Headline
iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers
By Deeba Ahmed Triangulation of Terror: Inside the Most Sophisticated iPhone Spyware Campaign Ever Seen. This is a post from HackRead.com Read the original post: iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers
The findings came as part of Operation Triangulation, months after Kaspersky discovered that their employees’ iPhones had been hacked by spyware.
Kaspersky Global Research and Analysis Team (GReAT) has discovered an obscure hardware feature likely exploited by hackers during spyware attacks against iPhone users.
The attacks were part of an APT campaign dubbed Operation Triangulation, which has been active since 2019, targeting iOS devices Using zero-click exploits via iMessage, allowing attackers to gain control and access user data. It was discovered by Kaspersky this summer.
The yet publicly undocumented feature is a part of Apple’s system-on-a-chip (SoC) and was probably included in the iPhone for debugging or testing purposes by Apple engineers, or added in the final consumer version mistakenly. Nevertheless, it allowed attackers to bypass protections and hijack devices in attacks targeting Kaspersky senior employees’ iPhones.
The research into Operation Triangulation was conducted by the cybersecurity vendor, Kaspersky. It is worth noting that the operation kicked off when Kaspersky researchers identified that their employees’ iPhones were hacked by spyware.
On December 27, 2023, the company shared the findings in a presentation titled “Operation Triangulation: What You Get When Attack iPhones of Researchers” at the 37th Chaos Communication Congress held in Hamburg and published in a report authored by Boris Larin.
During the presentation, researchers explained that multiple iOS zero-day vulnerabilities (including an RCE issue in Apple’s ADJUST TrueType font instruction CVE-2023-41990 and CVE-2023-38606, a bypass of hardware-based security protections) were exploited to execute code and install a stealthy spyware implant, known as TriangleDB.
These vulnerabilities were used to target iPhones running iOS versions up to iOS 16.6. The most critical of these was CVE-2023-38606 for allowing a JavaScript exploit to bypass the Page Protection Layer.
The attackers used malicious iMessage attachments to exploit a remote code execution zero-day and deploy TriangleDB without user interaction. The infection chain involved multiple checks and log-erasing actions to prevent malware identification. Researchers discovered new attacks/exploits daily, calling it the most sophisticated chain of attack they had ever witnessed.
“We have discovered and reported more than thirty in-the-wild zero-days in Adobe, Apple, Google, and Microsoft products, but this is the most sophisticated attack chain we have ever seen.”
Kaspersky – GReAT
The obscure feature allowed overriding of hardware-based security to protect the kernel, the core part of an operating system. Attackers could then write data to a specific physical address while “bypassing hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware.”
The attackers exploited MMIO registers from the GPU coprocessor, bypassing Apple’s DeviceTree ranges to write to memory, bypass protections, and achieve RCE.
Correlation of the gfx-asc MMIO ranges and the addresses used by the exploit (Kaspersky)
Apple responded by releasing security updates to address four zero-day vulnerabilities impacting various Apple products: CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, and CVE-2023-41990.
However, there are still many unanswered questions, such as the purpose of this feature, how attackers learned to use it considering that the firmware didn’t use it and whether it was developed by Apple or a third-party component like ARM CoreSight.
****RELATED ARTICLES****
- Hackers Targeting Apple’s M1 Chip with Mac Malware
- Turns out iPhone 5c can be hacked with a $100 hardware
- Apple Safari Safest, Google Chrome Riskiest Browser – Study
- Apple Bug bounty: Earn big for hacking iPhone, other products
- iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser
Related news
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution.
The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company. Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as
Categories: Exploits and vulnerabilities Categories: News Tags: iLeakage Tags: side-channel Tags: Safari Tags: CVE-2023-40413 Tags: CVE-2023-40416 Tags: CVE-2023-40423 Tags: CVE-2023-42487 Tags: CVE-2023-42841 Tags: CVE-2023-41982 Tags: CVE-2023-41997 Tags: CVE-2023-41988 Tags: CVE-2023-40447 Tags: CVE-2023-42852 Tags: CVE-2023-32434 Tags: CVE-2023-41989 Tags: CVE-2023-38403 Tags: CVE-2023-42856 Tags: CVE-2023-40404 Tags: CVE-2023-41977 Tags: Vim Apple has released security updates for its phones, iPads, Macs, watches and TVs. (Read more...) The post Update now! Apple patches a raft of vulnerabilities appeared first on Malwarebytes Labs.
