Don’t go drinking from that watering hole!

Several indiscriminate watering hole attacks were used earlier this year to implant a monitoring exploit onto iPhones that visited infected websites. The end goal is still unknown, but it appeared to have targeted a certain community of iPhone users that visited those websites. There is no mention if this was for financial gain or political purposes. What’s known is a series of zero-day exploits for unpatched vulnerabilities in specific versions of iOS were implanted starting from 10.0.1 to 12.1.x and were patched in version 12.1.4. The current version of iOS and iPadOS is 12.4.1. The Google Project Zero blog details are here.

Watering Hole Attack

There are a lot of things to unpack here: First, and from all known indications, these vulnerabilities have been patched in the latest versions of iOS and iPadOS. Second, there is no mention of the affected websites other than that they are visited by thousands of users (not millions or billions of users), so we can rule out the most popular social media sites.

So how do these types of hacks work? A watering hole attack usually starts with a targeted group of people or specific region. The threat actor tracks the web surfing tendencies of these specific groups of users to know what internet sites they frequently visit. Once those sites are known, the threat actor infects these websites with their exploit kit, and devices of unsuspecting visitors to that website are infected.

Exploit Campaigns

There were fourteen vulnerabilities across five exploit campaigns (or “chains,” as Project Zero calls them). Seven were found on the Safari web browser, five for the OS kernel, and two were elevation of privileges (sandbox escapes). These chains extended from September of 2016 to late January of this year. Zero-day exploits are very expensive if purchased by threat actors. Conservatively, the starting price is around $1 to $2 million dollars and go up in price depending on how quickly the target can be compromised – so it’s a pretty safe bet that these are nation-state sponsored attacks, though the motive is unknown.

Mitigate Mobile Threats

So, what should a mobile centric  enterprise do to derail and mitigate threat actors?

  1. Don’t assume that mobile devices are more secure or safer than traditional desktops. All enterprises must  be conscious of the risks posed by mobile devices and plan accordingly.
  2. Enterprises need to make risk-based decisions based on sound security strategy, like implementing a mobile-centric zero trust security framework for all their employees – and deploy the correct technologies accordingly.
  3. Assume that all software can and will be exploited, and the point of entry into your enterprise will probably be through a user doing something (that may appear as benign) on an endpoint.
  4. Use MobileIron to enforce the latest software and security patches on devices through tiered device compliance policies.
  5. Monitor and protect your endpoints via MobileIron Unified Endpoint Management (UEM) and MobileIron Threat Defense (MTD).
    • UEM would detect the device health, halt registration if the device were jailbroken or rooted, and block access to the enterprise network.
    • MTD would then proactively monitor and detect that the installed OS was vulnerable, an app sandbox escape (EoP), and system tampering at the device level.
    • Compliance actions can then be applied like blocking email, managed apps and their content, quarantine by removing all UEM-provisioned configurations, or selectively wipe the corporate content from the device.
    • Once threats are removed from the device, all UEM-provisioned configurations and policies can then be restored so the knowledge worker can continue their work.
  6. Protect access to data both on-prem with MobileIron Tunnel and Sentry and in the cloud with MobileIron Access. Out-of-compliant devices would be blocked by the removal of the Tunnel app on the device and revocation of the authentication token on Access for the user.
  7. Lastly, have a security awareness program. Educate your users on common sense precautions. And then, audit, audit, audit…!


James Saturnio

James Saturnio

Senior Lead Technical Market Adviser at MobileIron

About the author

James Saturnio is a Senior Lead Technical Market Adviser at MobileIron. He immerses himself in all things cybersecurity and has over 25 years’ experience in this field. He has been with MobileIron for over 6 years, and previously worked at Cisco Systems for 19 years. While at Cisco, he worked as a TAC Engineer, and then as a Technical Leader for the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.