Kaspersky's Employees Trojanized in Targeted Attack via iPhones

plat · Jun 1, 2023

Our experts have discovered an extremely complex, professional targeted cyberattack that uses Apple’s mobile devices. The purpose of the attack is the inconspicuous placing of spyware into the iPhones of employees of at least our company – both middle and top management.

The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on a device and installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. The spyware then quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device.

The article further states that Kaspersky is not the "main target" of the attack, that it involves exploiting IPhones in general. K promises updates on this matter in the future.

Original source

plat · Jun 1, 2023

More news as this develops. The Russian government has now reportedly accused the United States of targeting Russian IPhones in order to install spyware via the Triangulation Trojan. The link to the "official" declaration is in the Tweet and since there's a red stroke thru the padlock signifying an insecure site, I'm not linking it directly. If not Russian-speaking, you will have to translate the page to whichever language you speak/read from Russian.

I have partially translated the text already and will leave it to your discretion as to how to take this.

R3j3ct · Jun 1, 2023

Russia says US hacked thousands of iPhones in iOS zero-click attacks

Russian cybersecurity firm Kaspersky says some iPhones on its network were hacked using an iOS vulnerability that installed malware via iMessage zero-click exploits. Russia blames these attacks on US intelligence agencies.

www.bleepingcomputer.com

vtqhtr413 · Jun 1, 2023

Apple is denying claims made by Russia's Federal Security Service (FSB) that it cooperated with American spies to surveil Russian iPhone users. From a report:In a statement, the company said it has "never worked with any government to insert a backdoor into any apple product and never will."

Apple Denies Surveillance Claims Made By Russia's FSB - Slashdot

Apple is denying claims made by Russia's Federal Security Service (FSB) that it cooperated with American spies to surveil Russian iPhone users. From a report: In a statement, the company said it has "never worked with any government to insert a backdoor into any apple product and never will."...

apple.slashdot.org

MuzzMelbourne · Jun 1, 2023

Mmmmm, big on jingoism, no mention of iOS version, Apple's response, or if its an issue after the latest iOS Rapid Security Response.

More information please Eugene...

Ahhh, now I see what's going on...

“Clickless” iOS exploits infect Kaspersky iPhones with never-before-seen malware

“Operation Triangulation” stole mic recordings, photos, geolocation, and more.

arstechnica.com

Russian government accuses Apple of colluding with NSA in iPhone spy operation

A Russian intelligence agency said thousands of iPhones were infected in an operation that shows "cooperation" between Apple and the NSA.

cyberscoop.com

Zero Knowledge · Jun 1, 2023

A one click zero-day invisible attachment iMessage exploit? That's pretty wild. Now that must have been a $2,000,000 exploit.

MuzzMelbourne · Jun 1, 2023

Zero Knowledge said:
A one click zero-day invisible attachment iMessage exploit?

Another headline you wouldn't see ten years ago?

Trident · Jun 1, 2023

These 0-day, 0-click vulnerabilities, mainly in components like Safari’s Web Kit, iMessage and last but not least, FaceTime are becoming more and more widespread. And more serious. Even though Apple releases all sorts of updates, including Rapid Security Response (announced last June and only 1 delivered with a ton of issues), various vulnerabilities still hinder unfixed.
Is Apple going to become one of these old money and old glory companies? Seems that way to me.

Zero Knowledge · Jun 1, 2023

MuzzMelbourne said:
Another headline you wouldn't see ten years ago?

Makes you wonder, doesn't it? The amount of research and development to get a exploit like this to work would be in the millions.

Even Apple with billions of dollars in R&D and huge security team missed this. Now it's a question of who else is vulnerable to such exploits?

Brahman · Jun 1, 2023

Zero Knowledge said:
Makes you wonder, doesn't it? The amount of research and development to get a exploit like this to work would be in the millions.

Even Apple with billions of dollars in R&D and huge security team missed this. Now it's a question of who else is vulnerable to such exploits?

Everyone whom CIA is interested in. It's not going to stop.

MuzzMelbourne · Jun 2, 2023

Brahman said:
Everyone whom CIA is interested in...

You know you're old and useless when you're fairly certain this doesn't apply to you...

upnorth · Jun 2, 2023

Nothing new under the sun either with Apple 0-days or that vendor employees gets hacked/breached in one way or the other, but interesting to hear " again " how effective Kaspersky is catching some creations. Then on the other hand, in this specific case it was always out of reach for normal peasants anyway:

the infection was detected by the Kaspersky Unified Monitoring and Analysis Platform (KUMA) – a native SIEM solution

and if it's actually is NSA, I doubt they worry much as their toolbox is way way deeper then just malware. Fair warning, it's a rabbit-hole extraordinaire.

https://www.nsa.gov/Portals/75/documents/what-we-do/research/technology-transfer/TTP%20Patent%20Portfolio%20v6.pdf

The analysis of the final payload is not finished yet.

