Kaspersky: Apple Patches Exploits Used in Spy Campaign ‘Operation Triangulation’

Apple has released patches for two zero-days exploited in a spyware campaign that the Russian government has blamed on the U.S.

The campaign, dubbed Operation Triangulation, was publicized by the Moscow-based cybersecurity company Kaspersky in early June after the malware was detected on iPhones within its network, as well as on Wednesday in new research describing how the spyware behaves. It has been active since 2019 and attacks its targets by sending iMessages with malicious attachments.

Kaspersky researchers discovered a kernel and WebKit vulnerabilities during the investigation of the Operation Triangulation attack reported earlier this month. The team proactively collaborated with the Apple Security Research team by sharing information about the attack and reporting the exploits.

As of now, Apple has publicly confirmed them as zero-day vulnerabilities that received the designation of CVE-2023-32434 and CVE-2023-32435 respectively, and announced the patching of those as part of the Security Updates release on June 21, 2023.

Apple characterized the exploited vulnerabilities as problems related to memory corruption within the kernel (CVE-2023-32434), which enables an application to execute arbitrary code with kernel privileges, and an issue identified in WebKit (CVE-2023-32435), which allows code execution through web content.

To address these issues the company has rolled out patches in the latest updates of its operating systems iOS 16.5.1, iPadOS 16.5.1, iOS 15.7.7, and iPadOS 15.7.7.

The fixes have been released both for the latest version (iOS 16.5.1) and the original vulnerable version (before iOS 15.7). Apple noted that the attacks have only been seen on devices running iOS versions older than iOS 15.7.

Other than iPhones and iPads, patches for macOS and watchOS were also released.

The spyware used in Operation Triangulation, according to Kaspersky, targeted iPhones via iMessages with a malicious attachment that carried an exploit for an RCE vulnerability.

The code used in the exploit additionally downloads extra elements to acquire root privileges on the targeted device. Once achieved, a spyware implant named TriangleDB, as identified by Kaspersky, is deployed in the device’s memory, and the initial iMessage is erased.

The implant lacks a persistence mechanism, meaning that if the targeted device is restarted, the entire chain of exploitation must be initiated again to re-infect the device.

“If no reboot occurs, the implant will automatically uninstall itself after 30 days, unless the attackers extend this period,” Kaspersky added.

The spyware monitored the infected device for folder changes with names matching specified regular expressions and exfiltrated queued matches. Identified artifacts suggested the threat actor might also be targeting macOS devices with a similar implant, Kaspersky said

“We would like to thank Apple for taking action promptly to address and resolve the identified issues to keep users safe” – Kaspersky said.

June 22, 2023