Inside Operation Triangulation: How Kaspersky Catch iOS Exploits

Specialists from the Global Research and Analysis Team (GReAT) at Kaspersky Lab unveiled the intricacies of Operation Triangulation during the Security Analyst Summit (SAS). They detailed the investigative techniques utilized in dissecting the attack, which led to the discovery of vulnerabilities within iOS and the underlying exploits central to the incident. The experts also shared insights on the tools that enabled them to probe the closed operating system and circumvent the adversary’s defensive mechanisms, thus analyzing the campaign’s entirety.

Previously in the summer, Kaspersky Lab reported on the APT campaign Operation Triangulation, which targeted iOS devices. The attackers deployed a sophisticated method of disseminating exploits via iMessage that did not require any active measures from the users. Consequently, the attackers gained comprehensive control over the affected devices and user data. GReAT assessed that espionage was the primary objective of the assailants.

Image: Kaspersky

At the SAS conference, Kaspersky Lab experts presented the technical details of the months-long analysis that revealed an attack chain with five vulnerabilities, four of which were previously unknown zero-day vulnerabilities. The initial entry point was a vulnerability in the font processing library, followed by an extremely dangerous and easily exploitable code execution flaw that allowed access to the device’s physical memory.

The perpetrators exploited two more vulnerabilities to circumvent the latest hardware security features of the Apple processor. It was also revealed that in addition to the ability to remotely infect iOS devices via iMessage, the attackers had a platform for conducting attacks through the Safari web browser. This facilitated the detection and rectification of the fifth vulnerability.

Following the alert from Kaspersky Lab, Apple released security updates to rectify the four zero-day vulnerabilities identified by GReAT researchers (CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, CVE-2023-41990). These vulnerabilities affected a wide array of Apple products, including iPhones, iPods, iPads, Mac OS devices, Apple TV, and Apple Watch.

To identify the vulnerabilities and understand the attackers’ actions, Kaspersky Lab’s experts had to be resourceful, particularly in developing methods to circumvent the encryption of the malefactors. The task was complicated by the closed nature of iOS. For example, to extract an iMessage attachment—a starting point in the infection chain—one had to acquire the encrypted text and the AES encryption key. The former was obtained by intercepting traffic to iCloud servers through mitmproxy. The same could not be done with the key since it is transmitted via the iMessage protocol. Therefore, the experts devised a method to disrupt the downloading process of the encrypted attachment text so that the key would be preserved in the SMS.db database. To achieve this, they altered several bytes in the encrypted text using a mitmproxy addon, then loaded an iTunes backup from the infected device (used instead of full device images) and extracted the key from the database contained within.

The company acknowledged that the advanced hardware protection features in Apple’s new chips significantly bolster the resilience of devices against cyberattacks, yet they do not render them entirely invulnerable. Operation Triangulation serves as a stark reminder of the importance of vigilance when dealing with iMessage attachments from unknown sources. The insights gleaned can be instrumental in countering similar assaults and in seeking an equilibrium between system security and accessibility for research purposes.