While the WebKit (Safari) zero-day is a Use-After-Free vulnerability in QuickTimePluginReplacement, tracked as CVE-2021-1879, which was discovered on March 19, 2021, and recently exploited by a likely Russian government-backed actors.
The campaign targeting Apple iOS devices also coincided with campaigns from same actor targeting users on Windows devices with the aim to deliver Cobalt Strike, a remote access software designed to execute targeted attacks.
How the Apple WebKit Zero-day was exploited in the wild?
The Apple WebKit Zero-day was exploited in the wild with attackers using LinkedIn Messaging to target officials from Western European countries by specially crafted malicious links.
Once the target victim visits the link from any iOS device, it would redirect to the attacker-controlled domain which served the next stage payloads. And through several validation checks to ensure the iOS device was a real device, the final payload which exploits CVE-2021-1879 would be served to the device.
This exploit turns off Same-Origin-Policy protections to be able to collect authentication cookies from popular websites, such as Google, LinkedIn, Facebook, which it then sends to an attacker-controlled IP via WebSocket. Albeit, not all attacks need chaining multiple zero-day exploits to be successful, the campaign mirrors a wave of targeted attacks carried out by Russian hackers tracked as Nobelium, that was found to abuse the vulnerability to strike Western government agencies.
How to Mitigate against the Apple WebKit Zero-day?
The WebKit flaw could be exploited by adversaries to process maliciously crafted web content to carry out a universal cross-site scripting attack.
However, Apple had promptly patched the flaw on March 26, 2021 with the release of iOS 14.4.2 and iPadOS 14.4.2, therefore users of affected Apple devices should update their devices in order to mitigate the Apple WebKit Zero-day.