Operation Triangulation: iOS devices targeted with previously unknown malware

While monitoring the traffic of our own corporate Wi-Fi network, we noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices, inspected them and discovered traces of...

securelist.com

Gandalf_The_Grey · Jun 2, 2023

In search of the Triangulation: triangle_check utility

In our initial blogpost about “Operation Triangulation”, we published a comprehensive guide on how to manually check iOS device backups for possible indicators of compromise using MVT. This process takes time and requires manual search for several types of indicators. To automate this process, we developed a dedicated utility to scan the backups and run all the checks. For Windows and Linux, this tool can be downloaded as a binary build, and for MacOS it can be simply installed as a Python package.

Tool to find the Operation Triangulation traces

We developed a dedicated utility to scan the iOS backups and run all the checks for Operation Triangulation indicators

securelist.com

SeriousHoax · Jun 2, 2023

upnorth · Dec 28, 2023

the infections were delivered in iMessage texts that installed malware through a complex exploit chain without requiring the receiver to take any action.

With that, the devices were infected with full-featured spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers. Although infections didn’t survive a reboot, the unknown attackers kept their campaign alive simply by sending devices a new malicious iMessage text shortly after devices were restarted.

Besides affecting iPhones, these critical zero-days and the secret hardware function resided in Macs, iPods, iPads, Apple TVs, and Apple Watches. What’s more, the exploits Kaspersky recovered were intentionally developed to work on those devices as well. Apple has patched those platforms as well.

The most intriguing new detail is the targeting of the heretofore-unknown hardware feature, which proved to be pivotal to the Operation Triangulation campaign. A zero-day in the feature allowed the attackers to bypass advanced hardware-based memory protections designed to safeguard device system integrity even after an attacker gained the ability to tamper with memory of the underlying kernel. On most other platforms, once attackers successfully exploit a kernel vulnerability they have full control of the compromised system.

On Apple devices equipped with these protections, such attackers are still unable to perform key post-exploitation techniques such as injecting malicious code into other processes, or modifying kernel code or sensitive kernel data. This powerful protection was bypassed by exploiting a vulnerability in the secret function. The protection, which has rarely been defeated in exploits found to date, is also present in Apple’s M1 and M2 CPUs.

4-year campaign backdoored iPhones using possibly the most advanced exploit ever

“Triangulation” infected dozens of iPhones belonging to employees of Moscow-based Kaspersky.

arstechnica.com

Operation Triangulation: The last (hardware) mystery

Recent iPhone models have additional hardware-based security protection for sensitive regions of the kernel memory. We discovered that to bypass this hardware-based security protection, the attackers used another hardware feature of Apple-designed SoCs.

securelist.com

vtqhtr413 · Dec 28, 2023

From the securelist.com article in @ upnorth's post.

Conclusion
This is no ordinary vulnerability, and we have many unanswered questions. We do not know how the attackers learned to use this unknown hardware feature or what its original purpose was. Neither do we know if it was developed by Apple or it’s a third-party component like ARM CoreSight. What we do know—and what this vulnerability demonstrates—is that advanced hardware-based protections are useless in the face of a sophisticated attacker as long as there are hardware features that can bypass those protections.

Hardware security very often relies on “security through obscurity”, and it is much more difficult to reverse-engineer than software, but this is a flawed approach, because sooner or later, all secrets are revealed. Systems that rely on “security through obscurity” can never be truly secure. We are almost done reverse-engineering every aspect of this attack chain, and we will be releasing a series of articles next year detailing each vulnerability and how it was exploited. However, there are certain aspects to one particular vulnerability that we have not been able to fully understand, the mystery of the CVE-2023-38606 vulnerability.

Operation Triangulation: The last (hardware) mystery

Recent iPhone models have additional hardware-based security protection for sensitive regions of the kernel memory. We discovered that to bypass this hardware-based security protection, the attackers used another hardware feature of Apple-designed SoCs.

securelist.com

What insites could US intelligence agencies acquire from Kaspersky that would justify the risks involved, doesn't add up to me

nicolaasjan · Dec 28, 2023

upnorth said:
and if it's actually is NSA, I doubt they worry much as their toolbox is way way deeper then just malware. Fair warning, it's a rabbit-hole extraordinaire.
https://www.nsa.gov/Portals/75/documents/what-we-do/research/technology-transfer/TTP%20Patent%20Portfolio%20v6.pdf

Who here dares to open a pdf from the NSA?

Sandbox Breaker - DFIR · Dec 28, 2023

IOS is inherently much less secure then Google Pixel Line. There is a resin why we bring Chromebooks and pixels to Defcon. There's a reason why Russia banned iPhones for govt use. When will everyone else see the signs. Stop falling for apples tricks and marketing. It's a Communist platform which China also loves. Any new staff of mine receive a managed pixel 8 and Chromebook enterprise. If not then gtfoh

nicolaasjan · Dec 28, 2023

Kaspersky's Employees Trojanized in Targeted Attack via iPhones

Level 29

Level 29

Level 1

Level 27

Level 15

Level 21

Level 15

Level 34

Level 21

Level 19

Level 15

Level 68

Level 85

Level 51

Level 68

Level 27

Level 5

Level 12

Level 5

Similar threads