CISA warns of Apple’s three zero-days exploited in spyware attacks


The US Cybersecurity & Infrastructure Security Agency (CISA) has ordered federal agencies to address three recently patched zero-day flaws affecting iPhones, Macs, and iPads known to be exploited in attacks.

  • CVE-2023-41991 Apple Multiple Products Improper Certificate Validation Vulnerability
  • CVE-2023-41992 Apple Multiple Products Kernel Privilege Escalation Vulnerability
  • CVE-2023-41993 Apple Multiple Products WebKit Code Execution Vulnerability


Security researchers from both Citizen Lab and Google’s Threat Analysis Group (TAG) unraveled a plot that feels straight out of a spy novel. Between May and September 2023, these zero-days became the weapon of choice for attackers. Their target? Former Egyptian MP Ahmed Eltantawy, who recently voiced his intention to contest the 2024 Egyptian presidential election.

Through deceptive SMS and WhatsApp messages, the attackers laid a digital trap for Eltantawy. His non-HTTPS website visits via Vodafone Egypt were intercepted and redirected to a malicious site that aimed to infect his phone with the notorious Predator spyware by Cytrox.

Using the trio of zero-day vulnerabilities, the attackers wove an intricate exploit chain:

1. CVE-2023-41993 provided the opening gambit, allowing remote code execution in Safari.
2. CVE-2023-41991 facilitated the bypass of signature validation.
3. And finally, CVE-2023-41992 allowed for kernel privilege escalation.

This automated sequence concluded with the deployment of a small malicious binary that determined whether the spyware implant would be installed on Eltantawy’s device.

Apple, being cognizant of these threats, rolled out patches in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1. The tech giant fixed the certificate validation issue and strengthened the kernel and WebKit checks to close these vulnerabilities.
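For an administrator turning the patch list above into an actionable check, the tricky part is that each product has two release branches with different fixed versions (for example macOS 12.7 and 13.6), so a naive "version >= 13.6" test would wrongly flag a patched macOS 12.7 host. The helper below, an added example that is not Apple’s or CISA’s tooling, encodes the fixed versions from this article per branch and reports which inventoried devices still need the update; the inventory rows are constructed sample data, and the product names and function names are this example’s own.

```python
"""Flag Apple devices still below the versions that fix CVE-2023-41991,
CVE-2023-41992 and CVE-2023-41993 (added example; fixed versions taken
from the article, inventory data constructed for illustration)."""
from typing import Dict, List, Tuple

# Fixed versions per product and release branch, as listed in the article.
# A branch with no entry (e.g. macOS 11) received no fix in this advisory.
PATCHED: Dict[str, List[str]] = {
    "macos":   ["12.7", "13.6"],
    "ios":     ["16.7", "17.0.1"],
    "ipados":  ["16.7", "17.0.1"],
    "watchos": ["9.6.3", "10.0.1"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '17.0.1' into (17, 0, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.strip().split("."))


def _ge(have: Tuple[int, ...], need: Tuple[int, ...]) -> bool:
    """Compare after zero-padding, so that '16.7' counts as '16.7.0'."""
    n = max(len(have), len(need))
    return have + (0,) * (n - len(have)) >= need + (0,) * (n - len(need))


def is_patched(product: str, version: str) -> bool:
    """True when `version` is at or above the fix for its own branch.

    - Same major version as a listed fix: compare against that fix.
    - Major version newer than every listed branch: treated as patched,
      since later releases carry the fix forward.
    - Older branch with no listed fix: treated as unpatched.
    """
    fixes = PATCHED.get(product.lower())
    if fixes is None:
        raise ValueError(f"unknown product: {product}")
    have = parse_version(version)
    branches = {parse_version(f)[0]: parse_version(f) for f in fixes}
    if have[0] in branches:
        return _ge(have, branches[have[0]])
    return have[0] > max(branches)


def devices_needing_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the names of inventory rows (name, product, version) that are
    still vulnerable according to the fixed-version table."""
    return [name for name, product, version in inventory
            if not is_patched(product, version)]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("mac-finance-01", "macOS", "12.7"),    # patched on the 12.x branch
    ("mac-eng-02",     "macOS", "13.5.2"),  # below 13.6 -> needs update
    ("iphone-ceo",     "iOS",   "17.0"),    # below 17.0.1 -> needs update
    ("iphone-ops",     "iOS",   "16.7"),    # patched on the 16.x branch
    ("ipad-lobby",     "iPadOS", "15.7.9"), # branch with no listed fix
    ("watch-ops",      "watchOS", "10.0.1"),# patched
]

if __name__ == "__main__":
    for name in devices_needing_update(SAMPLE_INVENTORY):
        print(f"UPDATE REQUIRED: {name}")
```

Feeding the output of an MDM export into `devices_needing_update` gives the list to chase before the BOD 22-01 deadline; the branch table is the only thing to edit when Apple publishes further fixed versions.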

Following the binding operational directive (BOD 22-01) from November 2022, Federal Civilian Executive Branch Agencies (FCEB) are mandated to patch their systems against vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalog. The directive now requires FCEBs to ensure the security of their Apple devices by October 16, 2023.

While this directive is tailored for U.S. federal agencies, private enterprises should heed this warning too. After all, in the world of cybersecurity, complacency is the silent enabler of calamity.