The vulnerabilities addressed in Apple's recent updates are the kind of bugs that state-sponsored advanced persistent threats (APTs), cybercriminal organizations, hacktivist groups, and freelance hackers all seek out. What follows is an assessment of plausible exploitation methods and candidate actors. Unless Apple's advisory or a vendor report states that a specific CVE was exploited in the wild, the actor pairings below are hypotheses based on each group's known targeting and tooling, not confirmed attributions.
The kernel vulnerabilities allow an attacker who already runs code on the device to create a writable memory mapping where none should exist, or to leak kernel state (for example, kernel addresses that defeat KASLR). Both are building blocks of a privilege-escalation chain and help evade detection once kernel code execution is obtained. Groups such as China's APT41 and Russia's Fancy Bear (APT28) have a documented history of chaining privilege-escalation bugs for surveillance, espionage, and targeted intrusions. Ransomware operations such as REvil or LockBit could use flaws of this class to deploy payloads against enterprises or critical infrastructure, although ransomware crews typically buy or rent such exploits rather than develop them.
AppleMobileFileIntegrity (AMFI) enforces code signing and entitlement checks; a bypass lets a malicious app run unsigned code or claim entitlements it was never granted, and from there reach data the sandbox should have protected, such as personal files, stored credentials, and encrypted content. Reaching such a flaw requires getting the app onto the device, so the delivery paths are phishing, sideloading, or distribution through unofficial app stores and enterprise-certificate abuse. Financially motivated groups such as Evil Corp and state-backed groups such as North Korea's Lazarus Group, which has repeatedly targeted macOS users in the cryptocurrency sector, are plausible users of such bugs for theft and data exfiltration.
The WebKit vulnerabilities are memory-corruption bugs reachable from web content, which makes them the classic entry point for drive-by compromise: a victim only has to load a page, whether through a watering-hole site, a phishing link, or an in-app browser view. APT actors such as China's Mustang Panda, Iran's APT33, and North Korea's Kimsuky could use bugs of this class against journalists, dissidents, and organizations engaged in sensitive work. For users in those risk groups, Apple's Lockdown Mode reduces the WebKit attack surface (for instance by disabling JIT and some web technologies) at a cost in functionality, and is worth enabling in addition to installing the update.
The libexpat vulnerability (CVE-2024-45490) stems from XML_ParseBuffer accepting a negative length argument, which can lead to memory corruption and, depending on the calling application, a crash or code execution. Because the trigger is a bad length supplied by the caller rather than the XML document alone, exploitation depends on an application that passes attacker-influenced lengths to the parser, which narrows the practical attack surface. Cybercriminal groups (the page's example, Conti, disbanded in 2022, though its members continue under other brands) could use such a bug for malware delivery, while espionage-focused groups such as Russia's Turla might use it to infiltrate high-value networks; no public reporting ties this flaw to a named group.
The Password component bug allowed an attacker in a privileged network position (on the same Wi-Fi network, or controlling an upstream hop) to modify network traffic, enabling man-in-the-middle (MITM) attacks, credential theft, and session hijacking. Its practical reach is limited to untrusted or compromised networks, which is why it matters most for travelling staff and for devices on public Wi-Fi. APT actors such as Russia's Sandworm, which has a history of network-level operations against government and enterprise targets, could use such a position to intercept sensitive communications.
The IOMobileFrameBuffer vulnerability in the DCP (display coprocessor) firmware enables arbitrary code execution on that coprocessor. Code running there sits outside the main kernel's normal view, which makes it attractive for a stealthy, longer-lived foothold on high-value devices. Groups such as China's APT10 or Iran's MuddyWater could exploit a bug of this kind for espionage or sabotage, though coprocessor exploits of this sophistication are more typical of well-resourced state or mercenary-spyware operators than of crimeware.
Taken together, the candidate actors span state-sponsored groups, cybercriminal networks, hacktivists, and freelance threat actors. APT groups such as China's Hafnium, Russia's Cozy Bear (APT29), and Iran's Charming Kitten would pursue geopolitical objectives: surveillance, sabotage, and data theft. Cybercriminal groups such as Wizard Spider would pursue financially motivated operations, including ransomware deployment and fraud. Hacktivist collectives such as Anonymous might use such bugs to disrupt government or corporate systems, while freelance hackers would more likely focus on small-scale financial or personal targets. In every case the practical mitigation is the same: apply the updates promptly, and for high-risk users enable Lockdown Mode and restrict app installation to the App Store or a managed enterprise channel.