Apple Security Advisory 10-25-2023-3 - iOS 15.8 and iPadOS 15.8 addresses code execution and integer overflow vulnerabilities.
The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location. The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed Operation Triangulation, went to conceal and cover up
The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location. The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed Operation Triangulation, went to conceal and cover up
This issue was addressed with improved state management of S/MIME encrypted emails. This issue is fixed in macOS Monterey 12.6.8. A S/MIME encrypted email may be inadvertently sent unencrypted.
This issue was addressed with improved state management of S/MIME encrypted emails. This issue is fixed in macOS Monterey 12.6.8. A S/MIME encrypted email may be inadvertently sent unencrypted.
Ubuntu Security Notice 6264-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.6.8, macOS Ventura 13.5, macOS Big Sur 11.7.9. Processing a file may lead to unexpected app termination or arbitrary code execution.
The issue was addressed with improvements to the file handling protocol. This issue is fixed in iOS 16.6 and iPadOS 16.6. An app may be able to break out of its sandbox.
This issue was addressed with improved state management. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Monterey 12.6.8, tvOS 16.6, watchOS 9.6, macOS Ventura 13.5, iOS 15.7.8 and iPadOS 15.7.8. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
Apple Security Advisory 2023-07-24-8 - watchOS 9.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-7 - tvOS 16.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-6 - macOS Big Sur 11.7.9 addresses code execution, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-4 - macOS Ventura 13.5 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.
Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild. Tracked as CVE-2023-38606, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management. "
Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild. Tracked as CVE-2023-38606, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management. "
Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild. Tracked as CVE-2023-38606, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management. "
Categories: Exploits and vulnerabilities Categories: News Tags: Apple Tags: WebKit Tags: CVE-2023-38606 Tags: CVE-2023-32409 Tags: CVE-2023-37450 Tags: CVE-2023-32416 Apple has released security updates for several products to address several serious vulnerabilities including some actively exploited zero-days. (Read more...) The post Update now! Apple fixes several serious vulnerabilities appeared first on Malwarebytes Labs.
Red Hat Security Advisory 2023-4201-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2023-4202-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32435: A vulnerability was found in webkitgtk. This issue occurs when processing web content, which may lead to arbitrary code execution. * CVE-2023-32439: A vulnerability was found in webkitgtk. This issue occurs when processing maliciously crafted web content, which may lead to arbitrary code execution.
Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.
Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.
Apple's emergency patch, AI-generated art and more security headlines from the past week.
Apple's emergency patch, AI-generated art and more security headlines from the past week.
The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel
The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel
An integer overflow was addressed with improved input validation. This issue is fixed in watchOS 8.8.1, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, macOS Big Sur 11.7.8, macOS Monterey 12.6.7, macOS Ventura 13.4.1, watchOS 9.5.2. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
The zero-day security bugs are being used to deploy the sophisticated but "odd" TriangleDB spying implant on targeted iOS devices.
Categories: Apple Categories: Exploits and vulnerabilities Categories: News Tags: Apple Tags: kernel webkit Tags: CVE-2023-32434 Tags: CVE-2023-32435 Tags: CVE-2023-32439 Tags: type confusion Tags: integer overflow Tags: operation triangulation Apple has released security updates for several products to address a set of flaws it said were being actively exploited. (Read more...) The post Update now! Apple fixes three actively exploited vulnerabilities appeared first on Malwarebytes Labs.
Categories: Apple Categories: Exploits and vulnerabilities Categories: News Tags: Apple Tags: kernel webkit Tags: CVE-2023-32434 Tags: CVE-2023-32435 Tags: CVE-2023-32439 Tags: type confusion Tags: integer overflow Tags: operation triangulation Apple has released security updates for several products to address a set of flaws it said were being actively exploited. (Read more...) The post Update now! Apple fixes three actively exploited vulnerabilities appeared first on Malwarebytes Labs.