Security News > 2021 > July > Safari Zero-Day Used in Malicious LinkedIn Campaign
Threat actors used a Safari zero-day flaw to send malicious links to government officials in Western Europe via LinkedIn before researchers from Google discovered and reported the vulnerability.
TAG researchers discovered the Safari WebKit flaw, tracked as CVE-​2021-1879, on March 19.
Researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG. "If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next-stage payloads," they wrote.
The campaign targeting iOS devices coincided with others from the same threat actor-which Microsoft has identified as Nobelium-targeting users on Windows devices to deliver Cobalt Strike, researchers wrote.
The campaign loaded web content within IE that contained malicious Office documents, researchers wrote.
At the time, researchers said they were unable to recover the next-stage payload, but successfully recovered the exploit after discovering an early June campaign from the same actors.