Targeted attacks
Operation Triangulation: the final mystery.
Last June, we published a series of reports on Operation Triangulation, a previously unknown iOS malware platform distributed via zero-click iMessage exploits that allowed an attacker to browse and modify device files, get passwords and credentials stored in the keychain, retrieve geo-location information and execute additional modules that extended their control over compromised devices.
In late December, in a presentation at the 37th Chaos Communication Congress, experts from our Global Research and Analysis Team described the attack chain in detail, including - for the first time - how the attackers exploited the CVE-2023-38606 hardware vulnerability.
Recent iPhone models include additional hardware-based security that prevents attackers from taking full control over the device even if they can read and write kernel memory - as was accomplished in the Operation Triangulation attack by exploiting the CVE-2023-32434 vulnerability.
The attackers were able to bypass this hardware-based security protection using another hardware feature of Apple-designed SoCs: they did this by writing the data, destination address and data hash to unknown hardware registers of the chip that are not used by the firmware.
Since this hardware feature is not used by the firmware, we have no idea how the attackers learned to use it.
A lightweight method for detecting potential iOS malware.
Over the past few years, our researchers have analyzed Pegasus malware infections on several iOS devices.
The common methods for analyzing an iOS mobile infection are either to examine an encrypted full iOS backup or to analyze the network traffic of the affected device.
In early October 2023, after ESET published an article about a campaign dubbed Operation Jacana targeting Windows users, we discovered a new Linux version of DinodasRAT. The code and networking IoCs overlap with the Windows samples described by ESET that were used in attacks against government entities in Guyana.
This RAT allows an attacker to surveil and harvest sensitive data from a target computer.
Recently, we found a new macOS malware family that was piggybacking on cracked software in order to steal crypto wallets.
Cracked applications are one of the easiest ways for attackers to get malware onto people's computers: to elevate their privileges, they only need to ask for the password, which usually arouses no suspicion during software installation.
Some of the things the malware authors came up with, such as placing their Python script inside a domain TXT record on the DNS server, were ingenious.
In a recent investigation, we came across new malware called Coyote that targets customers of more than 60 banking institutions, mainly from Brazil.
Network tunneling with QEMU.
Cyber attackers often use legitimate tools to evade detection systems and keep development costs to a minimum.
To gain a foothold inside a compromised infrastructure and develop the attack, adversaries can use previously installed malware or connect to the network through the company's RDP servers or corporate VPN. Another way to connect to the internal network of an attacked organization is to use utilities to set up network tunnels or forward network ports between corporate systems and the adversary's servers, allowing attackers to bypass NAT and firewalls to gain access to internal systems.
Others use a proxy, which hides the IP address of the attacker's server.
We analyzed the artifacts and found that the adversary had deployed and launched the Angry IP Scanner network scanning utility; Mimikatz, a tool for extracting passwords, hashes and Kerberos tickets and for attacking Active Directory; and the QEMU hardware emulator.
While the use of legitimate tools to perform various attack steps is nothing new to incident response professionals, attackers sometimes come up with ingenious uses for unlikely software, as was the case with QEMU. This underscores the need for multi-level protection that includes both reliable endpoint protection and specialized solutions to detect and protect against complex and targeted attacks, including human-operated ones.
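The following Python triage routine is an added example and not code from the Securelist report or from the incident described. It shows the kind of check an incident responder can run over endpoint process-creation events to separate QEMU started as a virtual machine from QEMU started only as a network tunnel: it relies solely on documented QEMU options (a `-netdev socket` backend with `connect=`, the `-m` memory size, `-nographic`, and the disk and kernel image options) and goes a little beyond the single case in the text by scoring several independent signals. The event records, hostnames and the 203.0.113.10 endpoint are constructed sample data.

```python
"""Heuristic triage of process-creation events for QEMU used as a tunnel.

Added example (not the report's code). Scores QEMU command lines on
documented QEMU options only; the sample events below are constructed.
"""
import ipaddress
import re
import shlex

# qemu-system-<arch> binaries on Windows or Unix paths.
QEMU_BIN = re.compile(r"(?:^|[\\/])qemu-system-\w+(?:\.exe)?$", re.IGNORECASE)
# Options that give the guest something to actually boot or run.
GUEST_IMAGE_OPTS = {"-hda", "-hdb", "-drive", "-cdrom", "-kernel", "-initrd", "-pflash", "-sd"}
# Address ranges treated as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample events: (hostname, process command line).
SAMPLE_EVENTS = [
    ("ws-01", r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -hda C:\vm\dev.qcow2 '
              r'-m 4096 -netdev user,id=n0 -device e1000,netdev=n0'),        # developer VM
    ("ws-02", r'C:\Users\Public\q\qemu-system-i386.exe -m 1M '
              r'-netdev socket,id=s0,connect=203.0.113.10:443 -nographic'),  # no guest, just a link
    ("ws-03", r'C:\Windows\System32\notepad.exe'),                          # unrelated process
]


def _mem_mb(value):
    """Parse QEMU's -m argument ('1M', '512', '4G', 'size=2G', ...) into MiB."""
    value = value.split(",")[0]
    if value.startswith("size="):
        value = value[5:]
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", value)
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2).lower()
    return {"k": n / 1024, "": n, "m": n, "g": n * 1024}[unit]


def _is_internal(host):
    """True for RFC1918/loopback literals; hostnames are treated as external (assumption)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage_qemu_cmdline(cmdline):
    """Return (score, reasons, remote) for one command line; score 0 = not interesting."""
    try:
        argv = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:
        return 0, ["unparseable command line"], None
    if not argv or not QEMU_BIN.search(argv[0].strip('"')):
        return 0, [], None

    # Collect "-option value" pairs; bare flags such as -nographic get a None value.
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            val = nxt if nxt is not None and not nxt.startswith("-") else None
            opts.setdefault(tok, []).append(val)
            i += 2 if val is not None else 1
        else:
            i += 1

    reasons, remote = [], None
    # 1. A socket backend that connects outward is the far end of a tunnel.
    for nd in opts.get("-netdev", []):
        if nd and nd.startswith("socket,"):
            m = re.search(r"connect=([^,:]+):(\d+)", nd)
            if m:
                remote = (m.group(1), int(m.group(2)))
                reasons.append(f"outbound socket netdev to {m.group(1)}:{m.group(2)}")
                if not _is_internal(m.group(1)):
                    reasons.append("remote endpoint is outside internal ranges")
    # 2. Nothing for the guest to run: no disk, kernel or firmware image.
    if not any(o in opts for o in GUEST_IMAGE_OPTS):
        reasons.append("no guest image supplied")
    # 3. Memory far too small for any real guest OS.
    for mv in opts.get("-m", []):
        mb = _mem_mb(mv) if mv else None
        if mb is not None and mb < 64:
            reasons.append(f"tiny guest memory ({mv})")
    # 4. Headless run with no console for a human to use.
    if "-nographic" in opts or "none" in opts.get("-display", []):
        reasons.append("headless")
    return len(reasons), reasons, remote


def triage_events(events):
    """Return [(host, score, reasons, remote)] for events that scored, highest first."""
    hits = []
    for host, cmdline in events:
        score, reasons, remote = triage_qemu_cmdline(cmdline)
        if score:
            hits.append((host, score, reasons, remote))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for host, score, reasons, remote in triage_events(SAMPLE_EVENTS):
        print(f"{host}: score {score}, remote {remote}: {'; '.join(reasons)}")
```

The developer VM on ws-01 scores zero because it boots a disk image with realistic memory and only a user-mode NIC, while ws-02 collects every signal; in practice the score threshold and the internal address ranges should be tuned to the environment, and a hit should be followed by the usual pivots (parent process, file path, outbound connection logs) rather than acted on alone.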
This Cyber News was published on securelist.com. Publication date: Mon, 03 Jun 2024 10:13:05 +0000