U.S. intelligence said that the Chaos iPhone remote takeover exploit was used against the Uyghur ethnic minority before Apple could patch the problem.
In November 2018, a Chinese security researcher working with the internet security and antivirus company Qihoo 360 unveiled an intricately woven exploit: one that would allegedly let a remote attacker easily jailbreak an iPhone X running iOS 12.1.
The researcher, Qixun Zhao, dubbed the exploit Chaos, for good reason. As his proof-of-concept video allegedly shows, a successful exploit would let a remote attacker jailbreak an iPhone X with the targeted user none the wiser, giving the intruder access to the victim's data, processing power and more. It worked as a drive-by attack, requiring only that the iPhone user visit a web page containing Qixun's malicious code.
It would have made a superb spying tool, given that it would let an attacker easily take control of even the newest, most up-to-date iPhones, enabling a snooper to read a victim's messages and passwords and to track their location in near-real time.
According to a report published by MIT Technology Review on Thursday, that's exactly what happened: virtually overnight, Chinese intelligence allegedly weaponized the exploit before Apple could fix the problem.
The publication said that, according to its sources, the U.S. has amassed details of how the Chaos exploit was used to hack China's Uyghur Muslims, a common target of espionage campaigns. The claim is bolstered by earlier reporting: in August 2019, sources told TechCrunch that malicious websites used to hack into iPhones over a two-year period were targeting the Uyghurs.
Google security researchers had found and disclosed the malicious websites a week before TechCrunch's report, but they hadn't initially known whom the malicious sites were targeting. They did, however, know that the code looked familiar: in an in-depth examination, Google noted how similar the exploit served by the malicious sites was to Chaos.
Now, MIT Technology Review has learned that the U.S. had come to the same conclusion, and that it had quietly informed Apple. Apple, which had been tracking the attack, had already come to the same conclusion on its own: That the Chaos exploit and the attacks on Uyghurs were one and the same, as the outlet puts it.
Prioritizing a difficult fix, Apple issued an update to patch the flaw in January 2019.
The patch arrived two months after Chaos had been unveiled at the inaugural Tianfu Cup, a Chinese hacking contest that came into being a few months after the country banned its cybersecurity research teams from competing in the Pwn2Own hacking competition or, for that matter, in any global hacking or capture-the-flag competition.
Keeping Security Know-How at Home?
The ban on researchers attending foreign competitions apparently grew out of a distaste for giving away vulnerabilities by disclosing them in public to conference audiences, or to hacking programs in real time. Both the ban and the subsequent launch of the Tianfu Cup followed close on the heels of an announcement from Qixun's boss, Zhou Hongyi, the billionaire founder and CEO of Qihoo 360, criticizing the export of vulnerabilities that, once made public, can no longer be used. Both the researchers and their know-how should stay in China, he said, in order to maximize the strategic value of zero days.
In an interview with the Chinese news site Sina, the influential CEO called the achievement of winning cash prizes at foreign competitions imaginary.
Qixun Zhao has emphatically denied involvement, telling MIT Technology Review that he couldn't remember who came into possession of the exploit code following his win, for which he was awarded $200,000 at Tianfu Cup. Although he has suggested that the exploit used against the Uyghurs was probably deployed after the patch release, both Google and Apple have documented how it was used before the January 2019 fix. His exploit shares code with other exploit writers, he said, but Apple and U.S. intelligence sources told MIT Technology Review that the exploits aren't merely similar; in fact, they're the same. Qixun may well not be personally involved, given that Chinese law requires citizens and organizations to cooperate with intelligence agencies when asked.
Threatpost reached out to Qixun, Qihoo and Apple for comments and will update the article accordingly.
Scott Henderson, principal analyst at FireEye Mandiant Threat Intelligence, told Threatpost in an email on Friday that the reality of the situation is that if China is really doing what reports allege, it's hardly surprising, and it's not just the Uyghurs that are under its microscope. "It is important to understand that it is a strategic imperative for China to maintain the national integrity and sovereignty of the country's borders," he said. "In addition to Tibetans and Uyghurs, Beijing also monitors Hong Kong, Taiwan, the Catholic Church, and, in the past, members of the Falun Gong. It is a persistent problem for human rights organizations, as well as government and private entities that are involved in, or even [that] comment on, China's human rights issues."
At any rate, Henderson said, this isn't the first time that tangential connections have been drawn between a Chinese hacking competition and state-sponsored activity. For example, he pointed to Mandiant Threat Intelligence having observed infrastructure related to a Chinese hacking cup event that showed potential connections to a team of threat actors it calls TEMP.Avengers, a.k.a. Hurricane Panda and Black Vine.