On Wednesday, Apple shipped a coordinated set of updates for iOS, iPadOS, macOS, watchOS, and Safari that fix vulnerabilities it says have been actively exploited in the wild. Among the fixes are two zero-day flaws used in a mobile surveillance campaign dubbed Operation Triangulation, which Kaspersky traces back to 2019. The actors behind the campaign have not been identified.

Two vulnerabilities stand out. The first, tracked as CVE-2023-32434, is an integer overflow in the kernel that lets a malicious app execute arbitrary code with kernel privileges. The second, CVE-2023-32435, is a memory corruption bug in WebKit; processing maliciously crafted web content can lead to arbitrary code execution. Apple says both may have been actively exploited against versions of iOS released before iOS 15.7, and credits Kaspersky researchers with reporting them.

According to Kaspersky, the spyware was delivered in a zero-click attack: the target received an iMessage carrying a malicious attachment that triggered code execution without any user interaction. That initial foothold was then used to exploit a kernel vulnerability and obtain root on the device. The exploit chain installs a backdoor and downloads additional components from the attackers' infrastructure, and the original iMessage is deleted to hide the point of entry.

The implant, which Kaspersky calls TriangleDB, runs only in memory, so a reboot leaves no trace of it on disk. Its capabilities cover broad data collection and tracking: the operators can interact with the device's file system, manage processes, extract credentials from the keychain, and monitor the victim's geolocation, among other actions.

Kaspersky has released a utility called "triangle_check" that scans iOS device backups for signs of compromise linked to the campaign. Because the implant itself leaves nothing on disk, an offline scan of a backup for the side effects of infection is the practical way to detect a device that was compromised and has since rebooted. Separately, Apple has fixed a third zero-day, CVE-2023-32439, a type confusion issue in WebKit that could also lead to arbitrary code execution when processing malicious web content; Apple says it was addressed with improved checks.
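The backup scan described above, as an added example that is not Kaspersky's triangle_check and not code from the original article: it locates DataUsage.sqlite inside an iTunes/Finder backup (backups name each file by the SHA-1 of "<domain>-<relative path>"; the WirelessDomain path below is my understanding of where iOS keeps this database and is an assumption) and then flags network usage attributed to the deprecated BackupAgent binary, which Kaspersky reported as an indicator, especially when it follows an IMTransferAgent (iMessage attachment) transfer. The database is a constructed in-memory stand-in whose schema is modelled on the real ZPROCESS/ZLIVEUSAGE tables but trimmed to the columns used; the BackupAgent2 name and the 30-minute correlation window are assumptions for illustration, not published indicators.

```python
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone

# BackupAgent is the deprecated binary Kaspersky flagged as showing network
# activity on infected devices. BackupAgent2 is an assumed name for illustration.
SUSPICIOUS_PROCS = {"BackupAgent", "BackupAgent2"}
ATTACHMENT_PROC = "IMTransferAgent"   # process that downloads iMessage attachments
CORRELATION_WINDOW_S = 30 * 60        # assumed window, not a published threshold

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def backup_file_id(domain: str, relative_path: str) -> str:
    """iTunes/Finder backups store each file under SHA-1('<domain>-<relative path>')."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def apple_ts(seconds: float) -> datetime:
    """Core Data timestamps count seconds since 2001-01-01 UTC, not the Unix epoch."""
    return APPLE_EPOCH + timedelta(seconds=seconds)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for DataUsage.sqlite (schema modelled on the real
    tables, trimmed to the columns used here; all rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL,
                               ZTIMESTAMP REAL, ZBUNDLENAME TEXT, ZPROCNAME TEXT);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
                                 ZTIMESTAMP REAL, ZWIFIIN REAL, ZWIFIOUT REAL,
                                 ZWWANIN REAL, ZWWANOUT REAL);
    """)
    procs = [
        (1, 707000000.0, 707003600.0, "com.apple.MobileSMS", "MobileSMS"),
        (2, 707001000.0, 707001005.0, None, "IMTransferAgent"),
        (3, 707001200.0, 707001900.0, None, "BackupAgent"),
    ]
    usage = [
        (1, 1, 707003600.0, 51200.0, 8192.0, 0.0, 0.0),       # ordinary Messages traffic
        (2, 2, 707001005.0, 0.0, 0.0, 132000.0, 2048.0),      # attachment pulled over cellular
        (3, 3, 707001900.0, 0.0, 0.0, 910000.0, 4096.0),      # deprecated binary talking to the network
    ]
    conn.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?,?)", procs)
    conn.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?,?,?)", usage)
    return conn


def find_suspicious_usage(conn: sqlite3.Connection,
                          suspicious=SUSPICIOUS_PROCS,
                          window_s: int = CORRELATION_WINDOW_S) -> list:
    """Return network-usage records for processes that should never reach the
    network, noting whether an iMessage attachment transfer preceded each one."""
    rows = conn.execute("""
        SELECT p.ZPROCNAME, p.ZBUNDLENAME, p.ZFIRSTTIMESTAMP, u.ZTIMESTAMP,
               u.ZWIFIIN + u.ZWIFIOUT + u.ZWWANIN + u.ZWWANOUT
        FROM ZLIVEUSAGE u JOIN ZPROCESS p ON u.ZHASPROCESS = p.Z_PK
        WHERE u.ZWIFIIN + u.ZWIFIOUT + u.ZWWANIN + u.ZWWANOUT > 0
        ORDER BY u.ZTIMESTAMP
    """).fetchall()
    attachment_ts = [ts for name, _, _, ts, _ in rows if name == ATTACHMENT_PROC]
    hits = []
    for name, bundle, first_ts, ts, total in rows:
        if name not in suspicious:
            continue
        # Strongest signal: the forbidden process went online shortly after an
        # attachment download, matching the zero-click delivery described.
        preceded = any(0 <= ts - a <= window_s for a in attachment_ts)
        hits.append({
            "process": name,
            "bundle": bundle,
            "first_seen": apple_ts(first_ts).isoformat(),
            "seen": apple_ts(ts).isoformat(),
            "total_bytes": total,
            "preceded_by_attachment": preceded,
        })
    return hits


if __name__ == "__main__":
    print("Backup file ID for DataUsage.sqlite:",
          backup_file_id("WirelessDomain", "Library/Databases/DataUsage.sqlite"))
    for hit in find_suspicious_usage(build_sample_db()):
        print(hit)
```

Against a real backup, open the file named by `backup_file_id(...)` under the backup directory instead of calling `build_sample_db()`; an unencrypted backup is required, since encrypted backups store file contents under a per-backup key. A hit with `preceded_by_attachment` set is what warrants pulling the device for fuller analysis; an isolated BackupAgent entry is still worth investigating but is weaker on its own.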

The fixes ship in iOS 16.5.1 and iPadOS 16.5.1, which cover iPhone 8 and later, all iPad Pro models, and iPad Air 3rd generation and later, among other devices. Older hardware gets iOS 15.7.7 and iPadOS 15.7.7, and Macs get macOS Ventura 13.4.1, Monterey 12.6.7, and Big Sur 11.7.8. Together these releases close out the exploited bugs described above.

This patch cycle brings Apple's tally to nine zero-day vulnerabilities fixed since the start of the year. Earlier updates this year addressed WebKit flaws that could be used for remote code execution and privilege escalation.

For defenders, timely patching remains the primary control here: the kernel and WebKit bugs are fixed, and the implant does not survive a reboot, but nothing stops an attacker from re-delivering the chain to an unpatched device. Mapping the campaign to the MITRE ATT&CK Matrix helps frame what to look for: initial access via the zero-click iMessage attachment, privilege escalation through the kernel exploit, and an in-memory implant that trades on-disk persistence for stealth, which is why backup-based checks such as triangle_check matter.
