Friday, June 21, 2024

Apple Refused to Pay $1 Million Bounty to Kaspersky Lab for iOS Zero-days

Apple has refused to pay Kaspersky Lab a reward for discovering critical vulnerabilities in iOS that allowed attackers to install spyware on any iPhone.

According to RTVI, the vulnerabilities were reported to Apple in 2023, and under the Apple Security Bounty program, such discoveries can earn up to $1 million.

However, Apple declined to transfer the reward to Kaspersky Lab or a charity.

Kaspersky Lab’s Discovery and Apple’s Response

Dmitry Galov, head of the Russian research center at Kaspersky Lab, expressed his confusion and disappointment over Apple’s decision.

“We found zero-day, zero-click vulnerabilities, transferred all the information to Apple, and did a proper job.

Essentially, we reported a vulnerability to them, for which they must pay a bug bounty.

We don’t need this remuneration, but large companies often donate such payments to charity.

Apple refused to pay us, even to a charity, citing internal policies, without explanation,” Galov told RTVI.

In early June 2023, the FSB announced the discovery of an intelligence-gathering campaign by American intelligence services that used Apple mobile devices.


The agency reported that several thousand iPhones, including those of embassy and diplomatic mission employees, had been infected in Russia and abroad.

On the same day, Kaspersky Lab published a detailed report on the “most sophisticated cyberattack” on iOS, dubbed “Operation Triangulation.”

The attack involved sending an iMessage with a special attachment containing an exploit.

The exploit triggered the execution of malicious code without any user interaction, allowing attackers to introduce spyware into the iPhone silently.

Kaspersky Lab found spyware modules on the iPhones of its employees, including top management and middle managers.

“The purpose of that attack was espionage—the collection of any information from devices: geolocation, cameras, microphones, files, contacts.

In general, all the data that can be represented on the device.

This was not a financially motivated cyber attack—attackers do not use many resources to steal users’ banking data, for example.

We are confident that this was high-level targeted cyber espionage activity,” Galov explained.

Apple’s Acknowledgment and Patch Release

A few weeks after information about the attack was made public, Apple acknowledged the problem and released updates to fix the vulnerabilities in iOS.

The vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, posed a threat to all versions of iOS released before iOS 15.7.

In the description of the released patches, Apple named the four Kaspersky Lab employees who discovered the vulnerabilities.

Kaspersky Lab’s Shift to Android

Following the detection of the cyberattack, Kaspersky Lab transitioned all employees to mobile devices with Android OS.

“After discovering a spyware module on the iPhones of company employees last year, we [Kaspersky Lab] left iOS.

All company employees are now being issued corporate mobile devices on Android as planned, step by step.

We left iOS not because it is less secure but because we, as a security vendor, want to have more control over device security,” Galov stated.

Despite Kaspersky Lab’s significant contribution to identifying and reporting critical iOS vulnerabilities, Apple’s refusal to pay the bounty or donate it to charity has raised questions about its internal policies and decision-making processes.

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.