CyberSecurityBoard
Sponsor Register Login

Operation Triangulation: The last mystery

After exploiting all the vulnerabilities, the JavaScript exploit can do whatever it wants to the device including running spyware, but the attackers chose to: launch the IMAgent process and inject a payload that clears the exploitation artefacts from the device; run a Safari process in invisible mode and forward it to a web page with the next stage.
The web page has a script that verifies the victim and, if the checks pass, receives the next stage: the Safari exploit.
The Safari exploit uses CVE-2023-32435 to execute a shellcode.
The shellcode executes another kernel exploit in the form of a Mach object file.
The exploit obtains root privileges and proceeds to execute other stages, which load spyware.
We are almost done reverse-engineering every aspect of this attack chain, and we will be releasing a series of articles next year detailing each vulnerability and how it was exploited.
While analyzing the exploit used in the Operation Triangulation attack, I discovered that most of the MMIOs used by the attackers to bypass the hardware-based kernel memory protection do not belong to any MMIO ranges defined in the device tree.
The exploit targets Apple A12-A16 Bionic SoCs, targeting unknown MMIO blocks of registers that are located at the following addresses: 0x206040000, 0x206140000, and 0x206150000.
Let us take a look at how they correlate with the regions used by the exploit.
Correlation of the gfx-asc MMIO ranges and the addresses used by the exploit.
To be more precise, the exploit uses the following unknown addresses: 0x206040000, 0x206140008, 0x206140108, 0x206150020, 0x206150040, and 0x206150048.
Pseudocode for the GFX power manager control code from the exploit.
It is touched only during the initialization and finalization stages of the exploit: it is the first register to be set during initialization and the last one, during finalization.
From my experience, it was clear that the register either enabled/disabled the hardware feature used by the exploit or controlled interrupts.
Below, you can see the reverse-engineered code of the exploit that I was able to recognize.
Pseudocode for the usage of the, 0x206040000 register by the exploit.
Let us look at the remaining unknown registers used by the exploit.
The registers 0x206140008 and 0x206140108 control enabling/disabling and running the hardware feature used by the exploit.
Pseudocode for the usage of the 0x206140008 and 0x206140108 registers by the exploit.
Pseudocode for the usage of the 0x206150040 and 0x206150048 registers by the exploit.


This Cyber News was published on securelist.com. Publication date: Wed, 27 Dec 2023 14:13:05 +0000


