Advanced DarkSword Exploit Threatens iOS Systems
- Security Team

- 2 days ago

ICS Labs’ CTI identified that an advanced exploitation toolkit for iOS, known as DarkSword, has been publicly leaked on GitHub, drastically lowering the barrier to entry for attacks against iPhones and iPads. Originally used in state-level espionage operations, DarkSword can now be leveraged by virtually any attacker with basic technical knowledge.
The tool enables the full compromise of iPhones and iPads through a single user interaction (visiting a malicious webpage), potentially impacting hundreds of millions of unpatched devices.
Threat Description
DarkSword is an exploit chain composed of six vulnerabilities. The chain executes entirely through the native Safari browser and culminates in privilege escalation to the kernel level, remote code execution in Safari, and unrestricted access to the file system by bypassing iOS sandbox protections. Once the compromise is successful, an attacker can extract messages, credentials, and system files, as well as monitor user activity.
The threat has already been observed in real-world campaigns, initially targeting Ukrainian citizens, and has been associated with the UNC6353 group, with possible links to Russian government interests. However, the leak of the toolkit makes the tool accessible to any malicious actor, significantly reducing the technical barrier for exploitation.
Affected versions range from iOS/iPadOS 18.4 through 18.7. According to Apple data, approximately 25% of iPhones and iPads are running version 18 or earlier, indicating that millions of devices may be at risk.
Attack Chain
1. User accesses a compromised website
2. The page loads a malicious iframe via Safari
3. Exploitation of JavaScriptCore via a DFG JIT bug
4. Escape from the WebContent sandbox
5. Use of WebGPU to inject code into the mediaplaybackd process
6. Privilege escalation to gain full kernel access
7. Full device control, enabling code execution and subsequent data exfiltration
Immediate Mitigations
The latest version of iOS is not vulnerable to the DarkSword exploit, but Apple has released an emergency patch for devices that are not compatible with upgrading to the most recent version. Therefore, the immediate recommendation is to apply all available updates and patches for each device.
In addition, Apple confirmed that devices with Lockdown Mode enabled (also referenced in the system as Modo Bloqueio) are not vulnerable to DarkSword-based attacks, even on outdated system versions. This protection is due to the disabling of certain complex web technologies when the feature is active.
Recommendations for Security Teams
The leak of a toolkit previously restricted to state-sponsored espionage operations, such as DarkSword, illustrates the current landscape of highly sophisticated threats and highlights the importance of keeping systems properly updated. The risk to highly targeted environments and users remains high, but the public disclosure also exposes less prominent profiles to exploitation.
As a result, it is increasingly necessary to replace devices that no longer receive official updates due to end-of-support when operating in environments that require a high level of cybersecurity.
Additionally, security teams should leverage mobile device management (MDM) solutions to block access to corporate resources from vulnerable systems and enforce updates to patched versions of iOS. It is also important that Lockdown Mode be enabled by default on devices used for critical activities or by users with high organizational importance.
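As an added illustration of the MDM-based recommendation above (example code written for this page, not code from the advisory or from any MDM vendor): a Python triage of an MDM inventory export that flags iOS/iPadOS devices in the 18.4 through 18.7 range unless Lockdown Mode is enabled. The record field names, the sample inventory and the PATCHED_BUILDS placeholder are assumptions; the page does not name the build of Apple's backported fix.

```python
from typing import Iterable, Optional

AFFECTED_MIN = (18, 4)  # first affected release named in the advisory
AFFECTED_MAX = (18, 7)  # last affected release named in the advisory
# Placeholder: the advisory does not name the backported fix build; fill in
# the confirmed version string(s) so those devices are not flagged.
PATCHED_BUILDS: set = set()

def parse_version(text: str) -> Optional[tuple]:
    """'18.7.2' -> (18, 7, 2); None if the field is empty or not numeric."""
    core = text.strip().split()[0] if text.strip() else ""
    try:
        return tuple(int(part) for part in core.split("."))
    except ValueError:
        return None

def exposure(device: dict) -> str:
    """Classify one inventory record as exposed, mitigated, not_affected or unknown."""
    if device.get("os") not in ("iOS", "iPadOS"):
        return "not_affected"
    version = device.get("os_version", "")
    if version in PATCHED_BUILDS:
        return "not_affected"
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"  # cannot judge; treat as exposed in policy until updated
    if not (AFFECTED_MIN <= parsed[:2] <= AFFECTED_MAX):
        return "not_affected"
    # The advisory states Lockdown Mode blocks the chain even on outdated builds.
    if device.get("lockdown_mode") is True:
        return "mitigated"
    return "exposed"

def triage(inventory: Iterable) -> dict:
    """Group device names by exposure so an MDM policy can act on each set."""
    groups = {k: [] for k in ("exposed", "mitigated", "not_affected", "unknown")}
    for device in inventory:
        groups[exposure(device)].append(device["name"])
    return groups

# Constructed sample inventory (assumed field names), not real device data.
SAMPLE_INVENTORY = [
    {"name": "cfo-iphone", "os": "iOS", "os_version": "18.6.2", "lockdown_mode": False},
    {"name": "legal-ipad", "os": "iPadOS", "os_version": "18.7", "lockdown_mode": True},
    {"name": "kiosk-ipad", "os": "iPadOS", "os_version": "18.3.2", "lockdown_mode": False},
    {"name": "new-iphone", "os": "iOS", "os_version": "26.1", "lockdown_mode": False},
    {"name": "loaner-ipad", "os": "iPadOS", "os_version": "", "lockdown_mode": False},
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Devices in the "exposed" and "unknown" groups are the ones an MDM access policy should block from corporate resources until they report a patched build.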
The following events may indicate attempted or successful exploitation:
- Unusual spikes in data uploads to unrecognized destinations
- Connections to newly registered or low-reputation domains
- Communication with servers outside the user’s normal geographic pattern
- Unusual system resource consumption
- Large-scale file access or reading
Finally, incident response to a true positive involving DarkSword should include decommissioning the affected device, as kernel-level access may enable exploitation of zero-day vulnerabilities in the bootloader or firmware, indefinitely compromising device security even after a full system reinstallation.