark Sword, and typically Apple doesn't talk about malware at all. Right. It's a bit of a dirty word there. So these were really unprecedented moves. And I think it speaks to kind of the scale of the threat this time. You know, that we had these two different exploit kits, very advanced, that ended up in the wrong hands in one case. Well, in both cases ended up completely public, really. And especially with Dark Sword, it's so easy to reuse. It has all of the instructions within the code itself. I think it was a situation that they really had to do something about and they did.
Host/Interviewer
And you're satisfied that the solutions that they've put out there are up to the task for the current threat?
Justin Albrecht
Yes, I think that's the real, I guess, linchpin in this whole thing is, you know, we focus on the specific exploits, the specific vulnerabilities, the specific malware. But for me there's very much a larger story behind all of this, which is how did these exploits that are developed by top tier exploit development shops, in one case in the US (Coruna was most likely developed by L3Harris; for Dark Sword, it's unknown who developed them, but they do look like they're probably western developed exploits). So these exploits made a journey essentially across the world to a shady exploit broker who sold them on to criminals and to spy groups who are opposed to the US, where the exploits probably came from. And that really speaks to evidence of a secondhand exploit market for mobile devices at a minimum and probably for more exploits as well. If you ever heard of Operation Zero, for example, the Russian exploit broker, you know, that's likely how UNC6353 got the Coruna exploits, based on a lot of public reporting that's gone into it. And I wouldn't be surprised if that's also how they got the Dark Sword exploits. So this market's thriving. And what's the lesson behind that? The lesson is that there's proliferation of this tooling that's developed in the West. It's very high end, top tier exploits that cost millions of dollars to develop and are being sold probably, you know, for the second time, maybe even the third time to different brokers. So it's kind of an unregulated market and these things are ending up in the wrong hands. And that's for me, that's the bigger story, because just because they patch today, you can't patch a user. You can't patch, you know, a zero day before it's discovered, and it's likely that there are more out there.
Host/Interviewer
We'll be right back.
Sponsor/Advertiser
Study and play come together on a Windows 11 PC. And for a limited time, college students get the best of both worlds. Get the unreal college deal. Everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller. Learn more at windows.com/studentoffer. While supplies last, ends June 30th. Terms at aka.ms/collegepc.
Dave Bittner
When you need to build up your team to handle the growing chaos at work, use Indeed Sponsored Jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills, certifications and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit at Indeed.com/podcast. That's Indeed.com/podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed Sponsored Jobs.
Host/Interviewer
So just so I'm clear here, like is the notion that as you say, these are developed for high level organizations, high level customers, presumably for targeted espionage. And so your average user probably wouldn't be targeted by this, wouldn't know that something like this exists. And because it's so targeted, it could fly under the radar for a long time until it reaches that secondary market where it gets broader visibility.
Justin Albrecht
Exactly. And also it's targeted in a different way at that point. Like if we consider, let's take a case like Pegasus, right?
Host/Interviewer
Yeah.
Justin Albrecht
Pegasus, developed by NSO Group, sold to governments, presumably law enforcement agencies and intelligence agencies who then either misuse it or use it for quote, unquote, appropriate national security purposes. Like that's what these tools are designed for really in the end, right? Like they're designed to do law enforcement. They're designed to help track terrorists. They're abused in many cases to track civil society and to track innocent victims. But that depends in many cases on what the government's doing with it. Now those have regulations around them at the end of the day, like they have dual use customs rules that are around the sale of such tooling. You know, there's the European Commission, it tries to put the kibosh on them being able to sell certain parts of the tooling within the EU, that's trying to regulate it. There's sanctions. Like there's a lot of stuff going on with that market. For entities that exist outside of that rule of law, for example, like how concerned is Russia with international law?
Host/Interviewer
Right.
Justin Albrecht
You know, or maybe China in some cases. Right? Like there's a whole other market here that hasn't been well explored: these commercial surveillance vendors or exploit brokers and the people who are doing exploit development that, you know, a lot of them, maybe they don't care how their tooling is used at the end of the day. Maybe they're just interested in making a couple extra million. It's understandable. Right? So these exploits are basically being sold into an unregulated, like a completely unregulated territory where the, I guess, the biggest incentive is money, and that includes for the exploit broker themselves. Like if you look at Coruna and you look at Dark Sword, both of them were edited to include financial theft, to include the targeting of cryptocurrency. And this isn't something that you'd see a government developing, really, unless it's North Korea. So in that case, we know that something was added to this tooling. It was probably added to increase the market so that more people would be willing to buy the tooling, and that use speaks to a completely different use case. And it makes the, I guess, the profile of the victim, it greatly expands it beyond, you know, you're a civil society person protesting against a corrupt government, or you're a terrorist, or you're a criminal. You know, it really expands who the potential victims are.
