Monday, October 7, 2024

Apple Refused to Pay $1 Million Bounty to Kaspersky Lab for iOS Zero-days


Apple has refused to pay Kaspersky Lab a reward for discovering critical vulnerabilities in iOS that allowed attackers to install spyware on any iPhone.

According to RTVI, the vulnerabilities were reported to Apple in 2023, and under the Apple Security Bounty program, such discoveries can earn up to $1 million.

However, Apple declined to transfer the reward to Kaspersky Lab or a charity.


Kaspersky Lab’s Discovery and Apple’s Response

Dmitry Galov, head of the Russian research center at Kaspersky Lab, expressed his confusion and disappointment over Apple’s decision.

“We found zero-day, zero-click vulnerabilities, transferred all the information to Apple, and did a proper job.

Essentially, we reported a vulnerability to them, for which they must pay a bug bounty.

We don’t need this remuneration, but large companies often donate such payments to charity.

Apple refused to pay us, even to a charity, citing internal policies, without explanation,” Galov told RTVI.

In early June 2023, the FSB announced the discovery of an intelligence campaign by American intelligence services using Apple mobile devices.


The agency reported several thousand iPhones, including those of embassy and diplomatic mission employees, were infected in Russia and abroad.

On the same day, Kaspersky Lab published a detailed report on the “most sophisticated cyberattack” on iOS, dubbed “Operation Triangulation.”

The attack involved sending an iMessage with a special attachment containing an exploit.

The exploit triggered the execution of malicious code without any user interaction, allowing attackers to introduce spyware into the iPhone silently.

Kaspersky Lab found spyware modules on the iPhones of its employees, including top management and middle managers.

“The purpose of that attack was espionage—a collection of any information from devices: geolocation, cameras, microphones, files, contacts.

In general, all the data that can be represented on the device.

This was not a financially motivated cyber attack—attackers do not use many resources to steal users’ banking data, for example.

We are confident that this was high-level targeted cyber espionage activity,” Galov explained.

Apple’s Acknowledgment and Patch Release

A few weeks after the cyber attack information was made public, Apple acknowledged the problem and released updates to fix the vulnerabilities in iOS.

The vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, posed a threat to all versions of iOS released before iOS 15.7.

In the description of the released patches, Apple named the four Kaspersky Lab employees who discovered the vulnerabilities.

Kaspersky Lab’s Shift to Android

Following the detection of the cyberattack, Kaspersky Lab transitioned all employees to mobile devices with Android OS.

“After discovering a spyware module in the iPhone of company employees last year, we [Kaspersky Lab] left iOS.

All company employees are now being issued corporate mobile devices on Android as planned, step by step.

We left iOS not because it is less secure but because we, as a security vendor, want to have more control over device security,” Galov stated.

Despite Kaspersky Lab’s significant contribution to identifying and reporting critical iOS vulnerabilities, Apple’s refusal to pay the bounty or donate it to charity has raised questions about its internal policies and decision-making processes.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
