The Operation Triangulation attacks are abusing undocumented functions in Apple chips to circumvent hardware-based security measures.
A previously undocumented hardware feature in the System on a Chip of Apple's iPhones is used in the exploitation of multiple vulnerabilities, eventually letting attackers bypass hardware-based memory protection.
The Operation Triangulation iOS cyberespionage campaign has been active since 2019 and has chained multiple zero-day vulnerabilities to bypass security measures in iPhones, posing a persistent risk to users' privacy and security.
Targets have included Russian diplomats and other officials, as well as private enterprises such as Kaspersky itself.
In June, Kaspersky released a report with additional details on the TriangleDB spyware implant used in the campaign, highlighting numerous unique capabilities, including features that are present but disabled and could be activated in the future.
The zero-click attack is delivered through the iPhone's iMessage app and works against iOS versions up to iOS 16.2.
When it was first seen, it was chaining four zero-day vulnerabilities in an intricately layered, multi-stage attack.
Inside the 'Operation Triangulation' Zero-Click Mobile Attack
The attack begins with the attackers sending the victim a malicious iMessage attachment, which is processed without any user interaction and exploits the remote code execution vulnerability CVE-2023-41990.
That exploit targets the undocumented, Apple-only ADJUST TrueType font instruction, which had existed since the early 1990s until Apple's patch removed it.
The attack sequence then uses return/jump oriented programming and multiple stages written in the NSExpression/NSPredicate query language to patch the JavaScriptCore library environment so that it executes a privilege escalation exploit written in JavaScript.
That JavaScript exploit, roughly 11,000 lines of code, is carefully obfuscated to conceal its content.
The JavaScript exploit uses JavaScriptCore's debugging feature DollarVM ($vm) to manipulate JavaScriptCore's memory from the script and to call native API functions. It then exploits an integer overflow vulnerability, tracked as CVE-2023-32434, in XNU's memory mapping syscalls to obtain read/write access to the entire physical memory of the device from user mode.
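The bug class behind that step, an integer overflow in the range check of a memory-mapping request, is worth seeing side by side with its fix. The following is an added illustration written for this page, not code from the Kaspersky report and not XNU's actual code: the request layout, the 1 MiB object size and the function names are all constructed for the example. The vulnerable check computes offset + size in 64-bit arithmetic and compares the wrapped result against the object size, so a caller-chosen size that wraps the sum to a small value passes; the hardened check detects the wrap explicitly before comparing.

```c
/*
 * Added example, not code from the Kaspersky report or from XNU: a generic
 * illustration of an integer overflow in a memory-mapping range check.
 * OBJECT_SIZE, the (offset, size) request shape and both function names are
 * constructed for this example only.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a 1 MiB backing object that callers may map. */
#define OBJECT_SIZE ((uint64_t)1 << 20)

/* Vulnerable: offset + size can wrap around 2^64, so a huge size passes. */
bool range_ok_vulnerable(uint64_t offset, uint64_t size)
{
    uint64_t end = offset + size;            /* may wrap to a small value  */
    return size != 0 && end <= OBJECT_SIZE;  /* a wrapped end passes this  */
}

/* Hardened: reject the request if offset + size overflows, then compare. */
bool range_ok_hardened(uint64_t offset, uint64_t size)
{
    uint64_t end;
    if (size == 0)
        return false;
    if (__builtin_add_overflow(offset, size, &end))
        return false;                        /* offset + size wrapped      */
    return end <= OBJECT_SIZE;
}

int main(void)
{
    /* A legitimate request: map 4 KiB at offset 4 KiB. Both checks accept it. */
    printf("valid    vulnerable=%d hardened=%d\n",
           range_ok_vulnerable(0x1000, 0x1000), range_ok_hardened(0x1000, 0x1000));

    /* An attacker-chosen size that makes offset + size wrap to exactly 0. */
    uint64_t evil = UINT64_MAX - 0x1000 + 1;
    printf("wrapping vulnerable=%d hardened=%d\n",
           range_ok_vulnerable(0x1000, evil), range_ok_hardened(0x1000, evil));
    return 0;
}
```

`__builtin_add_overflow` is available in both GCC and Clang; on compilers without it, the equivalent portable test is `size > OBJECT_SIZE || offset > OBJECT_SIZE - size`, which never forms the sum at all.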
To bypass the Page Protection Layer (PPL), the exploit uses hardware memory-mapped I/O (MMIO) registers, the undocumented hardware feature noted above; this was exploited as a zero-day by the Operation Triangulation group and was eventually addressed by Apple as CVE-2023-38606.
At this point the exploit has enough control to do whatever the attackers want, but they chose to first launch the IMAgent process and inject a payload that clears the traces of exploitation from the device.
They then start an invisible Safari process that is redirected to a Web page hosting the next stage of the exploit.
The Web page verifies the victim and, if that check passes, triggers a Safari exploit that uses CVE-2023-32435 to execute a shellcode.
This shellcode runs yet another kernel exploit, delivered as a Mach object file, that leverages two of the same CVEs used in the prior stages, CVE-2023-32434 and CVE-2023-38606.
After obtaining root privileges, the attackers run additional stages that eventually install the spyware.
A Growing Sophistication in iPhone Cyberattacks
The report noted that the intricate, multi-stage attack represents an unprecedented level of sophistication, exploiting a variety of vulnerabilities across iOS devices and raising concern about the evolving threat landscape.
Kaspersky's researchers recommend that security teams update their operating systems, applications, and antivirus software regularly; patch any known vulnerabilities; and give their SOC teams access to the latest threat intelligence.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 29 Dec 2023 16:21:34 +0000