Host/Interviewer
Yeah, well, you mentioned that this activity is linked to UNC6353. What can you tell us about them? What do we know?
Justin Albrecht
Not much. You know, we've got some ideas of their targeting, we've got some ideas of their level of technical expertise just based on what we've been able to observe. They're not tied to any known threat group that we know of. And as far as I know, Google also believes the same, and iVerify also believes the same. Since we all worked on this research together, you know, we haven't been able to tie it to an APT29 or a Turla, etc. But there are interesting things around this story. Like one, all of the observed attacks by this group were in Ukraine. They were targeting cryptocurrency as well as intelligence gathering. Now, we have seen in the past some targeting of cryptocurrency on mobile by a Russian APT. In that case, it was the Sandworm APT that targeted it. They used a tool called Infamous Chisel which targeted Android and it was specifically targeting Ukrainians. Besides that, we haven't really seen anything. However, Russia has a long history now of using proxy criminal elements to conduct campaigns. Kind of like a privateer model, a modern day privateer model. And they've done this with multiple ransomware groups who have targeted entities in Ukraine. They've conducted financial theft, they've performed ransomware attacks, wiper attacks, et cetera. And one interesting thing is, like I mentioned before, these exploits probably came from Operation Zero. Operation Zero was recently sanctioned by the US Government. And in the sanctions they mentioned two of the associates of the CEO of Operation Zero. And those two associates are part of the Trickbot ransomware group. So essentially you have a criminal, you know, a Russian criminal entity, cybercrime entity, that has direct connections to an exploit broker that has pretty much been proven to have resold some of these exploits to UNC6353 at least, and possibly to this Chinese group, UNC6691, as well. Like there are a lot of connections in that market. There's a lot of coincidences, and I do think that, you know, we have no guarantee of this, of who they are, but I don't think it would be outside of the norm that they could potentially be one of these cybercrime proxy groups. Like they don't necessarily have to be a Russian APT. They could be, because the tooling conducts financial theft and it conducts espionage. But there were indicators also in the code itself, in how easy it was to find, in the fact that none of it was obfuscated. Some of it seemed like boilerplate demo-like server infrastructure that was probably just set up for them. There are signs that perhaps they aren't as technically capable as some of these top tier Russian APTs, which makes me doubt that it's one of them. But we have no confirmation.
Host/Interviewer
No. That's interesting. So what are your recommendations then? I mean, how the defenders in our audience, what should they do with this information, with these revelations?
Justin Albrecht
I really think that it drives home the idea that, you know, a mobile endpoint is an endpoint, and it seems silly to say, but typically we don't provide the same kind of security and visibility into mobile endpoints. Right. And these stories about like advanced iOS malware, the Predators and Pegasuses of the world, there's always been this kind of trope that you're not going to be targeted by it. It's going to be a reporter, it's going to be an activist, you know, the categories that I mentioned earlier, an opposition politician. One, we always knew that wasn't exactly true. Like we'd seen in some organizations, individuals get targeted by this malware in the past, this is before Dark Sword and before Coruna, but now, for example, Dark Sword was leaked on GitHub, like anyone can take it and use it. So for an organization, beyond, of course, updating your devices, beyond using Lockdown Mode, there's other threats, like we see that iOS devices are twice as likely to fall for a phishing link than an Android user. For example, in our data, there was a report that just went out recently about SIO S.p.A. It's an Italian CSV, commercial surveillance vendor, that used WhatsApp clones, basically Trojanized WhatsApp versions that they delivered as an application to iOS devices. They tricked users into downloading them. You have social engineering that occurs, vishing, quishing, et cetera, that these people are still susceptible to. So the big question is, like, if you get infected by one of these, as an organization, how do you know? Like, there's no visibility, you're reliant on the protections that the OS provides you. Typically, an organization has at least an MDM, but an MDM is managing, and it's not security. So for me, the big takeaway is that these devices need visibility. Signals need to be fed into the SOC. Security needs to be part of it, not just the mobility team. Because a lot of times mobility is the only organization that's handling mobile devices, or the only team that's handling mobile devices in an organization. And for me, that's wrong. For me, security needs to be involved. They need to be able to see these signals. So you need to deploy solutions that enable organizations to be able to see that data, to be able to see what kind of threats are being targeted at the device.
Host/Interviewer
And how readily available are those kinds of solutions?
