{"id":19732,"date":"2020-03-27T20:10:54","date_gmt":"2020-03-27T14:40:54","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/lightspy-watering-hole-attack\/19732\/"},"modified":"2020-03-27T20:10:54","modified_gmt":"2020-03-27T14:40:54","slug":"lightspy-watering-hole-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/lightspy-watering-hole-attack\/19732\/","title":{"rendered":"LightSpy spyware targets iPhone users in Hong Kong"},"content":{"rendered":"<p>In January of this year, experts <a href=\"https:\/\/securelist.com\/ios-exploit-chain-deploys-lightspy-malware\/96407\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">detected<\/a> a large-scale <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/watering-hole\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">watering-hole attack<\/a> aimed at residents of Hong Kong, in which the multifunctional malware LightSpy for iOS was installed on victims\u2019 smartphones. This is yet another reminder to anyone who thinks that Apple devices, in particular iPhones, are immune to malware; they are protected, of course, but by no means totally.<\/p>\n<h2>How LightSpy infects iOS devices<\/h2>\n<p>The malware landed on victims\u2019 smartphones when they visited one of several websites disguised as local news resources \u2014 the attackers simply copied the code of real news outlets and created their own clones.<\/p>\n<p>The sites loaded a whole bunch of <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/exploit\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">exploits<\/a> onto victims\u2019 smartphones, resulting in the installation of LightSpy. Links to the fake sites were distributed through forums popular with Hong Kongers. All it took for the iPhone to get infected was one visit to a malicious page. 
There was no need even to tap anything.<\/p>\n<h2>What is LightSpy?<\/h2>\n<p>LightSpy malware is a modular <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/backdoor\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">backdoor<\/a> that lets an attacker remotely execute commands on the infected device and generally run amok on the victim\u2019s phone.<\/p>\n<p>For example, the attacker can determine the smartphone\u2019s location, get its contact list and call history, see which Wi-Fi networks the victim has connected to, scan the local network, and upload data about all detected IP addresses to its command-and-control (C&amp;C) server. In addition, the backdoor has modules for stealing information from Keychain (iOS\u2019s password and encryption key storage), as well as data from the WeChat, QQ, and Telegram messaging apps.<\/p>\n<p>What\u2019s interesting is that the attackers used no zero-day vulnerabilities, but so-called first-day vulnerabilities \u2014 that is, newly discovered holes for which patches have been released but included only in the latest system updates. Therefore, those iOS users who updated their devices in a timely manner could not get infected \u2014 but, of course, lots of people didn\u2019t install the updates. The attack threatened owners of smartphones running iOS 12.1 and 12.2 (the problem affects models from iPhone 6s to iPhone X).<\/p>\n<h2>How to guard against LightSpy<\/h2>\n<p>It\u2019s still unclear whether LightSpy will spread beyond China, but such toolkits have a habit of reaching a wider audience, so don\u2019t assume that the problem will pass you by. Take the following precautions for greater security:<\/p>\n<ul>\n<li>Install the latest version of the operating system. 
If you are reluctant to do so because of issues with iOS 13, never fear: In the current version (13.4), Wi-Fi bugs and other irritants have been fixed.<\/li>\n<li>Be very careful when following links, especially links sent by strangers. Even if they appear at first glance to point to a known website, checking the address carefully does no harm.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>During a cyberattack in Hong Kong, LightSpy spyware infected the iPhones of people visiting counterfeit news sites.<\/p>\n","protected":false},"author":2506,"featured_media":19733,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2196],"tags":[14,1133,1219,26,689,527,2841],"class_list":{"0":"post-19732","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-apple","9":"tag-exploits","10":"tag-ios","11":"tag-iphone","12":"tag-spyware","13":"tag-threats","14":"tag-watering-hole"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/lightspy-watering-hole-attack\/19732\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/lightspy-watering-hole-attack\/16255\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/lightspy-watering-hole-attack\/21301\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/lightspy-watering-hole-attack\/19557\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/lightspy-watering-hole-attack\/18292\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/lightspy-watering-hole-attack\/22261\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/lightspy-watering-hole-attack\/21190\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/lightspy-watering-hole-attack\/27832\/"},{"hreflang":"x-d
efault","url":"https:\/\/www.kaspersky.com\/blog\/lightspy-watering-hole-attack\/34501\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/lightspy-watering-hole-attack\/14561\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/lightspy-watering-hole-attack\/14635\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/lightspy-watering-hole-attack\/13239\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/lightspy-watering-hole-attack\/23518\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/lightspy-watering-hole-attack\/11282\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/lightspy-watering-hole-attack\/27972\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/lightspy-watering-hole-attack\/25221\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/lightspy-watering-hole-attack\/21952\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/lightspy-watering-hole-attack\/27169\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/lightspy-watering-hole-attack\/27008\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/ios\/","name":"iOS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/19732","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/2506"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=19732"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/19732\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/19733"}],"wp:attachment":[{"href":"https:\/\/ww
w.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=19732"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=19732"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=19732"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}