Friday, January 24, 2025

Apple Refused to Pay $1 Million Bounty to Kaspersky Lab for iOS Zero-days


Apple has refused to pay Kaspersky Lab a reward for discovering critical vulnerabilities in iOS that allowed attackers to install spyware on any iPhone.

According to RTVI, the vulnerabilities were reported to Apple in 2023, and under the Apple Security Bounty program, such discoveries can earn up to $1 million.

However, Apple declined to transfer the reward to Kaspersky Lab or a charity.

Kaspersky Lab’s Discovery and Apple’s Response

Dmitry Galov, head of the Russian research center at Kaspersky Lab, expressed his confusion and disappointment over Apple’s decision.

“We found zero-day, zero-click vulnerabilities, transferred all the information to Apple, and did a proper job.

Essentially, we reported a vulnerability to them, for which they must pay a bug bounty.

We don’t need this remuneration, but large companies often donate such payments to charity.

Apple refused to pay us, even to a charity, citing internal policies, without explanation,” Galov told RTVI.

In early June 2023, the FSB announced the discovery of an intelligence campaign by American intelligence services using Apple mobile devices.


The agency reported that several thousand iPhones, including those of embassy and diplomatic mission employees, were infected in Russia and abroad.

On the same day, Kaspersky Lab published a detailed report on the “most sophisticated cyberattack” on iOS, dubbed “Operation Triangulation.”

The attack involved sending an iMessage with a special attachment containing an exploit.

The exploit triggered the execution of malicious code without any user interaction, allowing attackers to introduce spyware into the iPhone silently.

Kaspersky Lab found spyware modules on the iPhones of its employees, including top management and middle managers.

“The purpose of that attack was espionage—a collection of any information from devices: Geolocation, cameras, microphones, files, contacts.

In general, all the data that can be represented on the device.

This was not a financially motivated cyber attack—attackers do not use many resources to steal users’ banking data, for example.

We are confident that this was high-level targeted cyber espionage activity,” Galov explained.

Apple’s Acknowledgment and Patch Release

A few weeks after the cyber attack information was made public, Apple acknowledged the problem and released updates to fix the vulnerabilities in iOS.

The vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, posed a threat to all versions of iOS released before iOS 15.7.

In the description of the released patches, Apple named the four Kaspersky Lab employees who discovered the vulnerabilities.

Kaspersky Lab’s Shift to Android

Following the detection of the cyberattack, Kaspersky Lab transitioned all employees to mobile devices with Android OS.

“After discovering a spyware module in the iPhone of company employees last year, we [Kaspersky Lab] left iOS.

All company employees are now being issued corporate mobile devices on Android as planned, step by step.

We left iOS not because it is less secure but because we, as a security vendor, want to have more control over device security,” Galov stated.

Despite Kaspersky Lab’s significant contribution to identifying and reporting critical iOS vulnerabilities, Apple’s refusal to pay the bounty or donate it to charity has raised questions about its internal policies and decision-making processes.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
