The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company.
Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as the “most sophisticated attack chain” it has ever observed to date. The campaign is believed to have been active since 2019.
The exploitation activity involved the use of four zero-day flaws that were fashioned into a chain to obtain an unprecedented level of access and backdoor target devices running iOS versions up to iOS 16.2 with the ultimate goal of gathering sensitive information.
From USER to ADMIN: Learn How Hackers Gain Full Control
Discover the secret tactics hackers use to become admins, how to detect and block it before it’s too late. Register for our webinar today.
Join Now
The starting point of the zero-click attack is an iMessage bearing a malicious attachment, which is automatically processed sans any user interaction to ultimately obtain elevated permissions and deploy a spyware module. Specifically, it involves the weaponization of the following vulnerabilities –
- CVE-2023-41990 – A flaw in the FontParser component that could lead to arbitrary code execution when processing a specially crafted font file, which is sent via iMessage. (Addressed in iOS 15.7.8 and iOS 16.3)
- CVE-2023-32434 – An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges. (Addressed in iOS 15.7.7, iOS 15.8, and iOS 16.5.1 )
- CVE-2023-32435 – A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content. (Addressed in iOS 15.7.7 and iOS 16.5.1)
- CVE-2023-38606 – An issue in the kernel that permits a malicious app to modify sensitive kernel state. (Addressed in iOS 16.6)
It’s worth noting that patches for CVE-2023-41990 were released by Apple in January 2023, although details about the exploitation were only made public by the company on September 8, 2023, the same day it shipped iOS 16.6.1 to resolve two other flaws (CVE-2023-41061 and CVE-2023-41064) that were actively abused in connection with a Pegasus spyware campaign.
This also brings the tally of the number of actively exploited zero-days resolved by Apple since the start of the year to 20.
Of the four vulnerabilities, CVE-2023-38606 deserves a special mention as it facilitates a bypass of hardware-based security protection for sensitive regions of the kernel memory by leveraging memory-mapped I/O (MMIO) registers, a feature that was never known or documented until now.
The exploit, in particular, targets Apple A12-A16 Bionic SoCs, singling out unknown MMIO blocks of registers that belong to the GPU coprocessor. It’s currently not known how the mysterious threat actors behind the operation learned about its existence. Also unclear is whether it was developed by Apple or it’s a third-party component like ARM CoreSight.
To put it in another way, CVE-2023-38606 is the crucial link in the exploit chain that’s closely intertwined with the success of the Operation Triangulation campaign, given the fact that it permits the threat actor to gain total control of the compromised system.
“Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake,” security researcher Boris Larin said. “Because this feature is not used by the firmware, we have no idea how attackers would know how to use it.”
“Hardware security very often relies on ‘security through obscurity,’ and it is much more difficult to reverse-engineer than software, but this is a flawed approach, because sooner or later, all secrets are revealed. Systems that rely on “security through obscurity” can never be truly secure.”
The development comes as the Washington Post reported that Apple’s warnings in late October about Indian journalists and opposition politicians may have been targeted by state-sponsored spyware attacks prompted the government to question the veracity of the claims and describe them as a case of “algorithmic malfunction” within the tech giant’s systems.
In addition, senior administration officials demanded that the company soften the political impact of the warnings and pressed the company to provide alternative explanations as to why the warnings may have been sent. So far, India has neither confirmed nor denied using spyware such as those by NSO Group’s Pegasus.
Citing people with knowledge of the matter, the Washington Post noted that “Indian officials asked Apple to withdraw the warnings and say it had made a mistake,” and that “Apple India’s corporate communications executives began privately asking Indian technology journalists to emphasize in their stories that Apple’s warnings could be false alarms” to shift the spotlight away from the government.