Apple iOS smartphone users in Hong Kong are being targeted in a new campaign exploiting online news readers to serve malware.
This week, Trend Micro researchers said the scheme, dubbed Operation Poisoned News, uses links posted on a variety of forums popular with Hong Kong residents that claim to lead to news stories.
Newly-registered members of the discussion forums would post links generally related to sex, clickbait headlines, and COVID-19.
The links do actually lead to legitimate news outlets; however, a watering hole attack uses a hidden iframe to deploy and execute malicious code.
"The URLs used led to a malicious website created by the attacker, which in turn contained three iframes that pointed to different sites," the researchers say. "The only visible iframe leads to a legitimate news site, which makes people believe they are visiting the said site. One invisible iframe was used for website analytics; the other led to a site hosting the main script of the iOS exploits."
The campaign began in mid-February and appears to be ongoing. Based on the distribution model, the team believes the campaign is not selective in its targets; instead, the goal is to compromise as many devices as possible.
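The page layout the researchers describe, one visible iframe plus invisible ones loading from other sites, is something a defender can check for in fetched markup. The following Python sketch is an added example, not code from Trend Micro or the original article; the sample page, its hostnames, and the names `IframeAudit` and `hidden_foreign_iframes` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one visible iframe and two invisible ones, as in the
# layout quoted above. Every hostname here is a placeholder.
SAMPLE_PAGE = """
<html><body>
<iframe src="https://news.example.org/story" width="100%" height="100%"></iframe>
<iframe src="https://stats.example.net/c.html" style="display:none"></iframe>
<iframe src="https://cdn.example.com/main.html" width="0" height="0"></iframe>
</body></html>
"""

# Inline styles that render a frame invisible.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)

class IframeAudit(HTMLParser):
    """Collects every iframe with its visibility and target host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        zero_sized = any(a.get(dim, "").strip().lower() in ("0", "0px")
                         for dim in ("width", "height"))
        hidden = ("hidden" in a or zero_sized
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        host = urlparse(a.get("src", "")).hostname
        self.frames.append({"src": a.get("src", ""), "hidden": hidden,
                            "other_host": host is not None and host != self.page_host})

def hidden_foreign_iframes(html, page_url):
    """Return the src of each invisible iframe that loads from another host."""
    audit = IframeAudit(page_url)
    audit.feed(html)
    return [f["src"] for f in audit.frames if f["hidden"] and f["other_host"]]

if __name__ == "__main__":
    for src in hidden_foreign_iframes(SAMPLE_PAGE, "https://landing.example/"):
        print("invisible third-party iframe:", src)
```

This inspects static markup only: frames injected by script or hidden through an external stylesheet need a rendered DOM to be seen.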
An infection chain begins if a user clicks on a link while using an Apple iPhone 6S up to the iPhone X running iOS 12.1 and 12.2 that has not received a silent patch for a Safari bug Apple has fixed in recent versions of the firm's OS.
The Safari vulnerability -- which does not have a CVE -- can be exploited to trigger CVE-2019-8605, a use-after-free memory flaw resolved in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, and watchOS 5.2.1. If exploited, this bug can result in the compromise of the kernel to obtain root privileges.