Microsoft Highlights Apple Bug Fixed in March Amidst SharePoint Exploits

Unpacking the Spyware Attack Chain: How a SharePoint Flaw Led to Full iPhone and Mac Control

In the world of cybersecurity, the most sophisticated attacks are rarely the result of a single vulnerability. Instead, threat actors often chain together multiple, seemingly unrelated flaws to create a powerful path to compromise a target. A recent, real-world example demonstrates this perfectly, linking a weakness in Microsoft SharePoint to a critical bug in Apple’s operating systems to ultimately install powerful spyware.

This attack highlights a crucial reality for businesses and individuals alike: a security vulnerability in one part of your technology stack can become an open door to compromising a completely different system.

The Two-Part Threat: A Perfect Storm of Vulnerabilities

The attack relied on two distinct exploits working in tandem. Understanding both is key to appreciating the complexity and severity of the threat.

  1. The SharePoint Gateway (CVE-2023-29357): The first stage of the attack targeted a privilege escalation vulnerability in Microsoft SharePoint Server. This flaw was particularly dangerous because it allowed an attacker to gain administrator-level privileges on the server without needing to authenticate. In simple terms, they could become an admin without a password, giving them significant control over the SharePoint environment.

  2. The Apple Takedown (CVE-2023-28205): The second vulnerability was a type confusion bug within Apple’s WebKit, the browser engine that powers Safari and other applications on iOS, iPadOS, and macOS. This flaw could be triggered when a user visited a malicious webpage, allowing an attacker to achieve remote code execution (RCE). RCE is one of the most severe types of vulnerabilities, as it allows a hacker to run their own code on your device, effectively taking it over.

Anatomy of a Chained Exploit

With these two vulnerabilities, attackers devised a devastating attack chain to gain complete control over a target’s Apple device.

  • Step 1: The Initial Breach. The attacker first exploits the SharePoint flaw (CVE-2023-29357). By gaining admin privileges, they establish a strong foothold within the organization’s network.
  • Step 2: Pivoting to the Target. From their new position of power on the server, the attacker can now target specific individuals within the organization. They can manipulate the SharePoint environment to direct a user toward a malicious link.
  • Step 3: Executing the Final Payload. When the user clicks the link, they are taken to a malicious site that triggers the Apple WebKit vulnerability (CVE-2023-28205). This gives the attacker RCE capabilities on the user’s iPhone, iPad, or Mac.
  • Step 4: Full System Compromise. With control of the device, the attacker’s final goal was to install a sophisticated piece of spyware known as “Subzero.” This backdoor gives them persistent access to the device, allowing for total surveillance, data exfiltration, and more.

This campaign is believed to be the work of a commercial spyware vendor—a company that develops and sells these powerful hacking tools to government agencies.

Your Actionable Security Playbook: How to Stay Protected

This complex attack serves as a critical reminder that proactive security is non-negotiable. Waiting for an attack to happen is not a strategy. Here are the essential steps you must take to defend against chained exploits.

  • Update Everything, Immediately. This is the single most important defense. Both vulnerabilities have been patched by their respective vendors. Ensure all Apple devices are updated to at least iOS 16.4.1 and macOS Ventura 13.3.1. Likewise, the SharePoint vulnerability was fixed in Microsoft’s May 2023 Patch Tuesday updates. Timely patching breaks the attack chain.
  • Embrace a “Defense-in-Depth” Strategy. Never rely on a single security tool. A layered approach—combining firewalls, endpoint detection, regular vulnerability scanning, and user training—creates multiple barriers for an attacker. If one layer fails, another is there to stop the threat.
  • Monitor for Anomalous Activity. Keep a close watch on your network and server logs. An attacker exploiting a SharePoint server to gain admin rights will create unusual activity. Detecting this early can prevent the attack from progressing to its final stage.
  • Understand That Ecosystems Are Connected. The biggest lesson here is that a Windows Server vulnerability can directly lead to a compromised iPhone. Security teams must think holistically and recognize that a weakness anywhere in the organization is a threat everywhere in the organization.
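The "Update Everything" step above names concrete floors (iOS 16.4.1, macOS Ventura 13.3.1). The following is an added example, not code from the original article or from either vendor: a small patch-baseline audit that checks a device inventory against exactly those floors and flags anything the article gives no baseline for (iPadOS, older macOS majors) for manual review. The inventory is constructed sample data.

```python
"""Patch-baseline audit for the two Apple floors the article names.

Added example; the inventory below is constructed, not real telemetry.
"""
from __future__ import annotations

# Minimum patched versions per platform, as stated in the article.
BASELINES = {
    "iOS": (16, 4, 1),
    "macOS": (13, 3, 1),  # Ventura; older macOS majors are sent to "review"
}


def parse_version(text: str) -> tuple[int, ...]:
    """'16.4.1' -> (16, 4, 1); '16.4' is padded to (16, 4, 0) for comparison."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def assess(platform: str, version: str) -> str:
    """Return 'ok', 'vulnerable' or 'review' for one device record.

    'review' means the article's floor cannot be applied directly: either the
    platform has no stated baseline, or the macOS major is older than Ventura,
    so a human must confirm that device's own fix level.
    """
    if platform not in BASELINES:
        return "review"
    v, floor = parse_version(version), BASELINES[platform]
    if platform == "macOS" and v[0] < floor[0]:
        return "review"
    return "ok" if v >= floor else "vulnerable"


def audit(inventory: list[dict]) -> dict[str, list[str]]:
    """Group device names by status so the 'vulnerable' list can be actioned first."""
    report: dict[str, list[str]] = {"ok": [], "vulnerable": [], "review": []}
    for device in inventory:
        report[assess(device["platform"], device["version"])].append(device["name"])
    return report


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    {"name": "cfo-iphone", "platform": "iOS", "version": "16.4.1"},
    {"name": "legal-ipad", "platform": "iPadOS", "version": "16.3"},
    {"name": "dev-mbp", "platform": "macOS", "version": "13.3"},
    {"name": "ops-mini", "platform": "macOS", "version": "14.1"},
    {"name": "sales-iphone", "platform": "iOS", "version": "17.0"},
]

if __name__ == "__main__":
    for status, names in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(names) or '-'}")
```

Feeding it a real MDM export instead of the sample list turns the article's patch advice into a daily check: anything in "vulnerable" is still exposed to the WebKit stage of the chain.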

Ultimately, the interconnected nature of modern technology means that security can no longer be managed in silos. Proactive patch management and a comprehensive, layered security posture are not just best practices—they are the essential foundations for defending against the advanced, multi-stage cyberattacks of today.

Source: https://go.theregister.com/feed/www.theregister.com/2025/07/28/microsoft_spots_apple_bug/