CyberSecurity SEE

Apple releases security updates to patch exploits used in spy campaign called ‘Operation Triangulation’

Apple has issued patches for two iOS vulnerabilities that were already being exploited in a digital espionage campaign known as “Operation Triangulation.” The campaign chained the flaws into a zero-click iMessage exploit that compromised devices without any user interaction. Kaspersky, which discovered the vulnerabilities and reported them to Apple, had disclosed the campaign weeks earlier, describing an advanced persistent threat (APT) actor launching zero-click iMessage exploits against iOS devices in Russia.

According to Apple, the exploited vulnerabilities are a kernel memory-corruption bug (CVE-2023-32434) that lets an app execute arbitrary code with kernel privileges, and a WebKit bug (CVE-2023-32435) that lets maliciously crafted web content execute code. Apple fixed both in iOS 16.5.1, iPadOS 16.5.1, iOS 15.7.7, and iPadOS 15.7.7.

Apple says the attacks have only been observed against versions of iOS released before iOS 15.7. It has nonetheless shipped fixes for both the current branch (iOS 16.5.1) and the older iOS 15 branch (iOS 15.7.7), the latter for devices that cannot run iOS 16. Patches for macOS and watchOS were released alongside the iPhone and iPad updates.
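The practical check that follows from the patch list above is whether each managed device is on a fixed build of its own branch. The script below is an added example, not Apple's or Kaspersky's code: it encodes only the two iOS/iPadOS fixed versions named in the article (16.5.1 and 15.7.7), parses the version strings an MDM export typically carries, and flags devices that still need updating. The inventory rows are constructed sample data; treatment of branches newer than 16 as "unknown" and of branches older than 15 as unfixed is an assumption for the example, to be checked against Apple's release notes.

```python
"""Flag iOS/iPadOS devices that lack the fixes for CVE-2023-32434 and
CVE-2023-32435. Added example; fixed versions are those named in the article.
"""
from __future__ import annotations

# Earliest fixed release per major branch, as listed in the article.
FIXED_VERSIONS: dict[int, tuple[int, int, int]] = {
    16: (16, 5, 1),
    15: (15, 7, 7),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract a dotted numeric version from strings such as 'iOS 16.5.1',
    '15.7' or 'iPadOS 16.5.1 (20F75)' and pad it to (major, minor, patch)."""
    for token in text.strip().split():
        parts = token.split(".")
        if parts and all(p.isdigit() for p in parts):
            nums = tuple(int(p) for p in parts[:3])
            return (nums + (0, 0, 0))[:3]  # type: ignore[return-value]
    raise ValueError(f"no version number found in {text!r}")


def patch_status(version_text: str) -> str:
    """Return 'fixed', 'unfixed' or 'unknown' for one device version string.

    - 16.x and 15.x are compared against the fixed releases above.
    - Branches older than 15 have no fix listed, so they count as unfixed
      (the device must be upgraded to a supported branch).
    - Branches newer than 16 are outside the article's data: 'unknown'
      (assumption for this example: review manually).
    """
    version = parse_version(version_text)
    major = version[0]
    if major in FIXED_VERSIONS:
        return "fixed" if version >= FIXED_VERSIONS[major] else "unfixed"
    if major < min(FIXED_VERSIONS):
        return "unfixed"
    return "unknown"


def unpatched_devices(inventory: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (device, status) pairs for every device not confirmed fixed."""
    report = []
    for name, version_text in inventory:
        status = patch_status(version_text)
        if status != "fixed":
            report.append((name, status))
    return report


# Constructed sample inventory resembling an MDM export (not real devices).
SAMPLE_INVENTORY = [
    ("iphone-exec-01", "iOS 16.5.1 (20F75)"),
    ("iphone-exec-02", "iOS 16.5"),
    ("ipad-legacy-01", "iPadOS 15.7.7"),
    ("ipad-legacy-02", "iPadOS 15.7"),
    ("iphone-old-01", "iOS 14.8.1"),
    ("iphone-beta-01", "iOS 17.0"),
]

if __name__ == "__main__":
    for device, status in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{device}: {status}")
```

Comparison is done on the full (major, minor, patch) tuple rather than on the string, so "15.7" (which pads to 15.7.0) is correctly reported as unfixed even though it looks close to 15.7.7.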

The exploits have been publicly tied to an alleged US spy campaign, but that attribution comes from the Russian government rather than from the researchers. Kaspersky had reported Operation Triangulation as an APT attack that used zero-click iMessage exploits against its own corporate iOS devices. On the same day as Kaspersky's disclosure, Russia’s Federal Security Service (FSB) accused US intelligence agencies of an ongoing spy campaign targeting numerous iOS devices belonging to foreign diplomats and domestic users.

Apple has categorically denied any involvement in the alleged spy campaign. An Apple spokesperson stated, “We have never worked with any government to insert a backdoor into any Apple product and never will.”

Kaspersky’s investigation into Operation Triangulation found that the spyware reached iPhones through an iMessage carrying a malicious attachment that triggered the RCE exploit. The exploit then downloaded further stages to obtain root privileges on the device. With root obtained, a spyware implant known as TriangleDB was deployed into the device’s memory, and the initial iMessage was deleted.

The implant has no persistence mechanism: because it lives only in memory, a restart of the infected device wipes it, and the attackers must run the entire exploitation chain again to re-infect it. The spyware also uninstalls itself automatically after 30 days unless the attackers extend that period.

Kaspersky also found that the spyware monitored specified folders on the infected device for changes, matched file names against attacker-supplied regular expressions, and exfiltrated the files that matched. Kaspersky additionally found indications in the implant that the threat actor may be targeting macOS devices with a similar implant.

In conclusion, Apple has moved quickly to patch the vulnerabilities exploited in Operation Triangulation, releasing updates for iOS, iPadOS, macOS, and watchOS. While the alleged US spy campaign remains under investigation, Apple has denied any involvement and reiterated its commitment to user privacy and security.
