Technical breakthrough in Operation Triangulation: Kaspersky Lab bypassed the protection of intruders

Lord777

The company's experts found vulnerabilities in iOS and exploits underlying the incident.

Experts from the Kaspersky Lab Global Research and Analysis Team (GReAT) revealed the details of the Operation Triangulation analysis at the Security Analyst Summit (SAS) conference. They described the methods of attack research that identified vulnerabilities in iOS and exploits underlying the incident. Experts also shared data on tools that helped them explore the closed operating system and overcome the defense mechanisms of opponents in order to analyze all stages of the campaign.

Recall that in the summer, Kaspersky Lab reported on the Operation Triangulation APT campaign affecting iOS devices. The attackers used a sophisticated method of distributing exploits via iMessage, which did not require active actions from users. As a result, attackers gained full control over the device and user data. According to GReAT, the main target of the attackers was espionage.

At the SAS conference, Kaspersky Lab specialists presented technical details of a multi-month analysis that revealed an attack chain with five vulnerabilities, four of which were previously unknown zero-day vulnerabilities. The initial entry point was a vulnerability in the font processing library, and the second one was in the memory mapping code (extremely dangerous and easy to exploit). The vulnerability allowed access to the device's physical memory.

Two more vulnerabilities were exploited by attackers to bypass the latest hardware protection tools for the Apple processor. It also turned out that, in addition to the ability to remotely infect iOS devices via iMessage, the attackers had a platform for performing attacks through the Safari web browser. Thanks to this, it was possible to detect and fix the fifth of the vulnerabilities.

Following a notification from Kaspersky Lab, Apple has released security updates that address four zero-day vulnerabilities discovered by GReAT researchers (CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, CVE-2023-41990). The vulnerabilities affected a large number of Apple products, including iPhones, iPods, iPads, Mac OS devices, Apple TV, and Apple Watch.

To identify vulnerabilities and understand the actions of attackers, Kaspersky Lab specialists had to show ingenuity, in particular, to develop methods to bypass the intruders' encryption. The task was complicated by the closed nature of iOS. For example, to extract an attachment from iMessage (the beginning of the infection chain), you had to get the encrypted text and the AES encryption key. The first component was obtained by intercepting traffic to iCloud servers via mitmproxy. You couldn't do the same with the key, because it is sent over the iMessage protocol. Therefore, the experts came up with a way to disrupt the process of downloading the encrypted text of the attachment, so that the key is stored in the SMS.db database. To do this, they changed a few bytes in the ciphertext using a mitmproxy add-on, then downloaded an iTunes backup from the infected device (backups were used instead of full device images) and extracted the key from the database it contained.

The company noted that the hardware protection in the new Apple chips significantly improves the resistance of devices to cyber attacks, but does not make them completely invulnerable. The Triangulation operation serves as a reminder of the importance of being careful with iMessage attachments from unknown sources. The results obtained can be useful for countering such attacks, as well as for finding a balance between the system's closeness and accessibility for researchers.
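As an added illustration of the tampering step described above, here is what a mitmproxy add-on that alters a few bytes of an intercepted attachment download can look like. This is constructed example code, not code from the original post or from Kaspersky; the host match (any host name containing "icloud"), the byte offsets that are flipped, and the fake flow object used by demo() are all assumptions, since the post only says that traffic to iCloud servers was intercepted and "a few bytes" were changed.

```python
"""
Constructed example: a mitmproxy addon that alters a few bytes of an
intercepted attachment download so the device's decryption of the attachment
fails and the AES key is left behind in the local message database, from
which an analyst can later recover it via a device backup.

Assumptions (not from the original post): the host match below, the byte
offsets that are flipped, and the fake flow object used by demo().
Real use: mitmproxy -s corrupt_attachment.py
"""
import logging
import re
from types import SimpleNamespace

# Assumption: attachment downloads are recognised by a host name containing
# "icloud"; the post only says "traffic to iCloud servers".
HOST_PATTERN = re.compile(r"icloud", re.IGNORECASE)
# Assumption: flipping the first four bytes is enough to break decryption or
# integrity checking on the client side (any change to the ciphertext does).
OFFSETS = (0, 1, 2, 3)
MASK = 0xFF


def corrupt_ciphertext(data: bytes, offsets=OFFSETS, mask: int = MASK) -> bytes:
    """Return a copy of `data` with the bytes at `offsets` XORed with `mask`.

    Offsets past the end of the payload are ignored, so short bodies are
    handled without raising. Applying the function twice with the same
    arguments restores the original bytes (XOR is its own inverse).
    """
    buf = bytearray(data)
    for off in offsets:
        if 0 <= off < len(buf):
            buf[off] ^= mask
    return bytes(buf)


class CorruptAttachment:
    """mitmproxy addon: tamper with matching response bodies and count hits."""

    def __init__(self, host_pattern=HOST_PATTERN, offsets=OFFSETS):
        self.host_pattern = host_pattern
        self.offsets = offsets
        self.hits = 0

    def matches(self, flow) -> bool:
        host = getattr(flow.request, "pretty_host", "") or ""
        return bool(self.host_pattern.search(host))

    def response(self, flow):
        """mitmproxy calls this hook for every completed server response."""
        if flow.response is None or not self.matches(flow):
            return False
        body = flow.response.content
        if not body:  # nothing to tamper with (HEAD, empty body, ...)
            return False
        flow.response.content = corrupt_ciphertext(body, self.offsets)
        self.hits += 1
        logging.info("tampered %d bytes of %s%s", len(self.offsets),
                     flow.request.pretty_host, getattr(flow.request, "path", ""))
        return True


# What mitmproxy looks for when a script is loaded with -s.
addons = [CorruptAttachment()]


def make_fake_flow(host: str, body: bytes):
    """Constructed stand-in for mitmproxy's HTTPFlow, enough for the hook."""
    return SimpleNamespace(
        request=SimpleNamespace(pretty_host=host, path="/attachment"),
        response=SimpleNamespace(content=body),
    )


def demo():
    """Run the addon against two constructed flows.

    Returns (tampered_body, untouched_body, hit_count).
    """
    addon = CorruptAttachment()
    ciphertext = bytes(range(16))  # constructed stand-in for an encrypted attachment
    hit = make_fake_flow("p55-content.icloud.example", ciphertext)  # constructed host
    miss = make_fake_flow("www.example.org", ciphertext)
    addon.response(hit)
    addon.response(miss)
    return hit.response.content, miss.response.content, addon.hits


if __name__ == "__main__":
    tampered, untouched, hits = demo()
    print(tampered.hex(), untouched.hex(), hits)
```

The byte-flipping is kept in a pure function so the effect can be checked offline against a constructed payload before the addon is ever loaded into a proxy; the only part that touches mitmproxy is the `response` hook, which reads and writes `flow.response.content`.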
 
