A Russian government-backed threat group is using the DarkSword exploit kit to attack iOS devices. The group is known for spear-phishing campaigns that try to steal people's login information. The most recent activity involves sending fake "discussion invitation" emails that look like they come from the Atlantic Council to help spread GHOSTBLADE, a type of malware that steals data.
Leonid Volkov, a well-known Russian opposition politician and the political director of the Anti-Corruption Foundation, was one of the people who got the email. Apple has started sending Lock Screen notifications to older iPhones and iPads running iOS and iPadOS to let users know about web-based attacks and encourage them to install the update to stop the threat.
The news comes at the same time as Apple's warning and the leak of a new version of DarkSword on GitHub. This raises concerns that they could make nation-state exploits more widely available, which would change the mobile threat landscape in a big way. The TA446 is thought to be using the Dark sword exploit kit to steal credentials and gather information.
Proofpoint says that the targeting seen in the email campaign was "much wider than usual." This has led to the possibility that the threat actor is using the new features of DarkSword as part of an opportunistic campaign against a wider range of targets. The company sees it as a big enough threat that users need to pay attention right away, and it is telling them to update to iOS 8.1 or 9.
Apple's Lock Screen notification lets users know about the Lock Screen update and that it is not available on all versions of Apple's mobile operating systems at the time of this article's publication. It also lets users know that the threat is serious enough to need their attention. This is also the first time the company has warned users of iOS 8, 9, 10, or 10.
The Apple App Store has the update, which is expected to come out later this year.
