Tuesday, December 10, 2024

Apple Refused to Pay $1 Million Bounty to Kaspersky Lab for iOS Zero-days

Apple has refused to pay Kaspersky Lab a reward for discovering critical vulnerabilities in iOS that allowed attackers to install spyware on any iPhone.

According to RTVI, the vulnerabilities were reported to Apple in 2023, and under the Apple Security Bounty program, such discoveries can earn up to $1 million.

However, Apple declined to transfer the reward to Kaspersky Lab or a charity.


Kaspersky Lab’s Discovery and Apple’s Response

Dmitry Galov, head of the Russian research center at Kaspersky Lab, expressed his confusion and disappointment over Apple’s decision.

“We found zero-day, zero-click vulnerabilities, transferred all the information to Apple, and did a proper job.

Essentially, we reported a vulnerability to them, for which they must pay a bug bounty.

We don’t need this remuneration, but large companies often donate such payments to charity.

Apple refused to pay us, even to a charity, citing internal policies, without explanation,” Galov told RTVI.

In early June 2023, the FSB announced the discovery of an intelligence campaign by American intelligence services using Apple mobile devices.


The agency reported several thousand iPhones, including those of embassy and diplomatic mission employees, were infected in Russia and abroad.

On the same day, Kaspersky Lab published a detailed report on the “most sophisticated cyberattack” on iOS, dubbed “Operation Triangulation.”

The attack involved sending an iMessage with a special attachment containing an exploit.

The exploit triggered the execution of malicious code without any user interaction, allowing attackers to introduce spyware into the iPhone silently.

Kaspersky Lab found spyware modules on the iPhones of its employees, including top management and middle managers.

“The purpose of that attack was espionage—a collection of any information from devices: Geolocation, cameras, microphones, files, contacts.

In general, all the data that can be represented on the device.

This was not a financially motivated cyber attack—attackers do not use many resources to steal users’ banking data, for example.

We are confident that this was high-level targeted cyber espionage activity,” Galov explained.

Apple’s Acknowledgment and Patch Release

A few weeks after the cyber attack information was made public, Apple acknowledged the problem and released updates to fix the vulnerabilities in iOS.

The vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, posed a threat to all versions of iOS released before iOS 15.7.

In the description of the released patches, Apple named the four Kaspersky Lab employees who discovered the vulnerabilities.

Kaspersky Lab’s Shift to Android

Following the detection of the cyberattack, Kaspersky Lab transitioned all employees to mobile devices with Android OS.

“After discovering a spyware module in the iPhone of company employees last year, we [Kaspersky Lab] left iOS.

All company employees are now being issued corporate mobile devices on Android as planned, step by step.

We left iOS not because it is less secure but because we, as a security vendor, want to have more control over device security,” Galov stated.

Despite Kaspersky Lab’s significant contribution to identifying and reporting critical iOS vulnerabilities, Apple’s refusal to pay the bounty or donate it to charity has raised questions about its internal policies and decision-making processes.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
