Kaspersky's Global Research and Analysis Team (GReAT) revealed their investigation process into the notorious Operation Triangulation at the recent Security Analyst Summit. The team showcased new details surrounding iOS vulnerabilities and exploits that underpin this assault, providing an analysis of the campaign that has targeted both the public and Kaspersky's employees.
Earlier this summer, Kaspersky uncovered an Advanced Persistent Threat (APT) campaign targeting iOS devices. Named 'Operation Triangulation', this campaign employs a sophisticated method of distributing zero-click exploits via iMessage, ultimately taking complete control over the device and its user data. Kaspersky GReAT assessed that the primary goal may involve covert user surveillance, affecting even Kaspersky's own staff. Due to the attack's complexity and the closed nature of the iOS ecosystem, a dedicated cross-team taskforce spent a substantial amount of time and resources conducting a detailed technical analysis.
At the Security Analyst Summit, company experts unveiled previously undisclosed details of the attack chain that took advantage of five vulnerabilities, four of which were previously unknown zero-day vulnerabilities patched after Kaspersky researchers submitted them to Apple.
Company’s experts identified an initial entry point through a font processing library vulnerability. The second, an extremely powerful and trivially exploitable vulnerability in the memory mapping code allowed access to the device’s physical memory. Additionally, attackers exploited two more vulnerabilities to bypass the latest Apple processor's hardware security features. Researches also discovered that, aside from the capability to remotely infect Apple devices through iMessage without user interaction, the attackers also had a platform to carry out attacks via the Safari web browser. This prompted the discovery and fixing of a fifth vulnerability.
The Apple team has officially released security updates, addressing four zero-day vulnerabilities discovered by Kaspersky researchers (CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, CVE-2023-41990). These vulnerabilities impacted a broad spectrum of Apple products, including iPhones, iPods, iPads, macOS devices, Apple TV, and Apple Watch.
“The hardware-based security features of devices with newer Apple chips significantly bolster their resilience against cyberattacks. But they are not invulnerable. Operation Triangulation serves as a reminder to exercise caution when handling iMessage attachments from unfamiliar sources. Drawing insights from the strategies employed in Operation Triangulation can offer valuable guidance. Additionally, finding a balance between system closedness and accessibility may contribute to an enhanced security posture,” comments Boris Larin, Principal Security Researcher at Kaspersky’s GReAT.
While Kaspersky’s victims include company’s top and middle management as well as researchers based in Russia, Europe and META, the company was not the only target of the attack.
Alongside the publication of the report and the development of a specialized triangle_check utility, GReAT experts established an email address so any interested party could contribute to the investigation. As a result, company researchers received confirmation of instances where individuals had fallen prey to Operation Triangulation and they provided those victims with the guidance on enhancing their security.
“Securing systems from advanced cyberattacks is not an easy task, and it is even more complicated in closed systems such as iOS. That is why it is so important to implement multi-layered security measures to detect and prevent such attacks,” comments Igor Kuznetsov, Director at Kaspersky’s Global Research and Analysis Team.
To learn more about Operation Triangulation, visit Securelist.com. Kaspersky will shed light on more technical details in the near future, providing detailed descriptions of its analysis on the website.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
Regularly update your operating system, applications, and antivirus software to patch any known vulnerabilities.
Be cautious of emails, messages, or calls asking for sensitive information. Verify the sender’s identity before sharing any personal details or clicking on suspicious links.
Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.