Hello, welcome to the Monday, September 2nd, 2019 edition of the Sands and the Stormsendors

Stormcast. My name is Johannes Ulrich. And I'm recording from Brussels, Belgium.

Ahead of the weekend, Google came out with a set of blog posts with details regarding a years-long attack against iPhone users.

Now, these attacks were targeted in the sense that the exploit code was deposited on very specific websites.

Google doesn't mention these websites, but they categorize it as a waterhole attack,

which typically means that the

website being affected with the malicious code here is typically targeting or catering a particular

community, but any user visiting this website was then infected by the malicious code if their phone was vulnerable.

Now typically when we talk about mobile malware and I have talked a couple times last week about Android malware, for example, we talk about malware that a user specifically installs, not knowing that what they're installing turns out to

be malware.

These exploits are different.

These are these more dangerous drive-by exploits where a user visits a website that is infected

with the malicious code and then as a result, malicious code is installed on the user's phone.

So if done right, then the user doesn't really have any idea what's happening or that the phone

is infected at all. These exploits, of course, are a bit more complicated and typically actually

require a set of exploits or an exploit

chain to be successful.

In this particular case, the initial exploit, of course, was targeting the Safari web browser.

So the user visits the malicious website.

There is specific JavaScript typically being running on that website that

triggers the vulnerability. And then this vulnerability is used to execute arbitrary code. In this

case at first, using the limited access restrictions that Safari has available. So it's still running in the sandbox and doesn't run with full privileges, which is where

...