Justin Albrecht
Oh, they're available for sure. If you look up mobile EDR, or mobile threat defense, which is another category that it's often called. Yeah, you know, we have a solution, Lookout, of course. That's our bread and butter, really, beyond our threat intelligence. But there are others. Our competitors also have solutions. Even some of the big players in the game of endpoint defense have some solutions that will at least provide some visibility. In many cases only for Android or better on Android. But in some cases, like with ours and with some others, you have iOS and Android capabilities that will at least provide visibility and will provide protections against even the minimal threats.
Host/Interviewer
Help me understand an element of this when, when Apple comes at a problem like this, when they deliver their patches, and forgive me if this is an unfair question, but are they generally shutting down this specific exploit, or is it likely that they're able to shut off more of a category of things? Do you see where I'm going?
Justin Albrecht
Vulnerabilities can have multiple exploits, right? Like, you can have three different people writing an exploit for the same vulnerability, and they might come at it from different ways. So in a way, it does shut off categories, but let's call them very small categories. Like, they won't be able to shut down all threats to WebKit. Like I mentioned earlier, they can harden it a lot. They can find new vulnerabilities and continue to patch it. But at the end of the day, you have a lot of exploit researchers who are there trying to find new ways to take advantage of it. So they don't really cut off an entire category, but maybe subcategories. Maybe by being able to patch one of these vulnerabilities, they take care of a bundle of exploits, but not all of them that are targeting that specific portion of technology, is probably the way I'd put it.
Host/Interviewer
I see. All right. Well, Justin, I think I have everything I need for our story here. Is there anything I missed? Anything I haven't asked you that you think it's important to share?
Justin Albrecht
You know, just going back to what I've seen with that secondhand exploit market. Like, for me, that's the thing that I would love that people take away from this, is the fact that these things make it into the wild. And it should be part of a security posture. Like, people should be thinking about what targets their mobile devices and understand that these are no longer tools that are just in the hands of a few government entities that are interested in conducting espionage. Right. They can be used for a lot of other purposes now. And that environment exists, the pipeline exists, it will be reused. So just that takeaway.
Host/Interviewer
Our thanks to Justin Albrecht from Lookout for joining us. The research is titled "Attackers Wielding Dark Sword Threaten iOS Users." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Date: May 2, 2026
Host: Dave Bittner (N2K Networks)
Guest: Justin Albrecht (Principal Researcher, Lookout)
This Research Saturday episode delves into Lookout’s investigation of Dark Sword, a newly uncovered iOS zero-day exploit chain. The discussion centers on the emerging threat landscape of highly sophisticated iOS malware, the discovery path that led from Google’s report on Coruna to the Dark Sword campaign, and the troubling implications of a growing “secondhand” exploit market—where top-tier, Western-developed exploits widely proliferate beyond their original, government-grade targets.
"I noticed that the delivery in this case, it was JavaScript, had specific mentions in the code that it was targeting 18.4 and 18.6 versions of iOS, and these versions weren't targeted in Karuna. So from there, basically I knew that I had something new."
— Justin Albrecht [03:45]
“Root-level” Exploitation:
"It does all this within a couple minutes...and then it deletes itself from the device."
— Justin Albrecht [05:29]
Delivery & "Zero Click" Nuance:
"WebKit's been very hardened by Apple...In this case, the exploit first targets WebKit, but then almost immediately shifts to WebGPU, which hasn't been hardened as much."
— Justin Albrecht [07:30]
“Typically Apple doesn’t talk about malware at all…so these were really unprecedented moves.”
— Justin Albrecht [11:47]
“For me there’s a larger story behind all of this, which is how did these exploits…make a journey essentially across the world to a shady exploit broker who sold them on to criminals and spy groups.”
— Justin Albrecht [12:51]
“There are signs that perhaps they aren’t as technically capable as some of these top tier Russian APTs, which makes me doubt that it’s one of them. But we have no confirmation.”
— Justin Albrecht [22:27]
“Security needs to be involved. They need to be able to see these signals.”
— Justin Albrecht [25:13]
On exploit reuse:
“There’s proliferation of this tooling developed in the West…cost millions of dollars…and are being sold probably for the second time, maybe even the third time to different brokers.” — Justin Albrecht [14:02]
On mobile risk:
“There’s always been this trope that you’re not going to be targeted by [advanced iOS malware]—it’s going to be a reporter, an activist. We always knew that wasn’t exactly true…now, for example, Dark Sword was leaked on GitHub; anyone can take it and use it.” — Justin Albrecht [23:09]
On defenders’ mindset shift:
“People should be thinking about what targets their mobile devices and understand that these are no longer tools just in the hands of a few government entities… they can be used for a lot of other purposes now.” — Justin Albrecht [28:08]
For further details, see Lookout’s full report:
“Attackers Wielding Dark Sword Threaten iOS Users”