Apple released patches for two zero-day vulnerabilities that were exploited in the wild to install zero-click spyware on iOS devices.
In a security update Wednesday, Apple addressed three actively exploited vulnerabilities tracked as CVE-2023-32439, CVE-2023-32434 and CVE-2023-32435. The latter two were submitted by Kaspersky Lab researchers Georgy Kucherin, Leonid Bezvershenko and Boris Larin, who discovered the flaws while investigating suspicious activity originating from Kaspersky employee iOS devices.
Earlier this month, Kaspersky published research on a spyware campaign the vendor named “Operation Triangulation,” which began in 2019 and remains ongoing. During attacks, unknown threat actors deploy Triangulation spyware through iMessage zero-click exploits using two iOS vulnerabilities. If successful, the initial message and the exploit in the attachment is deleted.
This is not the first time Apple devices were attacked with a zero-day, zero-click exploit, as spyware and offensive security vendors have targeted iPhone users for years. In 2021, The Citizen Lab discovered NSO Group’s Pegasus spyware on the phone of a Saudi activist. Two months later, Apple initiated a lawsuit against the Israeli-based technology company.
The Operation Triangulation campaign against Kaspersky chains two vulnerabilities together.
The first, tracked as CVE-2023-32434, is an integer overflow flaw that could allow attackers to execute arbitrary code with kernel privileges. CVE-2023-32435 could also lead to arbitrary code execution, but it affects Apple’s Webkit browser engine.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7,” Apple wrote in the security update.
Additional information on the “sophisticated attack” was provided in a blog post Wednesday by Kucherin, Bezvershenko and fellow Kaspersky researcher Igor Kuznetsov. After discovering Kaspersky employee devices were comprised, it took researchers half a year to retrieve as many parts of the exploitation chain as possible.
Part of the chain includes an implant Kaspersky dubbed “TriangleDB,” which is deployed in memory after the attackers obtain root privileges to targeted iOS devices by exploiting a kernel vulnerability, likely CVE-2023-32434. The blog post emphasized that since TriangleDB is deployed in memory, all traces of the implant are lost when the device gets rebooted.
“Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers,” Kucherin, Bezvershenko and Kuznetsov wrote in the blog.
One section of Wednesday’s blog post was dedicated to “odd findings” that highlighted the campaign’s unusual code terminology.
Researchers named TriangleDB after the database terminology they observed being used throughout the code. Another curious aspect was how the spyware developers’ code referred to string decryption as “unmunging” and what that may mean. Kucherin told TechTarget Editorial that it’s common for malware developers to encrypt strings used in code to disguise them from analysts.
“While operating, the malware has to disguise these strings in order to use them. This process is commonly called ‘string decryption’, however, the developers of the TriangleDB code called it ‘string unmunging,'” Kucherin said. “This fact indicates that the developers use quite unusual terminology while referring to various functionalities of the spyware, however it remains unknown why they use such an obscure terminology.”
Expanding attack surface
In addition to odd terminology, researchers also discovered indications of a Mac version of this exploit. Kucherin said they are currently analyzing more components that could reveal additional details about the Mac version of spyware.
“While analyzing TriangleDB, we found that the class CRConfig (used to store the implant’s configuration) has a method named populateWithFieldsMacOSOnly,” the blog post stated. “This method is not called anywhere in the iOS implant; however, its existence means that macOS devices can also be targeted with a similar implant.”
Paul Ducklin, principal research scientist at Sophos, supported that finding in a blog post Thursday that addressed the risks posed by Operation Triangulation. Because Apple patched every system against the vulnerable kernel hole, Ducklin said, “it’s wise to assume” that if attackers discovered how to exploit the flaw on iOS, “they might already have a very good idea of how to extend their attack to other Apple platforms.”
Many aspects of the campaign led Ducklin to believe the attackers had prior knowledge of the zero-day exploits. For one, the zero-click exploit required no user interaction, plus the flaws could be triggered remotely over the internet.
Secondly, Ducklin said, Apple has security measures in place such as kernels that are intended to guard the devices from this type of attack.
“Usually, bypassing both Apple Store restrictions and app separation rules means finding some sort of kernel-level zero-day bug,” Ducklin wrote in the blog. “Therefore, pwning the kernel generally means the attackers get to sidestep many or most of the security controls on the device, resulting in the broadest and most dangerous sort of compromise.”
Kaspersky’s research remains ongoing and Kucherin said the vendor plans to release more information about the campaign in the future. As for attribution for Operation Triangulation, researchers are currently unable to link the attack to any existing threat actor.
Arielle Waldman is a Boston-based reporter covering enterprise security news.