
New details on attacks on iOS devices

The Kaspersky Global Research and Analysis Team (GReAT) has revealed new details about Operation Triangulation, which became famous for infecting iOS devices. The new information covers the vulnerabilities exploited in iOS as well as the exploits designed for this attack, which affected both Kaspersky and other organizations.

In the middle of the year, Kaspersky discovered an ongoing advanced persistent threat (APT) campaign targeting iOS devices. Dubbed ‘Operation Triangulation’, this campaign uses a sophisticated exploit distribution method via iMessage that requires no user interaction to carry out the infection and ultimately take full control of the victim’s device and data.

Due to the complexity of the attack and the closed nature of the iOS ecosystem, the task force devoted a significant amount of time and resources to detailed technical analysis. The final report shows that the cyberattack exploited five vulnerabilities in iOS, four of which were classified as previously unknown (zero-day). All of them were patched after Kaspersky analysts reported them to Apple.

The company’s experts identified the first entry point as a vulnerability in a font-processing library. Another extremely powerful and easily exploitable vulnerability in the memory mapping code allowed access to the device’s physical memory. Additionally, the attackers exploited two other vulnerabilities to bypass the latest security features of Apple’s processor hardware.

Analysts also found that, in addition to being able to remotely infect Apple devices via iMessage without user interaction, the attackers have a platform to carry out attacks via the Safari browser. This led to the discovery and patching of the fifth vulnerability.

The Apple team has officially announced security updates that address four zero-day vulnerabilities discovered by Kaspersky analysts (CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, CVE-2023-41990). These vulnerabilities affect a wide range of Apple products, including the iPhone, iPod, iPad, macOS devices, Apple TV and Apple Watch.

“Apple’s concern for the security of its mobile devices is commendable, but Operation Triangulation research serves as a reminder that there is no such thing as invulnerable security. Organizations should exercise caution when handling files included in iMessage and be alert to new discoveries to know how to protect themselves from the latest threats. It is worth remembering that the attack described in this investigation was not limited to Kaspersky. We even recorded attacks in Latin America, which makes this report very relevant to the region,” emphasizes Fabio Assolini, director of Analysis and Research for Latin America at Kaspersky.

Along with the publication of the report and the development of a specialized utility, GReAT experts have established an e-mail address so that anyone interested can contribute to the research. As a result, several victims contacted the company’s analysts, who provided them with the necessary guidance to improve their security. At Kaspersky, the attack targeted mid- and high-level executives as well as researchers based in Russia, Europe and the META region (Middle East, Turkey and Africa).

“Protecting systems against advanced cyberattacks is not easy, and this task is even more difficult in closed systems, such as iOS. Therefore, it is extremely important to apply multi-layered security measures to detect and prevent possible infections,” recommends Assolini.

To avoid becoming a victim of a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend the following measures:
● Update your operating system, applications, and antivirus software regularly to patch any known vulnerabilities.
● Be wary of emails, messages or calls that ask for confidential information, and verify the sender’s identity before sharing personal information or clicking on suspicious links.
● Provide the SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence Portal provides data on cyber attacks and insights collected by Kaspersky for more than 20 years.
● Train the cyber security team to respond to the latest cyber threats with Kaspersky online training developed by GReAT experts.
● For endpoint-level incident detection, analysis and remediation, implement EDR solutions such as Kaspersky Endpoint Detection and Response.

Source: Panama America

Published by
Ella
