CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 9.8 High
Confidence: High

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.003 Low
Percentile: 67.8%
The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company.
Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as the "most sophisticated attack chain" it has ever observed. The campaign is believed to have been active since 2019.
Operation Triangulation gets its name from the use of canvas fingerprinting, a fingerprinting technique that draws a yellow triangle on a pink background using the Web Graphics Library (WebGL) in the device's memory.
The exploitation activity involved the use of four zero-day flaws that were fashioned into a chain to obtain an unprecedented level of access and backdoor target devices running iOS versions up to iOS 16.2 with the ultimate goal of gathering sensitive information.
The starting point of the zero-click attack is an iMessage bearing a malicious attachment, which is automatically processed without any user interaction to ultimately obtain elevated permissions and deploy a spyware module. Specifically, it involves the weaponization of the following vulnerabilities -
It's worth noting that patches for CVE-2023-41990 were released by Apple in January 2023, although details about the exploitation were only made public by the company on September 8, 2023, the same day it shipped iOS 16.6.1 to resolve two other flaws (CVE-2023-41061 and CVE-2023-41064) that were actively abused in connection with a Pegasus spyware campaign.
This also brings the tally of the number of actively exploited zero-days resolved by Apple since the start of the year to 20.
While it was initially believed that the infection sequence also incorporated CVE-2022-46690, Kaspersky has since determined that this is not the case. CVE-2022-46690 is a high-severity out-of-bounds write issue in IOMobileFrameBuffer that could be weaponized by a rogue app to execute arbitrary code with kernel privileges. It was fixed by Apple in December 2022.
"Quite soon, we realized that the kernel vulnerability exploited in this attack was not CVE-2022-46690, but a previously unknown zero-day," Kaspersky told The Hacker News. "We shared all the information with Apple, which led to the resolution of not just one, but four zero-day vulnerabilities."
Of the four vulnerabilities, CVE-2023-38606 deserves a special mention as it facilitates a bypass of hardware-based security protection for sensitive regions of the kernel memory by leveraging memory-mapped I/O (MMIO) registers, a feature that was never known or documented until now.
The exploit, in particular, targets Apple A12-A16 Bionic SoCs, singling out unknown MMIO blocks of registers that belong to the GPU coprocessor. It's currently not known how the mysterious threat actors behind the operation learned of its existence. Also unclear is whether it was developed by Apple or whether it is a third-party component like ARM CoreSight.
To put it another way, CVE-2023-38606 is the crucial link in the exploit chain on which the success of the Operation Triangulation campaign depends, given that it permits the threat actor to gain total control of the compromised system.
"Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake," security researcher Boris Larin said. "Because this feature is not used by the firmware, we have no idea how attackers would know how to use it."
"Hardware security very often relies on 'security through obscurity,' and it is much more difficult to reverse-engineer than software, but this is a flawed approach, because sooner or later, all secrets are revealed. Systems that rely on 'security through obscurity' can never be truly secure."
The development comes as the Washington Post reported that Apple's warnings in late October about how Indian journalists and opposition politicians may have been targeted by state-sponsored spyware attacks prompted the government to question the veracity of the claims and describe them as a case of "algorithmic malfunction" within the tech giant's systems.
In addition, senior administration officials demanded that the company soften the political impact of the warnings and pressed the company to provide alternative explanations as to why the warnings may have been sent. So far, India has neither confirmed nor denied using spyware such as NSO Group's Pegasus.
But Amnesty International said that it found "traces of Pegasus spyware activity" on iPhones of prominent journalists in India, stating "despite repeated revelations, there has been a shameful lack of accountability about the use of Pegasus spyware in India which only intensifies the sense of impunity over these human rights violations."
Citing people with knowledge of the matter, the Washington Post noted that "Indian officials asked Apple to withdraw the warnings and say it had made a mistake," and that "Apple India's corporate communications executives began privately asking Indian technology journalists to emphasize in their stories that Apple's warnings could be false alarms" to shift the spotlight away from the government.
(The story was updated after publication to include additional commentary from Kaspersky.)