Threat Intel - New iOS Exploit Kit Emerges from Russia
Basically, a new hacking tool for iPhones has been found, possibly made by Russian hackers.
A new iOS exploit kit named DarkSword has been discovered, linked to suspected Russian hackers. This could impact millions of iPhone users and raises serious security concerns. Understanding these threats is essential for mobile device protection.
The Threat
Researchers have uncovered a new iOS exploit kit named DarkSword, believed to be developed by suspected Russian hackers. This discovery follows the earlier identification of a similar kit, Coruna, and highlights a worrying trend in mobile cyberattacks. The collaboration between iVerify, Lookout, and Google reveals that DarkSword could potentially affect up to 270 million iPhone users worldwide. This is alarming, especially since 15% of all iOS devices are running versions that could be vulnerable.
The implications of DarkSword are severe. Unlike Coruna, which primarily targeted financial gain, DarkSword appears to serve dual purposes: financial exploitation and surveillance. It can exfiltrate sensitive information such as passwords, cryptocurrency wallets, and text messages. This shift towards mobile attacks is significant as mobile devices now account for a larger share of internet traffic.
Who's Behind It
While the exact identities of the attackers remain unclear, there are strong indications linking DarkSword to Russian cyber-espionage groups. Google has attributed the campaign to a group it tracks as UNC6353, which is known for its ties to Russian state-sponsored activities. The presence of a secondary exploit market raises concerns about the proliferation of such tools, making it easier for less experienced hackers to launch sophisticated attacks.
Interestingly, the code within DarkSword shows signs of being generated by a large language model (LLM), suggesting that even advanced hacking tools are becoming more accessible. This development could lower the barrier for entry into mobile exploits, allowing a wider range of attackers to utilize these capabilities.
Tactics & Techniques
DarkSword operates by first compromising Apple's WebKit, then leveraging WebGPU to execute sandbox escapes. This method allows attackers to bypass security measures and gain deeper access to devices. The research indicates that the attackers may not exhibit the high level of operational security typically associated with seasoned Russian threat actors, as evidenced by the lack of obfuscation in their code.
The motivations behind these attacks are complex. While financial gain is a clear objective, there is also a possibility that the attacks serve broader espionage goals, particularly against targets in regions like Ukraine, Saudi Arabia, Turkey, and Malaysia. This duality of purpose complicates the response strategies for potential victims.
Defensive Measures
In response to the discovery of DarkSword, Google has been in contact with Apple regarding the vulnerabilities exploited by the kit. Apple has since patched these vulnerabilities, including those in the recent iOS 26.3 update. However, the research emphasizes the need for users to remain vigilant, as the evolving nature of mobile threats poses ongoing risks.
To protect against such threats, users should ensure their devices are updated regularly and be cautious about the applications they install. Awareness of potential phishing attempts and suspicious activity is crucial in safeguarding personal information. As mobile cyberattacks become more prevalent, understanding these threats is vital for maintaining security.