Cyber News related to Operation Triangulation: The last mystery

'Operation Triangulation' Spyware Attackers Bypass iPhone Memory Protections - The Operation Triangulation attacks are abusing undocumented functions in Apple chips to circumvent hardware-based security measures. A previously undocumented hardware feature within Apple's iPhone System on a Chip allows for exploitation of ...
1 year ago Darkreading.com
Malware report Q1 2024 - Targeted attacks Operation Triangulation: the final mystery. Last June, we published a series of reports on Operation Triangulation, a previously unknown iOS malware platform distributed via zero-click iMessage exploits that allowed an attacker to ...
8 months ago Securelist.com
The law enforcement operations targeting cybercrime in 2023 - In 2023, we saw numerous law enforcement operations targeting cybercrime operations, including cryptocurrency scams, phishing attacks, credential theft, malware development, and ransomware attacks. While some of these operations were more successful ...
1 year ago Bleepingcomputer.com
iPhone Triangulation attack abused undocumented hardware feature - The Operation Triangulation spyware attacks targeting iPhone devices since 2019 leveraged undocumented features in Apple chips to bypass hardware-based security protections. This finding comes from Kaspersky analysts who have been reverse-engineering ...
1 year ago Bleepingcomputer.com
Operation Triangulation: The last mystery - After exploiting all the vulnerabilities, the JavaScript exploit can do whatever it wants to the device including running spyware, but the attackers chose to: launch the IMAgent process and inject a payload that clears the exploitation artefacts from ...
1 year ago Securelist.com
FBI disrupts Blackcat ransomware operation, creates decryption tool - The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys. On December 7th, BleepingComputer first reported that the ALPHV, aka ...
1 year ago Bleepingcomputer.com
iPhone 0-click spyware campaign 'Triangulation' detailed - Months after blowing the whistle on a sophisticated campaign that dropped full-featured spyware onto iPhones, researchers have disclosed more about the attack's complex exploit chain that abused four separate vulnerabilities. Among the finding are ...
1 year ago Packetstormsecurity.com
Apple issued another patch to stop TriangleDB cyber snooping The Register - Apple pushed several security fixes on Wednesday, including one for all iPhone and iPads used before September last year that has already been exploited by cyber snoops. The vulnerability, tracked as CVE-2023-32434, "May have been actively exploited ...
1 year ago Theregister.com
CVE-2024-53169 - In the Linux kernel, the following vulnerability has been resolved: nvme-fabrics: fix kernel crash while shutting down controller The nvme keep-alive operation, which executes at a periodic interval, could potentially sneak in while shutting down a ...
1 month ago Tenable.com
LockBit ransomware now poaching BlackCat, NoEscape affiliates - The LockBit ransomware operation is now recruiting affiliates and developers from the BlackCat/ALPHV and NoEscape after recent disruptions and exit scams. Last week, the NoEscape and the BlackCat/ALPHV ransomware operation's Tor websites suddenly ...
1 year ago Bleepingcomputer.com
Russian Cyberattackers Launch Multiphase PsyOps Campaign - Russia-linked threat actors employed both PysOps and spear-phishing to target users over several months at the end of 2023 in a multiwave campaign aimed at spreading misinformation in Ukraine and stealing Microsoft 365 credentials across Europe. The ...
11 months ago Darkreading.com
CVE-2024-53102 - In the Linux kernel, the following vulnerability has been resolved: nvme: make keep-alive synchronous operation The nvme keep-alive operation, which executes at a periodic interval, could potentially sneak in while shutting down a fabric controller. ...
2 months ago Tenable.com
ALPHV ransomware site outage rumored to be caused by law enforcement - A law enforcement operation is rumored to be behind an outage affecting ALPHV ransomware gang's websites over the last 30 hours. The ALPHV negotiation and data leak sites suddenly became unavailable yesterday and continue to remain down today. ...
1 year ago Bleepingcomputer.com
'Operation Endgame' Hits Malware Delivery Platforms - Law enforcement agencies in the United States and Europe today announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for delivering ransomware and data-stealing malware. A frame from one of three ...
8 months ago Krebsonsecurity.com
Law enforcement agencies arrest 4 alleged LockBit members | TechTarget - Authorities arrested four suspected members of the LockBit ransomware gang during the third phase of the international law enforcement effort dubbed Operation Cronos. Operation Cronos' efforts to disrupt the LockBit ransomware gang continue as ...
4 months ago Techtarget.com
Lost and found: How to locate your missing devices and more - Physical trackers are small, circular or square-shaped objects that use simple replaceable batteries to remain charged for a long time. For travelers going around with luggage on trains and planes, there have been times when they come in really handy ...
1 year ago Welivesecurity.com
Hubris May Have Contributed to Downfall of Ransomware Kingpin LockBit - For all its vaunted success, the LockBit ransomware operation appears to have already been beset by problems when an international law enforcement effort led by the UK's National Crime Agency shut it down this week. Though it's likely that the dozens ...
11 months ago Darkreading.com
FBI: Royal ransomware asked 350 victims to pay $275 million - The FBI and CISA revealed in a joint advisory that the Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022. In an update to the original advisory published in March with additional information ...
1 year ago Bleepingcomputer.com
Toronto Public Library outages caused by Black Basta ransomware attack - The Toronto Public Library is experiencing ongoing technical outages due to a Black Basta ransomware attack. The Toronto Public Library is Canada's largest public library system, giving access to 12 million books through 100 branch libraries across ...
1 year ago Bleepingcomputer.com
Ragnar Locker ransomware developer arrested in France - Law enforcement agencies arrested a malware developer linked with the Ragnar Locker ransomware gang and seized the group's dark web sites in a joint international operation. Authorities from France, the Czech Republic, Germany, Italy, Latvia, the ...
1 year ago Bleepingcomputer.com
How the FBI seized BlackCat ransomware's servers - An unsealed FBI search warrant revealed how law enforcement hijacked the ALPHV/BlackCat ransomware operations websites and seized the associated URLs. Today, the US Department of Justice confirmed that they seized websites for the ALPHV ransomware ...
1 year ago Bleepingcomputer.com
Interpol operation arrests 3,500 cybercriminals, seizes $300 million - An international law enforcement operation codenamed 'Operation HAECHI IV' has led to the arrest of 3,500 suspects of various lower-tier cybercrimes and seized $300 million in illicit proceeds. The South Korean authorities led HAECHI operations and ...
1 year ago Bleepingcomputer.com
Police arrested four new individuals linked to the LockBit ransomware operation - “Europol supported a new series of actions against LockBit actors, which involved 12 countries and Eurojust and led to four arrests and seizures of servers critical for LockBit’s infrastructure.” reads the press release published by ...
4 months ago Securityaffairs.com
Global law enforcement seizes $300 million, arrests 3,500 involved in transnational cybercrime operation - A transnational cybercrime operation was taken down this week after law enforcement agencies from 34 countries coordinated on nearly 3,500 arrests and the seizure of about $300 million in stolen funds. According to Interpol, law enforcement agencies ...
1 year ago Therecord.media
Waiting for the BlackCat rebrand - We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government. While the Tor onion domain seizure was a ...
10 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)