In early summer 2023, Kaspersky discovered an attack on iOS devices. This campaign, called “Operation Triangulation,” uses a sophisticated method to distribute zero-click exploits via iMessage. The goal is to take complete control of the user’s device and data.
Experts from Kaspersky’s Global Research & Analysis Team (GReAT) concluded that the main goal of the threat actors could be to secretly monitor target users, including Kaspersky employees. Due to the complexity of the attack and the closed nature of the iOS ecosystem, a dedicated team was assembled and spent significant time and resources conducting a detailed technical analysis.
“We don’t know who attacked Kaspersky, at least not officially. Kaspersky hasn’t written anything about this and, to caricature a little, it could be both the American and Russian governments. And when I say ‘American’, I mean countries in the Anglo-Saxon world,” explains Fred Raynal, CEO of Quarkslab.
What stands out about this attack is its sophistication. “Zero-click attacks are costly attacks. An attack like this is really very organized. It was designed by people who have significant technological means, it is not accessible to everyone. It inevitably becomes a government’s responsibility,” adds Fred Raynal.
Triangulation: Five vulnerabilities exploited
Kaspersky researchers identified an initial entry point via a vulnerability in the font processing library. The second vulnerability, an extremely powerful and easily exploitable vulnerability in the memory mapping code, allowed threat actors to access the device’s physical memory. In addition, attackers exploited two additional vulnerabilities to bypass the hardware security features of Apple’s latest processor.
Kaspersky also discovered that in addition to being able to remotely infect Apple devices via iMessage without user intervention, the attackers also had a platform to carry out attacks via the Safari web browser. This led to the discovery and fix of a fifth vulnerability.
Once the malicious code (implant) is present on the phone, attackers can access all the content and monitor what the user does: their GPS location, their photos, their messages, their calls, etc.
iOS, a black box in which spyware can hide
In a series of four posts published on LinkedIn, Fred Raynal analyzed the modus operandi of the “Triangulation” operation. He explains why he wrote these publications: “I wanted to show that there are attacks on the iPhone, contrary to the discourse of Apple and its community that claims that if you own an iPhone you are not under attack. But they are simply not the same attackers and not the same attack modes as on Android.”
Eugene Kaspersky, founder and CEO of the company of the same name, points in the same direction in a blog post dated June 1, 2023: “We believe that the main reason for this incident is the closed nature of iOS. This operating system is a ‘black box’, where spyware like Triangulation can hide for years. Detecting and analyzing such threats is complicated by Apple’s monopoly on search tools, making it an ideal haven for spyware.”
“In other words, as I have said more than once, users have the illusion of security associated with the complete opacity of the system. Cybersecurity experts don’t know what’s really going on in iOS. The lack of news about the attacks does not mean the impossibility of the attacks themselves – as we have just seen,” adds the Kaspersky founder.
Apple has officially released security updates that address four zero-day vulnerabilities discovered by Kaspersky researchers (CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, CVE-2023-41990). These vulnerabilities affect a variety of Apple products, including iPhones, iPods, iPads, macOS devices, Apple TV, and Apple Watch.
“The hardware security features of devices with newer Apple chips make them significantly more resilient to cyberattacks. But they are not immune. Operation Triangulation reminds you to exercise caution when handling iMessage attachments from unknown sources. The strategies used in Operation Triangulation provide us with valuable insights and remind us that a balance between data protection and system accessibility can help improve security,” concludes Boris Larin, lead security researcher at Kaspersky’s GReAT.
To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Regularly update your operating system, applications, and antivirus software to patch known vulnerabilities.
- Be wary of emails, messages or calls asking for sensitive information. Verify the sender’s identity before revealing personal information or clicking on suspicious links.
- Give your SOC access to the latest threat intelligence.
- Upskill your cybersecurity team with training so they can deal with the latest targeted threats.
- Implement EDR solutions for endpoint detection, investigation, and rapid incident resolution.
Originally posted 2023-11-12 23:50:22.