Operation “Triangulation”: 4-year campaign that backdoored iPhones

At the 37th Chaos Communication Congress (37C3), three Kaspersky researchers presented the full exploit chain of Operation Triangulation, a sophisticated attack that targeted iPhones, including those of Kaspersky employees. The chain relied on an undocumented hardware feature of Apple’s SoCs that almost nobody knew about, which shows how capable the attackers were. Kaspersky is still investigating how the attackers learned of this feature.

What happened?

Kaspersky researchers uncovered a years-long campaign of zero-click attacks against iPhones and were left with several open questions. The chain relied on four zero-day vulnerabilities that the attackers knew about before Apple did; the underlying flaws also affect iPads, Macs and other Apple devices. Apple has since patched all four. They are:

  • CVE-2023-41990: A remote code execution vulnerability in the undocumented, Apple-only ADJUST TrueType font instruction, triggered by a malicious iMessage attachment.
  • CVE-2023-32434: An integer overflow in XNU’s memory mapping syscalls, giving the exploit read/write access to the device’s entire physical memory from user level.
  • CVE-2023-32435: A WebKit vulnerability used by the Safari exploit to execute shellcode in a later stage of the chain.
  • CVE-2023-38606: Abuse of undocumented hardware MMIO registers to bypass the Page Protection Layer (PPL), defeating the hardware-based protection of kernel memory.

The chain also depended on an undocumented hardware feature that hardly anyone knew existed. What it was meant for, and where it came from, is still unknown. The initial iMessage attachment required no interaction from the victim; once a device was compromised, the attackers loaded spyware that could exfiltrate microphone recordings, photos and location data.

Indicators of Compromise:

The post-exploitation components of Operation Triangulation were built to evade detection: the microphone module stopped recording while the screen was in use, and the location module switched to alternative location sources when GPS was unavailable. The modules show a deep understanding of Apple’s systems, rely on undocumented functionality and support older iOS versions, which suggests the campaign had been running for a long time.

The attack deployed several stealthy post-exploitation modules. Their file hashes, published with the research, are indicators of compromise (IoCs) that can aid detection.

Keychain Module
MD5: 527bb38d4716c019b65da64d0f851a70
SHA-1: a468613d31c90ac94bbd313bc70c5c6638c91603
SHA-256: 64f36b0b8ef62634a3ec15b4a21700d32b3d950a846daef5661b8bbca01789dc

Location Module
MD5: da5d3c0d3ad8df77ff6f331066636e42
SHA-1: a5a93e8d48fdef8c02066b9020445b50ebc81a8f
SHA-256: 7e779a019f250d8cec9761d1230296236a8b714743df42c49ce8daf818d542e7

SMS-Stealing Module
MD5: adb9e4b7a75eccc37f6941a5cbc7685b
SHA-1: 6e9cd17fcc8b14cc860ce980c5e919494a10eec9
SHA-256: c2393fceab76776e19848c2ca3c84bea0ed224ac53206c48f1c5fd525ef66306

Microphone Module
MD5: ac2444e7f7b0a4b084ad8c9ae8ac26c8
SHA-1: 10509067ba5d9d985e932ea77f089491dee1611d
SHA-256: ff2f223542bbc243c1e7c6807e4c80ddad45005bcd78a77f8ec91de29deb2f6e

These hashes identify the module binaries recovered from compromised devices. Matching files against them can confirm traces of a Triangulation infection and help in mitigating its impact; note that a hash IoC only catches a byte-identical binary, so the absence of a match does not by itself rule out compromise.
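As an added example (not part of the original page and not Kaspersky’s tooling), the following Python script turns the hashes above into a file scanner: it computes MD5, SHA-1 and SHA-256 of each file in a single pass and reports any file whose digest matches a listed module. The module table holds the page’s hashes verbatim; the function names and the `b"hello"` sample input are my own and constructed for illustration.

```python
"""Hash-based IoC scanner for the Operation Triangulation module hashes above.

Added example, not part of the original page or of Kaspersky's tooling.
It hashes candidate files (for instance binaries recovered from a full
file-system extraction of a suspect device) and reports matches against
the published module hashes.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Tuple

# Module hashes exactly as listed on this page, keyed by the page's module names.
TRIANGULATION_IOCS: Dict[str, Dict[str, str]] = {
    "Keychain Module": {
        "md5": "527bb38d4716c019b65da64d0f851a70",
        "sha1": "a468613d31c90ac94bbd313bc70c5c6638c91603",
        "sha256": "64f36b0b8ef62634a3ec15b4a21700d32b3d950a846daef5661b8bbca01789dc",
    },
    "Location Module": {
        "md5": "da5d3c0d3ad8df77ff6f331066636e42",
        "sha1": "a5a93e8d48fdef8c02066b9020445b50ebc81a8f",
        "sha256": "7e779a019f250d8cec9761d1230296236a8b714743df42c49ce8daf818d542e7",
    },
    "SMS-Stealing Module": {
        "md5": "adb9e4b7a75eccc37f6941a5cbc7685b",
        "sha1": "6e9cd17fcc8b14cc860ce980c5e919494a10eec9",
        "sha256": "c2393fceab76776e19848c2ca3c84bea0ed224ac53206c48f1c5fd525ef66306",
    },
    "Microphone Module": {
        "md5": "ac2444e7f7b0a4b084ad8c9ae8ac26c8",
        "sha1": "10509067ba5d9d985e932ea77f089491dee1611d",
        "sha256": "ff2f223542bbc243c1e7c6807e4c80ddad45005bcd78a77f8ec91de29deb2f6e",
    },
}

ALGORITHMS = ("md5", "sha1", "sha256")


def file_digests(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Compute all three digests in one pass so large files are read only once."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def digests_of_bytes(blob: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used by the constructed sample)."""
    return file_digests([blob])


def digests_of_path(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file from disk in 1 MiB chunks."""
    with open(path, "rb") as fh:
        return file_digests(iter(lambda: fh.read(chunk_size), b""))


def build_index(iocs: Dict[str, Dict[str, str]]) -> Dict[Tuple[str, str], str]:
    """Invert the IoC table into {(algorithm, lowercase hex): module} for O(1) lookups."""
    return {(algo, value.lower()): module
            for module, hashes in iocs.items()
            for algo, value in hashes.items()}


def match_digests(digests: Dict[str, str], index: Dict[Tuple[str, str], str]) -> List[str]:
    """Return the sorted names of the modules any of the digests matches (normally 0 or 1)."""
    hits = {index[(algo, value.lower())]
            for algo, value in digests.items()
            if (algo, value.lower()) in index}
    return sorted(hits)


def scan_tree(root: str, iocs: Dict[str, Dict[str, str]] = TRIANGULATION_IOCS) -> List[Tuple[str, List[str]]]:
    """Walk a directory tree and return (path, [matched modules]) for every hit."""
    index = build_index(iocs)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = match_digests(digests_of_path(path), index)
            except OSError:
                continue  # unreadable entry (permissions, broken symlink): skip it, do not abort the scan
            if hits:
                findings.append((path, hits))
    return findings


if __name__ == "__main__":
    import sys

    # Constructed sample: b"hello" is not a module binary, so it must not match the real table.
    assert match_digests(digests_of_bytes(b"hello"), build_index(TRIANGULATION_IOCS)) == []
    for path, modules in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {path}: {', '.join(modules)}")
```

Run it as `python3 ioc_scan.py /path/to/extracted/filesystem`. Matching on all three algorithms costs nothing extra because the file is read once, and it lets the scanner consume IoC feeds that publish only one of them. Because a rebuilt or repacked module produces entirely different digests, a clean scan is evidence only against these exact samples, not against the implant family as a whole.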


Attack Chain:

The Operation Triangulation attack chain exploited multiple zero-day vulnerabilities in iOS, employing a complex series of steps:

  1. Malicious iMessage Attachment: The attackers sent an iMessage attachment that the Messages app processed without showing anything to the user, triggering a remote code execution vulnerability (CVE-2023-41990) in the undocumented, Apple-only ADJUST TrueType font instruction.
  2. JavaScript Stage: The attachment bootstrapped a privilege-escalation exploit written in JavaScript. Although obfuscated, it still runs to around 11,000 lines and is mostly devoted to manipulating JavaScriptCore’s memory and calling native API functions.
  3. Kernel Memory Access: The JavaScript exploit used CVE-2023-32434, an integer overflow in XNU’s memory mapping syscalls, to obtain read/write access to the device’s entire physical memory from user level.
  4. PPL Bypass: Writes to protected kernel memory would still have been blocked by the Page Protection Layer, so the exploit wrote to undocumented hardware MMIO registers (CVE-2023-38606) to bypass it.
  5. Payload and Actions: With full control of the device, the exploit launched a process that cleared exploitation traces, then started Safari in invisible mode and pointed it at an attacker-controlled web page. That page delivered the next stages, including a Safari exploit that used CVE-2023-32435 to execute shellcode.

Investigating CVE-2023-38606

Investigating CVE-2023-38606, the researchers found that the exploit defeated the hardware-based protections guarding critical kernel memory on recent iPhone models. By writing to undocumented MMIO registers of Apple-designed SoCs, the attackers could write data to a chosen physical address while evading the device’s memory protections. The registers are not used by the firmware and appear to have been intended for testing or debugging during production; how the attackers learned of their existence, and how they worked out how to use them, remains an open question.

Conclusion

Operation Triangulation chained four zero-day vulnerabilities that Apple did not know about, an iMessage font-parsing bug, a kernel memory mapping integer overflow, a WebKit bug in Safari and an undocumented hardware feature, into a zero-click compromise of iPhones; the underlying flaws also affect iPads, Macs and other Apple devices. Apple has patched all four. The spyware’s stealth measures, such as pausing microphone recording while the screen was in use and using alternative location sources when GPS was unavailable, together with its support for older iOS versions, point to a long-running operation by actors with deep knowledge of Apple’s platforms. The open question is how they learned of the hardware feature, and the clues left behind, including the IoCs above, are what researchers are now working through to detect and prevent attacks of this kind in the future.