Headline
Most Sophisticated iPhone Hack Ever Exploited Apple's Hidden Hardware Feature
The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company. Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as
Spyware / Hardware Security
The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company.
Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as the “most sophisticated attack chain” it has ever observed to date. The campaign is believed to have been active since 2019.
The exploitation activity involved the use of four zero-day flaws that were fashioned into a chain to obtain an unprecedented level of access and backdoor target devices running iOS versions up to iOS 16.2 with the ultimate goal of gathering sensitive information.
UPCOMING WEBINAR
From USER to ADMIN: Learn How Hackers Gain Full Control
Discover the secret tactics hackers use to become admins, how to detect and block it before it’s too late. Register for our webinar today.
Join Now
The starting point of the zero-click attack is an iMessage bearing a malicious attachment, which is automatically processed sans any user interaction to ultimately obtain elevated permissions and deploy a spyware module. Specifically, it involves the weaponization of the following vulnerabilities -
- CVE-2023-41990 - A flaw in the FontParser component that could lead to arbitrary code execution when processing a specially crafted font file, which is sent via iMessage. (Addressed in iOS 15.7.8 and iOS 16.3)
- CVE-2023-32434 - An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges. (Addressed in iOS 15.7.7, iOS 15.8, and iOS 16.5.1 )
- CVE-2023-32435 - A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content. (Addressed in iOS 15.7.7 and iOS 16.5.1)
- CVE-2023-38606 - An issue in the kernel that permits a malicious app to modify sensitive kernel state. (Addressed in iOS 16.6)
It’s worth noting that patches for CVE-2023-41990 were released by Apple in January 2023, although details about the exploitation were only made public by the company on September 8, 2023, the same day it shipped iOS 16.6.1 to resolve two other flaws (CVE-2023-41061 and CVE-2023-41064) that were actively abused in connection with a Pegasus spyware campaign.
This also brings the tally of the number of actively exploited zero-days resolved by Apple since the start of the year to 20.
Of the four vulnerabilities, CVE-2023-38606 deserves a special mention as it facilitates a bypass of hardware-based security protection for sensitive regions of the kernel memory by leveraging memory-mapped I/O (MMIO) registers, a feature that was never known or documented until now.
The exploit, in particular, targets Apple A12-A16 Bionic SoCs, singling out unknown MMIO blocks of registers that belong to the GPU coprocessor. It’s currently not known how the mysterious threat actors behind the operation learned about its existence. Also unclear is whether it was developed by Apple or it’s a third-party component like ARM CoreSight.
To put it in another way, CVE-2023-38606 is the crucial link in the exploit chain that’s closely intertwined with the success of the Operation Triangulation campaign, given the fact that it permits the threat actor to gain total control of the compromised system.
“Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake,” security researcher Boris Larin said. “Because this feature is not used by the firmware, we have no idea how attackers would know how to use it.”
“Hardware security very often relies on ‘security through obscurity,’ and it is much more difficult to reverse-engineer than software, but this is a flawed approach, because sooner or later, all secrets are revealed. Systems that rely on “security through obscurity” can never be truly secure.”
The development comes as the Washington Post reported that Apple’s warnings in late October about Indian journalists and opposition politicians may have been targeted by state-sponsored spyware attacks prompted the government to question the veracity of the claims and describe them as a case of “algorithmic malfunction” within the tech giant’s systems.
In addition, senior administration officials demanded that the company soften the political impact of the warnings and pressed the company to provide alternative explanations as to why the warnings may have been sent. So far, India has neither confirmed nor denied using spyware such as those by NSO Group’s Pegasus.
Citing people with knowledge of the matter, the Washington Post noted that “Indian officials asked Apple to withdraw the warnings and say it had made a mistake,” and that “Apple India’s corporate communications executives began privately asking Indian technology journalists to emphasize in their stories that Apple’s warnings could be false alarms” to shift the spotlight away from the government.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses. The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution.
