Cybersecurity firm Kaspersky says it is investigating “previously unknown” malware targeting the company’s own employee’s Apple iOS devices that can compromise devices via the iMessage service with an attachment without any user interaction.
According to Kaspersky, the message triggers a vulnerability that leads to code execution, and the code within the exploit downloads several subsequent stages from the command-and-control server that include additional exploits for privilege escalation.
After successful exploitation, a final payload is downloaded from the C&C server, which Kaspersky calls a “fully featured APT platform.” The initial message and the exploit in the attachment is then deleted.
How Kaspersky discovered the exploit
Researchers for Kaspersky, which is the subject of a federal government ban and potential enforcement actions due to its alleged ties to the Russian government, say the company was monitoring network traffic of its own corporate WiFi network dedicated for mobile devices when they noticed suspicious activity coming from iOS devices.
“Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise,” researchers say.
The company says its mobile device backups provided a partial copy of the filesystem, including some user data and service databases. Timestamps of files, folders and the database records helped the company reconstruct the events leading to compromise.
According to Kaspersky, the malicious toolset does not support persistence, likely due to the limitations of the operating system.
Based on timelines of infected devices, devices may be reinfected after being rebooted.
The oldest traces of infection discovered by researchers happened in 2019, and the attack is ongoing, as the most recent version of devices successfully targeted is iOS15.7, which was released in September 2022.
While analysis of the final payload is not finished yet, Kaspersky researchers say the code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server.
Disabling iMessage would prevent iOS devices from compromise, the company says.
The vulnerabilities used, while not disclosed in the Kaspersky blog, were apparently zero days before they were patched in February.
Who is behind these attacks?
Kaspersky (neither the company nor the CEO of the same name) did not attribute the attacks to any specific group, but Russia’s Federal Security Service (FSB) in a separate statement (which didn’t specifically mention the Kaspersky report) accused the U.S. National Security Agency and Apple of having a “close cooperation” to spy on Russian diplomats.
In a statement provided to Reuters and other media outlets, Apple denied the claims, saying the company has “never worked with any government to insert a backdoor into any Apple product and never will.”
In a series of Tweets, CEO Eugene Kaspersky says successful exploitation can result in transmitting private information, including microphone recordings, photos from instant messages, geolocation and data about a number of other activities.
We’ve discovered a new cyberattack against iOS called Triangulation.
The attack starts with iMessage with a malicious attachment, which, using a number of vulnerabilities in iOS installs spyware. No user action is required.#IOSTriangulation pic.twitter.com/daxEYZwXwD
— Eugene Kaspersky (@e_kaspersky) June 1, 2023
The spyware infected “several dozen iPhones” of Kaspersky employees, but the CEO says the threat has been neutralized and the company is now operating normally.
In other Tweets, Kaspersky says the campaign is not related to other iOS attacks, such as Pegasus, Predator, or Reign. In addition, the Russia-based cybersecurity firm was not the main target of the attacks, the CEO says.
The company calls this campaign “Operation Triangulation” and has set up a webpage containing all related information. The company is asking anyone with additional details to contact the company at triangulation[at]kaspersky.com.
How to find out if you’ve been affected by Operation Triangulation
Kaspersky on Friday released a tool designed to automate the process of checking iOS device backups for possible indicators of compromise.
This article has been updated on June 2, 2023 to reflect a statement from Apple.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply