An undocumented hardware feature in an Apple system-on-a-chip was abused to bypass hardware-based security protections and take over devices in attacks that targeted the iPhones of dozens of Kaspersky senior employees earlier this year, the Russian cybersecurity vendor reports.
As part of the attacks, which are referred to as 'Operation Triangulation', multiple iOS zero-day vulnerabilities were exploited to execute code and install spyware on the target devices.
Dubbed TriangleDB, the spyware implant was designed to be as stealthy as possible, with the infection chain involving multiple checks and log-erasing actions to prevent the malware's identification.
Apple released patches for three of the exploited vulnerabilities in June and July, noting that the issues may have been actively exploited against iOS versions released before iOS 15.7.
Previously, Kaspersky explained that the attacks employed malicious iMessage attachments that would exploit a remote code execution zero-day and deploy TriangleDB without user interaction.
Two other zero-day flaws were also exploited in the infection chain: a remote code execution issue in the Apple-only ADJUST TrueType font instruction and a bypass of hardware-based security protections.
The exploited feature, the cybersecurity firm says, was likely intended for debugging purposes or might have been included by error, as it is undocumented and was previously unknown.
The MMIO registers written to in the attack do not fall within any of the known MMIO ranges of the peripheral devices in Apple products, which are defined and stored in the special file format called DeviceTree.
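The comparison Kaspersky describes, checking whether an MMIO register address lies inside any peripheral range the DeviceTree declares, is a small triage step worth having as code. The example below is added here and is not from the article or from Kaspersky; the peripheral names, base addresses, sizes and accessed addresses are constructed for illustration and are not real Apple SoC values or the registers used in the attack. It does not parse Apple's binary DeviceTree format; it assumes the `(node, base, size)` triples have already been extracted from the `reg` properties.

```python
"""Flag MMIO accesses that no declared peripheral range in a DeviceTree covers.

All addresses and node names here are constructed for the example; they are
not the real ranges of any Apple SoC and not the registers used in the attack.
"""
from bisect import bisect_right
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class MmioRange:
    node: str   # DeviceTree node the range belongs to (constructed name)
    base: int   # physical base address
    size: int   # length in bytes; the range covers [base, base + size)

    @property
    def end(self) -> int:
        return self.base + self.size


# Constructed stand-in for the ranges a DeviceTree would declare for peripherals.
KNOWN_RANGES: List[MmioRange] = [
    MmioRange("uart0", 0x235200000, 0x4000),
    MmioRange("gpio", 0x23C100000, 0x100000),
    MmioRange("aic", 0x23B100000, 0x8000),
    MmioRange("pmgr", 0x23B700000, 0x100000),
]

# Constructed (address, access width in bytes) pairs, as a trace of MMIO writes might yield.
SAMPLE_ACCESSES: List[Tuple[int, int]] = [
    (0x235200010, 4),   # inside uart0
    (0x23B107FFC, 4),   # last 32-bit word of aic: still declared
    (0x23B108000, 4),   # first byte past the end of aic: undeclared
    (0x210000000, 8),   # below every declared range: undeclared
]


def _sorted_ranges(ranges: Iterable[MmioRange]) -> List[MmioRange]:
    """Sort by base and reject overlaps, which would make the lookup ambiguous."""
    rs = sorted(ranges, key=lambda r: r.base)
    for a, b in zip(rs, rs[1:]):
        if a.end > b.base:
            raise ValueError(f"overlapping ranges: {a.node} and {b.node}")
    return rs


def lookup(addr: int, width: int, ranges: Iterable[MmioRange]) -> Optional[str]:
    """Return the node whose range fully contains the width-byte access at addr, else None.

    An access that starts inside a range but runs past its end is treated as
    undeclared, so a register straddling a boundary is never silently accepted.
    """
    rs = _sorted_ranges(ranges)
    bases = [r.base for r in rs]
    i = bisect_right(bases, addr) - 1      # last range whose base is <= addr
    if i < 0:
        return None
    r = rs[i]
    return r.node if addr + width <= r.end else None


def undeclared_accesses(accesses: Iterable[Tuple[int, int]],
                        ranges: Iterable[MmioRange]) -> List[Tuple[int, int]]:
    """Keep only the accesses that no declared range covers."""
    return [(a, w) for a, w in accesses if lookup(a, w, ranges) is None]


if __name__ == "__main__":
    for addr, width in undeclared_accesses(SAMPLE_ACCESSES, KNOWN_RANGES):
        print(f"undeclared MMIO access: {addr:#x} ({width} bytes)")
```

Feeding real extracted ranges and a real access trace into `undeclared_accesses` reproduces the observation in the paragraph above: any hit is a register the DeviceTree does not account for and deserves a closer look.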
In June, on the same day that Kaspersky disclosed the iOS zero-click attacks, Russia's Federal Security Service blamed the US National Security Agency for a spy campaign targeting thousands of iOS devices.
This Cyber News was published on www.securityweek.com. Publication date: Thu, 28 Dec 2023 12:13:05 +0000