Apple investigating report of a new iOS exploit being used in the wild

Cyber-security firm ZecOps said today it detected attacks against high-profile targets using a new iOS email exploit.
Written by Catalin Cimpanu, Contributor
iPhone iOS

Cyber-security firm ZecOps said today it discovered what appears to be exploitation attempts using a new iOS vulnerability.

Apple is currently investigating the matter, and the company is preparing a security update to be made available soon.

New email-based iOS exploit discovered

In a report published today, ZecOps said it found evidence that hackers have been using an iOS bug since at least January 2018. Researchers say the new iOS exploit appears to have been leveraged as part of malformed emails sent to high-profile iOS users.

ZecOps researchers say the attack is a zero-click exploit that doesn't require users to interact with the email, with the exploit triggering once the user receives the email or the user opens the Apple Mail app. The exploit doesn't trigger in Gmail or other email clients, researchers said.

"The vulnerability allows to run remote code in the context of MobileMail (iOS 12) or maild (iOS 13)," the ZecOps team said. "Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails."

The security firm said the exploit doesn't grant control over the full device, and that an attacker would also need an additional iOS kernel vulnerability.

"We suspect that these attackers had another vulnerability. It is currently under investigation," ZecOps said.

The company said that until today it had detected exploitation attempts against targets such as:

  • Individuals from a Fortune 500 organization in North America
  • An executive from a carrier in Japan 
  • A VIP from Germany
  • MSSPs from Saudi Arabia and Israel
  • A Journalist in Europe
  • Suspected: An executive from a Swiss enterprise

"We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used 'as-is' or with minor modifications," ZecOps said.

ZecOps did not want to name the "nation-state" group who they believe was exploiting this bug.

Apple is investigating report. A patch also coming.

ZecOps said it notified Apple on February 19. Initially, ZecOps reported what appeared to be a regular security bug, and worked with Apple to patch the issue.

Apple published a patch for this bug on April 15, with the release of iOS 13.4.5 beta.

Things, however, changed on Monday, when ZecOps said it discovered evidence in customer logs of attempts to exploit this issue. The company published its report today in order to notify iOS users of the attacks and the need to install the iOS 13.4.5 release once it becomes generally available.

ZecOps said that while it detected possible exploitation of the bug as far as January 2018, the bug could have been exploited even earlier. The company said it replicated the issue as far back as iOS 6, released in 2012.

Image: ZecOps

Additional technical details about the vulnerability and its inner workings are available for Apple users and security experts in ZecOps' technical write-up.

Until a patch is available, ZecOps recommended that users disable the Apple Mail client and use Gmail, Outlook, or another email app instead.

HEX 4-in-1 case for the Apple iPhone 11 Pro: in pictures

Editorial standards