By Deeba Ahmed Triangulation of Terror: Inside the Most Sophisticated iPhone Spyware Campaign Ever Seen. This is a post from HackRead.com Read the original post: iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers
Categories: Exploits and vulnerabilities Categories: News Tags: iLeakage Tags: side-channel Tags: Safari Tags: CVE-2023-40413 Tags: CVE-2023-40416 Tags: CVE-2023-40423 Tags: CVE-2023-42487 Tags: CVE-2023-42841 Tags: CVE-2023-41982 Tags: CVE-2023-41997 Tags: CVE-2023-41988 Tags: CVE-2023-40447 Tags: CVE-2023-42852 Tags: CVE-2023-32434 Tags: CVE-2023-41989 Tags: CVE-2023-38403 Tags: CVE-2023-42856 Tags: CVE-2023-40404 Tags: CVE-2023-41977 Tags: Vim Apple has released security updates for its phones, iPads, Macs, watches and TVs. (Read more...) The post Update now! Apple patches a raft of vulnerabilities appeared first on Malwarebytes Labs.
Apple Security Advisory 10-25-2023-3 - iOS 15.8 and iPadOS 15.8 addresses code execution and integer overflow vulnerabilities.
The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location. The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed Operation Triangulation, went to conceal and cover up
The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location. The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed Operation Triangulation, went to conceal and cover up
Categories: Android Categories: Apple Categories: Exploits and vulnerabilities Tags: Pegasus Tags: spyware Tags: nso Tags: webp Tags: libwebp Tags: buffer overflow The company behind the infamous Pegasus spyware used a vulnerability in almost every browser to plant their malware on victim's devices. (Read more...) The post Pegasus spyware and how it exploited a WebP vulnerability appeared first on Malwarebytes Labs.
Apple has released yet another round of security patches to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari, taking the total tally of zero-day bugs discovered in its software this year to 16. The list of security vulnerabilities is as follows - CVE-2023-41991 - A certificate validation issue in the Security framework that could allow a
Apple has released yet another round of security patches to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari, taking the total tally of zero-day bugs discovered in its software this year to 16. The list of security vulnerabilities is as follows - CVE-2023-41991 - A certificate validation issue in the Security framework that could allow a
Apple Security Advisory 2023-09-11-3 - macOS Big Sur 11.7.10 addresses buffer overflow and code execution vulnerabilities.
Apple Security Advisory 2023-09-11-2 - macOS Monterey 12.6.9 addresses buffer overflow and code execution vulnerabilities.
Apple Security Advisory 2023-09-11-1 - iOS 15.7.9 and iPadOS 15.7.9 addresses buffer overflow and code execution vulnerabilities.
Google on Monday rolled out out-of-band security patches to address a critical security flaw in its Chrome web browser that it said has been exploited in the wild. Tracked as CVE-2023-4863, the issue has been described as a case of heap buffer overflow that resides in the WebP image format that could result in arbitrary code execution or a crash. Apple Security Engineering and Architecture (SEAR
Categories: Exploits and vulnerabilities Categories: News Tags: Blastpass Tags: citizenlab Tags: pegasus Tags: nso Tags: cisa Tags: apple Tags: cve-2023-41064 Tags: cve-2023-41061 Tags: buffer overflow CISA has added two recently discovered Apple vulnerabilities to its catalog of known exploited vulnerabilities. (Read more...) The post Two Apple issues added by CISA to its catalog of known exploited vulnerabilities appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Tags: Blastpass Tags: citizenlab Tags: pegasus Tags: nso Tags: cisa Tags: apple Tags: cve-2023-41064 Tags: cve-2023-41061 Tags: buffer overflow CISA has added two recently discovered Apple vulnerabilities to its catalog of known exploited vulnerabilities. (Read more...) The post Two Apple issues added by CISA to its catalog of known exploited vulnerabilities appeared first on Malwarebytes Labs.
