CyberSecurity SEE

Apple Addresses Zero-Day Exploits Utilized in Kaspersky’s Spyware Attacks


Apple has released patches for two zero-day vulnerabilities that were being actively exploited in the wild to install zero-click spyware on iOS devices. The security update, released on Wednesday, addressed three vulnerabilities in total: CVE-2023-32439, CVE-2023-32434, and CVE-2023-32435. Kaspersky Lab researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin discovered the latter two while investigating suspicious network activity originating from iOS devices belonging to Kaspersky employees.

The campaign, which Kaspersky calls Operation Triangulation, has been active since at least 2019 and was still ongoing at the time of disclosure. The unknown threat actors deliver the Triangulation spyware through zero-click iMessage exploits that chain the two iOS vulnerabilities. If the exploit succeeds, the initial message and the malicious attachment are deleted from the device, which makes the intrusion harder to detect.

Unfortunately, this is not the first time that Apple devices have been targeted with zero-day, zero-click exploits. Spyware and offensive security vendors have focused on iPhone users for several years. In 2021, Citizen Lab discovered NSO Group's Pegasus spyware on the phone of a Saudi activist, a finding that led Apple to file a lawsuit against the Israel-based company two months later.

The Operation Triangulation campaign discovered by Kaspersky chains two vulnerabilities. The first, CVE-2023-32434, is an integer overflow in the iOS kernel that allows an attacker to execute arbitrary code with kernel privileges. The second, CVE-2023-32435, is a memory-corruption flaw in Apple's WebKit browser engine that can likewise lead to arbitrary code execution when processing web content. The third fix shipped in the same update, CVE-2023-32439, is a separate WebKit flaw that was not credited to the Kaspersky team.
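Apple's advisory describes CVE-2023-32434 only as an integer overflow fixed with improved input validation, so the specific arithmetic is not public. The following is an added illustration of the bug class in general, not Apple's kernel code and not anything Kaspersky published: a buffer is sized from two attacker-influenced 32-bit values (a hypothetical record count and per-record size, as might be parsed from an attachment), the product wraps, and the resulting undersized allocation is later overrun. The hardened form rejects the input before the multiplication can wrap. All function and variable names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the integer-overflow bug class, not Apple's code.
 * `count` and `elem_size` stand in for attacker-influenced values parsed
 * from untrusted input; the names are hypothetical. */

/* Vulnerable form: the product is computed in 32 bits and silently wraps,
 * so a huge count can yield a tiny allocation size. Code that then copies
 * `count` records into that buffer writes past its end (heap overflow). */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;            /* wraps modulo 2^32 */
}

/* Hardened form: refuse the request when the true product would not fit.
 * The division test is portable C; with GCC/Clang, __builtin_mul_overflow()
 * does the same job in one call. Returns 0 on success, -1 on overflow. */
int checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;                       /* would wrap: reject the input */
    *out = count * elem_size;
    return 0;
}

/* Reports, without touching memory, whether the wrapped size is smaller
 * than the number of bytes a copy loop over `count` records would write. */
int unchecked_size_is_short(uint32_t count, uint32_t elem_size)
{
    uint64_t needed = (uint64_t)count * elem_size;  /* exact product */
    return needed > unchecked_alloc_size(count, elem_size);
}

int main(void)
{
    /* Constructed inputs: 0x40000001 * 4 = 0x100000004, which wraps to 4. */
    uint32_t evil_count = 0x40000001u, elem = 4, size = 0;

    printf("unchecked size: %u bytes (copy loop needs %llu)\n",
           unchecked_alloc_size(evil_count, elem),
           (unsigned long long)evil_count * elem);
    printf("allocation too short: %s\n",
           unchecked_size_is_short(evil_count, elem) ? "yes" : "no");
    printf("checked version: %s\n",
           checked_alloc_size(evil_count, elem, &size) == 0 ? "accepted"
                                                             : "rejected");
    return 0;
}
```

The same pattern applies wherever a size, offset or length is derived by arithmetic on untrusted values: compute the overflow check on the inputs, or in a wider type, before the narrow result is ever handed to an allocator or used as a loop bound.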

Apple acknowledged that these vulnerabilities may have been actively exploited against versions of iOS released before iOS 15.7, and it released security updates addressing them.

Kucherin, Bezvershenko, and Kuznetsov provided more details on the attack in a blog post. They wrote that, after discovering that Kaspersky employee devices were compromised, it took them about six months to recover as many parts of the exploitation chain as possible. The researchers found an implant, dubbed "TriangleDB", which is deployed purely in memory after the attackers gain root privileges by exploiting a kernel vulnerability, likely CVE-2023-32434; because it never touches the file system, a reboot removes it.

One notable aspect of the attack is the developers' unconventional terminology: they refer to string decryption as "unmunging", which is not a common term in the industry. According to Kucherin, this unusual naming may be an attempt to disguise the code and make it harder for analysts to understand.

Alongside the iOS implant, the researchers also found indications of a macOS variant of the spyware: a method named "populateWithFieldsMacOSOnly" in the implant's configuration class suggests that macOS devices can also be targeted. This finding widens the potential attack surface to other Apple platforms.

Paul Ducklin, a principal research scientist at Sophos, supported this finding and urged caution. He stated that if attackers have discovered how to exploit the vulnerability on iOS, they might already know how to extend their attack to other Apple platforms. Ducklin highlighted the seriousness of the attack, as it required no user interaction and could be triggered remotely over the internet. He also noted that bypassing Apple’s security measures at the kernel level poses significant risks.

Kaspersky’s research on Operation Triangulation is still ongoing, and the vendor plans to release more information about the campaign in the future. At this time, researchers have not been able to attribute the attack to any specific threat actor.

In conclusion, Apple’s release of patches for the two zero-day vulnerabilities exploited in the wild is a crucial step in protecting iOS devices from zero-click spyware. The Operation Triangulation campaign highlights the ongoing threat posed by attackers targeting Apple users. It also emphasizes the need for continuous security updates and a proactive approach to stay ahead of evolving cyber threats. Users are encouraged to install the latest security updates provided by Apple to ensure the safety of their devices and personal data.

