
New iOS exploit used in spying on China's Uyghur minority

Security company Volexity reported that it discovered a new iOS exploit being used to spy on China's Uyghur minority. The exploit, which Volexity calls Insomnia, works against iOS versions 12.3, 12.3.1 and 12.3.2. The vulnerability behind it was patched by Apple in July 2019 with the release of iOS 12.4.

Volexity mentioned the Insomnia exploit was used in the wild between January and March 2020, loaded on iOS devices of users visiting Uyghur-themed websites. When the victims accessed the website, the exploit was loaded on the device, granting root access to the threat actors. The attackers would then use access to steal messages, emails, contact lists, photos, and GPS location data.

Insomnia exploit utilized by the Evil Eye group

Volexity attributes the exploit to a threat actor it tracks as Evil Eye. The Evil Eye group is believed to be state-sponsored and operating on behalf of the Chinese government to spy on the Uyghur Muslim minority. The same group was exposed by Google and Volexity in the summer of 2019, having used 14 iOS exploits to target the minority since September 2016. Those 14 exploits were delivered through a watering hole technique: the attackers compromised websites their targets were likely to visit and served the exploits to visitors.

A new Volexity report mentioned that once Google published the report on the 14 iOS exploits, Evil Eye shut down the infrastructure and stopped using the older exploits. Volexity also mentioned the group popped back up on the radar at the beginning of 2020 with the new Insomnia exploit, picking up where they left off. They are once again targeting the Uyghur minority with further watering hole attacks.

Evil Eye now targeting Signal and ProtonMail

Volexity researchers noted that the Insomnia exploit also brings improvements over the 14 iOS exploits used previously. The earlier exploits, used in attacks between 2016 and 2019, stole GPS coordinates, address books, photos, emails from Google and messages from WeChat, iMessage, Hangouts, Telegram, and WhatsApp. The new Insomnia payload extends the data it steals to ProtonMail email and images sent through the Signal app. According to Volexity, the inclusion of ProtonMail and Signal suggests the Uyghurs are aware that their communications may be monitored and are moving to apps with more robust security.

Insomnia may work with any WebKit browser

The company said that any iOS user who visited the Insomnia-laced websites was open to being hacked. The exploit can be triggered through any browser on the phone, because Apple requires every iOS browser to use the WebKit engine. Volexity confirmed successful exploitation of phones running 12.3.1 through Google Chrome, Apple Safari, and Microsoft Edge. As with the previous exploits, Insomnia has no boot persistence: rebooting the phone removes the Insomnia malicious code from the device, although it does not recover data already stolen, and revisiting a compromised site can reinfect an unpatched device.

Volexity also believes this doesn't mean that Evil Eye can't get boot persistence to happen if they focus on making it happen. It may be possible that they have a method of persistence, but they only set it up manually if the target is verified. According to the company, the exploit was mostly found on the Uyghur Academy website.

Updating devices to iOS 12.4 or later protects them from this exploit, whether or not their users visit Uyghur-themed websites.
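A practical follow-up for anyone running a site that such devices visit, or managing a fleet of iPhones, is to find the devices still in the affected 12.3 to 12.3.2 range. The script below is an added example and not code from the article or from Volexity: it pulls the iOS version out of the user-agent string in web server log lines (Safari, Chrome and Edge on iOS all report the OS version the same way because they all wrap WebKit) and classifies each client against the version range the article gives. The log lines, IP addresses and request paths are constructed for the example; the combined log format regex assumes standard Apache or nginx combined logging.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Versions the article reports Insomnia working against, and the version
# in which Apple shipped the fix (iOS 12.4, July 2019).
AFFECTED_VERSIONS = {(12, 3, 0), (12, 3, 1), (12, 3, 2)}
FIXED_VERSION: Version = (12, 4, 0)

# iPhone UAs read "CPU iPhone OS 12_3_1 like Mac OS X", iPad UAs "CPU OS 12_3_1 ...".
# Chrome (CriOS) and Edge (EdgiOS) on iOS keep the same OS token, since they
# are WebKit wrappers, so one pattern covers all three browsers named in the article.
_IOS_UA_RE = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))?")

# Apache/nginx combined log format; the user agent is the final quoted field.
_COMBINED_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$'
)


def parse_ios_version(user_agent: str) -> Optional[Version]:
    """Return (major, minor, patch) for an iOS user agent, or None if it is not iOS."""
    m = _IOS_UA_RE.search(user_agent)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version: Optional[Version]) -> str:
    """Bucket a device against the Insomnia version range from the article."""
    if version is None:
        return "not_ios"
    if version in AFFECTED_VERSIONS:
        return "affected"        # Insomnia works here; device needs iOS 12.4 or later
    if version >= FIXED_VERSION:
        return "patched"         # fix for this bug is present
    return "older"               # below 12.3: outside Insomnia's range, but still an old iOS


def scan_log(lines: List[str]) -> List[dict]:
    """Parse combined-format log lines and tag each client with its iOS status."""
    results = []
    for line in lines:
        m = _COMBINED_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _ts, request, _status, _referer, ua = m.groups()
        version = parse_ios_version(ua)
        results.append({"ip": ip, "request": request,
                        "version": version, "status": classify(version)})
    return results


def affected_clients(lines: List[str]) -> Dict[str, Version]:
    """Map client IP -> iOS version for every client in the affected range."""
    return {r["ip"]: r["version"] for r in scan_log(lines) if r["status"] == "affected"}


# Constructed sample log lines (documentation IP range, hypothetical paths):
# Safari on 12.3.1, Chrome on 12.3, Edge on an iPad running 12.4.1,
# a desktop Chrome client, and Safari on 12.2.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Feb/2020:14:03:21 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1"',
    '203.0.113.11 - - [10/Feb/2020:14:05:02 +0000] "GET /news/ HTTP/1.1" 200 8840 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) CriOS/74.0.3729.121 Mobile/15E148 Safari/604.1"',
    '203.0.113.12 - - [10/Feb/2020:14:07:44 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (iPad; CPU OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) EdgiOS/44.8.7 Mobile/15E148 Safari/605.1.15"',
    '203.0.113.13 - - [10/Feb/2020:14:09:10 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/80.0.3987.122 Safari/537.36"',
    '203.0.113.14 - - [10/Feb/2020:14:12:37 +0000] "GET /news/ HTTP/1.1" 200 8840 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/12.1 Mobile/15E148 Safari/604.1"',
]

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(f'{r["ip"]:<14} {str(r["version"]):<14} {r["status"]}')
    print("affected:", affected_clients(SAMPLE_LOG))
```

The user agent is client-controlled, so this is an inventory and triage aid for finding unpatched devices, not evidence that any device was exploited; a device in the "affected" bucket that visited a compromised site should be treated as potentially implanted until it has been rebooted and updated.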
