'Operation Triangulation' Spyware Attackers Bypass iPhone Memory Protections
The Operation Triangulation attacks are abusing undocumented functions in Apple chips to circumvent hardware-based security measures.
December 29, 2023
A previously undocumented hardware feature within Apple's iPhone System on a Chip (SoC) allows for exploitation of multiple vulnerabilities, eventually letting attackers bypass hardware-based memory protection.
The vulnerability plays a central role in the sophisticated advanced persistent threat (APT) "Operation Triangulation" zero-click campaign, according to a report from Kaspersky's Global Research and Analysis Team (GReAT).
The Operation Triangulation iOS cyberespionage spy campaign has existed since 2019 and has utilized multiple vulnerabilities as zero-days to bypass security measures in iPhones, posing a persistent risk to users' privacy and security. Targets have included Russian diplomats and other officials there, as well as private enterprises such as Kaspersky itself.
In June, Kaspersky released a report offering additional details on the TriangleDB spyware implant used in the campaign, highlighting numerous unique capabilities, for example disabled features that could be deployed in the future.
This week, the team presented their most recent findings at the 37th Chaos Communication Congress in Hamburg, Germany, calling it "the most sophisticated attack chain" they had yet seen being used in the operation.
The zero-click assault is directed at the iPhone's iMessage app, aimed at iOS versions up to iOS 16.2. When it was first seen, it was exploiting four zero-days with intricately structured layers of attack.
Inside the "Operation Triangulation" Zero-Click Mobile Attack
The attack begins innocently as malicious actors send an iMessage attachment, exploiting the remote code execution (RCE) vulnerability CVE-2023-41990.
This exploit targets the undocumented ADJUST TrueType font instruction exclusive to Apple, existing since the early nineties before a subsequent patch.
The attack sequence then delves deeper, leveraging return/jump oriented programming and NSExpression/NSPredicate query language stages to manipulate the JavaScriptCore library.
The attackers have embedded a privileged escalation exploit in JavaScript, carefully obfuscated to conceal its content, which spans approximately 11,000 lines of code.
This intricate JavaScript exploit maneuvers through JavaScriptCore’s memory and executes native API functions by exploiting the JavaScriptCore debugging feature DollarVM ($vm).
Exploiting an integer overflow vulnerability tracked as CVE-2023-32434 within XNU's memory mapping syscalls, the attackers then gain unprecedented read/write access to the device’s physical memory at a user level.
Furthermore, they adeptly bypass the Page Protection Layer (PPL) using hardware memory-mapped I/O (MMIO) registers, a concerning vulnerability exploited as a zero-day by the Operation Triangulation group but eventually addressed as CVE-2023-38606 by Apple.
Upon penetrating the device's defenses, the attackers exercise selective control by initiating the IMAgent process, injecting a payload to clear any exploitation traces.
Subsequently, they initiate an invisible Safari process redirected to a Web page housing the next stage of the exploit.
The Web page performs victim verification and, upon successful authentication, triggers a Safari exploit, using CVE-2023-32435 to execute a shellcode.
This shellcode activates yet another kernel exploit in the form of a Mach object file, leveraging two of the same CVEs used in prior stages (CVE-2023-32434 and CVE-2023-38606).
Once obtaining root privileges, the attackers orchestrate additional stages, eventually installing spyware.
A Growing Sophistication in iPhone Cyberattacks
The report noted the intricate, multistage attack presents an unprecedented level of sophistication, exploiting varied vulnerabilities across iOS devices and elevating concerns over the evolving landscape of cyber threats.
Boris Larin, principal security researcher Kaspersky, explains that the new hardware vulnerability is possibly based on the principle of "security through obscurity," and may have been intended for testing or debugging.
"Following the initial zero-click iMessage attack and subsequent privilege escalation, the attackers leveraged the feature to bypass hardware-based security protections and manipulate the contents of protected memory regions," he says. "This step was crucial for obtaining full control over the device."
He adds that as far as the Kaspersky team is aware, this feature had not been publicly documented, and it’s not used by the firmware, presenting a significant challenge in its detection and analysis using conventional security methods.
"If we are talking about iOS devices, due to the closed nature of these systems, it’s really hard to detect such attacks," Larin says. "The only detection methods available for these are to perform a network traffic analysis and forensic analysis of device backups made with iTunes."
He explains that in contrast, desktop and laptop macOS systems are more open and so, more effective detection methods are available for these.
"On these devices it’s possible to install endpoint detection and response (EDR) solutions that can help to detect such attacks," Larin notes.
He recommends that security teams update their operating system, applications, and antivirus software regularly; patch any known vulnerabilities; and provide their SOC teams with access to the latest threat intelligence.
Larin adds: "Implement EDR solutions for endpoint-level detection, investigation, and timely remediation of incidents, reboot daily to disrupt persistent infections, disable iMessage and Facetime to reduce zero-click exploit risks, and promptly install iOS updates to guard against known vulnerabilities."
About the Author
You May Also Like