2 More Apple Zero-Days Exploited in Ongoing iOS Spy Campaign

Apple has released emergency patches for two new zero-day vulnerabilities in its software that an advanced persistent threat (APT) actor has been using to deploy malware in an ongoing iOS spying campaign dubbed "Operation Triangulation."

Meanwhile on Wednesday, Kaspersky released a new report that provided additional details on the TriangleDB spyware implant used in the campaign, which it flagged as containing a number of oddities, such as disabled features that could be deployed at a future time. 

According to the company, its analysis showed that for now, the malware supports 24 functional commands that serve various purposes such as creating, modifying, removing and stealing files, listing and terminating processes, gathering credentials from the victim's keychain and monitoring their location.

"Features that we found especially significant are the abilities to read any file on the infected device, extract passwords from the victim's keychain and track the device geolocation," says Georgy Kucherin, one of the security researchers at Kaspersky who discovered the zero-day bugs that Apple disclosed this week.

A Trio of Zero-Days

One of the newly addressed security vulnerabilities (CVE-2023-32434) affects multiple iOS versions and gives attackers a way to execute arbitrary code with kernel level privileges on iPhones and iPads. The other vulnerability (CVE-2023-32439) exists in Apple's WebKit browser and enables arbitrary code execution via maliciously crafted web content. Apple on June 21, 2023, issued updates addressing both vulnerabilities. 

The two bugs are part of a set of three Apple zero-days that researchers at Kaspersky have discovered so far while investigating Operation Triangulation. The investigation began about seven months ago when the security firm spotted several dozen iOS devices on its corporate Wi-Fi network behaving in a suspicious manner.

The company released a report on its initial analysis of the malicious activity, in early June. At the time, Kaspersky described the attackers as likely exploiting multiple vulnerabilities in Apple software to deliver the TriangleDB spyware implant on iOS devices belonging to targeted iOS users. Researchers at the company identified the first of the flaws as CVE-2022-46690, an out-of-bounds issue that allowed an application to execute arbitrary code at the kernel level. Kaspersky described the malware itself as running with root privileges, capable of executing arbitrary code on affected devices and implementing a set of commands for collecting system and user information.

Reading files on the infected device allows attackers to get access to sensitive information such as photos, videos, emails, as well as databases containing conversations from messenger apps, Kucherin says. TriangleDBs' keychain dumping features allow the attackers to harvest the victim's passwords, and then further use them to access various accounts owned by the victim.

TriangeDB Shows Curious Spyware Behavior

Somewhat curiously, the implant requests multiple privileges from the operating system (on infected devices) without any obvious ways to use the information, Kucherin says. Examples of privileges that the malware requests—but doesn’t presently use—include access to the microphone, camera and the address book. 

"These features may be implemented in auxiliary modules that can be loaded by the implant," at some future time, he notes.

Another significant discovery that Kaspersky made when analyzing TriangleDB is the fact that the attackers behind the malware have an eye on targeted macOS users as well. "Perhaps the most interesting finding is the 'populateWithFieldsMacOSOnly' method that we found in the implant," Kucherin says. "Its existence means that similar implants can be used to target not just iOS devices, but also Mac computers."

Kaspersky has assessed it was the victim of a targeted attack, but likely not the only one. Russia's Federal Security Service (FSB) intelligence outfit has alleged—without providing any proof—that the US National Security Agency (NSA), likely in cahoots with Apple, is behind the malware and the spying operation. The agency has accused the two of installing the spyware on thousands of iOS devices belonging to Russian diplomats and Russia-affiliated individuals of supposed interest to the US government. In a tone reminiscent of US accusations against Russia and China, Russia's foreign ministry described the iOS spyware campaign as part of a decades long effort to collect "large-scale data of Internet users" without their permission or knowledge.

Both the NSA and Apple have rejected those allegations.

Kaspersky has released a utility called ‘triangle_check’ that organizations can use to search for signs of the spyware implant on their iOS devices.