CyberSecurity SEE

2 Additional Apple Zero-Days Exploited in Ongoing iOS Spy Campaign

Apple has taken urgent action to address two newly discovered zero-day vulnerabilities in its software. These vulnerabilities have been exploited by an advanced persistent threat (APT) actor in an ongoing iOS spying campaign known as “Operation Triangulation.” In response, Apple has released emergency patches to protect its users from this malware.

Additionally, cybersecurity company Kaspersky has released a report that provides further details on the TriangleDB spyware implant used in the Operation Triangulation campaign. Kaspersky’s analysis revealed some unusual characteristics of the spyware, including disabled features that could potentially be activated at a later time.

The malware currently supports 24 functional commands. These allow the attacker to manipulate files, terminate processes, gather credentials, and monitor the victim’s location. Of particular concern are the abilities to read any file on the infected device, extract passwords from the victim’s keychain, and track the device’s geolocation.

The vulnerabilities that Apple addressed with these emergency patches are part of a set of three zero-days that Kaspersky researchers uncovered during their investigation of Operation Triangulation. The investigation began roughly seven months ago, when Kaspersky noticed suspicious activity from several dozen iOS devices on its corporate Wi-Fi network.

In an earlier report, Kaspersky described how attackers likely exploited multiple vulnerabilities in Apple software to deliver the TriangleDB spyware implant to targeted iOS devices. The researchers identified the first flaw, CVE-2022-46690, as an out-of-bounds issue that allowed an application to execute arbitrary code at the kernel level. The implant itself runs with root privileges and can execute arbitrary code, enabling the collection of system and user information.

By reading files on the infected device, the attackers can access sensitive information, including photos, videos, emails, and messenger app conversations. The keychain dumping feature of TriangleDB allows the attackers to harvest the victim’s passwords and gain unauthorized access to various accounts.

One interesting aspect of the TriangleDB spyware is that it requests multiple privileges, such as access to the microphone, camera, and address book, without currently using this information. Kaspersky suggests that these features may be deployed in future auxiliary modules of the implant.

Furthermore, Kaspersky discovered that the attackers behind TriangleDB are also targeting macOS users. This was revealed through the analysis of the “populateWithFieldsMacOSOnly” method found in the spyware implant. This finding suggests that similar implants could target not only iOS devices but also Mac computers.

Kaspersky believes it was the victim of a targeted attack, but likely not the only one. Russia’s Federal Security Service (FSB) has accused the US National Security Agency (NSA) of collaborating with Apple to install the spyware on thousands of iOS devices belonging to Russian diplomats and individuals affiliated with Russia. The Russian foreign ministry alleges that the campaign is part of a long-standing effort by the US government to collect data at scale without the permission or knowledge of those affected.

Both the NSA and Apple have denied these allegations.

To help organizations detect the TriangleDB implant, Kaspersky has released a utility called “triangle_check.” This tool allows users to search for signs of the spyware on their iOS devices.

Apple’s swift response in releasing emergency patches demonstrates its commitment to protecting its users from malware attacks. As Operation Triangulation continues to evolve, it is crucial for iOS users to remain vigilant and ensure their devices are updated with the latest security patches to mitigate the risk of being targeted by this campaign.