This issue was addressed with improved state management of S/MIME encrypted emails. This issue is fixed in macOS Monterey 12.6.8. A S/MIME encrypted email may be inadvertently sent unencrypted.
Apple Security Advisory 2023-09-07-3 - watchOS 9.6.2 addresses a malicious attachment vulnerability that could be used to execute arbitrary code.
Apple Security Advisory 2023-09-07-2 - iOS 16.6.1 and iPadOS 16.6.1 addresses buffer overflow and code execution vulnerabilities.
Apple Security Advisory 2023-09-07-2 - iOS 16.6.1 and iPadOS 16.6.1 addresses buffer overflow and code execution vulnerabilities.
Apple Security Advisory 2023-09-07-1 - macOS Ventura 13.5.2 addresses buffer overflow and code execution vulnerabilities.
Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware. The issues are described as below - CVE-2023-41061 - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment. CVE-2023-41064
Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware. The issues are described as below - CVE-2023-41061 - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment. CVE-2023-41064
Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware. The issues are described as below - CVE-2023-41061 - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment. CVE-2023-41064
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
A validation issue was addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Ubuntu Security Notice 6264-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A user may be able to elevate privileges.
This issue was addressed with improved state management. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Monterey 12.6.8, tvOS 16.6, watchOS 9.6, macOS Ventura 13.5, iOS 15.7.8 and iPadOS 15.7.8. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.6.8, macOS Ventura 13.5, macOS Big Sur 11.7.9. Processing a file may lead to unexpected app termination or arbitrary code execution.
The issue was addressed with improvements to the file handling protocol. This issue is fixed in iOS 16.6 and iPadOS 16.6. An app may be able to break out of its sandbox.
Apple Security Advisory 2023-07-24-8 - watchOS 9.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-7 - tvOS 16.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-5 - macOS Monterey 12.6.8 addresses code execution, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-4 - macOS Ventura 13.5 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.
Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild. Tracked as CVE-2023-38606, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management. "
Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild. Tracked as CVE-2023-38606, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management. "
Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild. Tracked as CVE-2023-38606, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management. "
Red Hat Security Advisory 2023-4201-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2023-4202-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32435: A vulnerability was found in webkitgtk. This issue occurs when processing web content, which may lead to arbitrary code execution. * CVE-2023-32439: A vulnerability was found in webkitgtk. This issue occurs when processing maliciously crafted web content, which may lead to arbitrary code execution.
Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.
Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.
Apple's emergency patch, AI-generated art and more security headlines from the past week.
Apple's emergency patch, AI-generated art and more security headlines from the past week.
An integer overflow was addressed with improved input validation. This issue is fixed in watchOS 8.8.1, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, macOS Big Sur 11.7.8, macOS Monterey 12.6.7, macOS Ventura 13.4.1, watchOS 9.5.2. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
The zero-day security bugs are being used to deploy the sophisticated but "odd" TriangleDB spying implant on targeted iOS devices.
Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild. This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the campaign is not known.
Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild. This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the campaign is not known.
Categories: Apple Categories: Exploits and vulnerabilities Categories: News Tags: Apple Tags: kernel webkit Tags: CVE-2023-32434 Tags: CVE-2023-32435 Tags: CVE-2023-32439 Tags: type confusion Tags: integer overflow Tags: operation triangulation Apple has released security updates for several products to address a set of flaws it said were being actively exploited. (Read more...) The post Update now! Apple fixes three actively exploited vulnerabilities appeared first on Malwarebytes Labs.
Categories: Apple Categories: Exploits and vulnerabilities Categories: News Tags: Apple Tags: kernel webkit Tags: CVE-2023-32434 Tags: CVE-2023-32435 Tags: CVE-2023-32439 Tags: type confusion Tags: integer overflow Tags: operation triangulation Apple has released security updates for several products to address a set of flaws it said were being actively exploited. (Read more...) The post Update now! Apple fixes three actively exploited vulnerabilities appeared first on Malwarebytes Labs.