Months after blowing the whistle on a sophisticated campaign that dropped full-featured spyware onto iPhones, researchers have disclosed more about the attack's complex exploit chain that abused four separate vulnerabilities.
Among the findings is that the zero-click attacks took advantage of a flaw in an undocumented Apple hardware security feature.
This enabled the attackers to manipulate the contents of secure memory and ultimately gain full control of iPhones, and potentially of other Apple devices.
Kaspersky presented its findings at the 37th Chaos Communication Congress in Hamburg, Germany, on Dec. 27 and, on the same day, its Global Research and Analysis Team published a research post outlining its discoveries.
The vulnerability, tracked as CVE-2023-38606, has since been patched by Apple, as have the three other bugs in the Operation Triangulation exploit chain: CVE-2023-41990, CVE-2023-32434, and CVE-2023-32435.
The Operation Triangulation attacks began with the threat actors sending a malicious iMessage containing an attachment to the target iPhone, which was processed without the user being aware of it.
The iMessage attachment exploited CVE-2023-41990, a remote code execution vulnerability in the Apple-only ADJUST TrueType font instruction.
Once the exploit chain was complete, and the spyware was installed, the attackers had complete control of their target's device, allowing them to carry out a range of espionage activities including transmitting the phone's contents to their servers.
Although the spyware was wiped when the phone was rebooted, that did not stop the attackers reloading the malware and taking control of the device again.
Kaspersky discovered the malware was designed to work on macOS devices, iPads, Apple TVs and Apple Watches as well as iPhones.
CoreSight is the debug-and-trace architecture used by chipmaker Arm, an Apple supplier.
This Cyber News was published on packetstormsecurity.com. Publication date: Thu, 28 Dec 2023 16:13:05 +0000