Apple squashes kernel bug used by TriangleDB spyware


Whoever is infecting people's iPhones with the TriangleDB spyware may be targeting macOS computers with similar malware, according to Kaspersky researchers.

In the security shop's ongoing study of the smartphone snooping campaign – during which attackers exploit a kernel vulnerability to gain root privileges and install TriangleDB on victims' handsets – Kaspersky analysts uncovered 24 commands provided by the malware that can be used for a range of illicit activities, everything from stealing data, to tracking the victim's geolocation, to terminating processes.

TriangleDB is the mystery spyware that Kaspersky found running on its own management's devices.

The analysts also spotted a method named populateWithFieldsMacOSOnly in the class CRConfig, which is used to store the implant's configuration. That function isn't used when the code is deployed on a target's iPhone, though it suggests there is a macOS version or build of the spyware, we're told.

"This method is not called anywhere in the iOS implant; however, its existence means that macOS devices can also be targeted with a similar implant," Georgy Kucherin, Leonid Bezvershenko, and Igor Kuznetsov wrote in research published today.

Also today, Apple pushed software updates to fix the kernel vulnerability uncovered by the Kaspersky researchers during their TriangleDB analysis. The updates patch CVE-2023-32434 across almost every iPhone and iPad model as well as Apple Watch Series 3 and later, and computers running macOS Ventura, Monterey, and Big Sur.

Apple credits Kucherin, Bezvershenko, and Kuznetsov with finding the flaw, and the release notes acknowledge that "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7."

While Kaspersky's initial study of the spyware campaign found no indication of the exploit successfully compromising devices running versions of iOS since iOS 15.7, a deeper dive into the exploitation chain found that the later stages of the exploit process still worked.

Today's fixes ensure that those later stages can't be used in separate attacks, according to an Apple spokesperson. The patches also address another vulnerability: a flaw in WebKit (CVE-2023-32439) in iOS and macOS that was reported by an anonymous source and may have been exploited in the wild, too.

Interestingly enough, Apple's updates additionally close CVE-2023-32435, another exploited code-execution hole in WebKit that was reported by the Kaspersky trio but isn't mentioned in their write-up; only the kernel bug was referenced.

Operation Triangulation

Kaspersky said on June 1 it discovered TriangleDB, a previously unknown spyware, on "several dozen" iPhones belonging to the Russian infosec giant's top and middle management. It dubbed the espionage campaign Operation Triangulation.

Also on June 1, Russian intelligence accused American snoops and Apple of working together to backdoor iPhones to spy on "thousands" of diplomats worldwide. The Kremlin's Federal Security Service (FSB) provided no proof alongside these allegations. At the time, a Kaspersky spokesperson told The Register it was aware of the FSB's claims, but couldn't say if the two things — America allegedly backdooring iPhones, and the spyware found on several Kaspersky devices — were linked.

Since the first Triangulation report, Kaspersky has released a triangle_check utility that automatically searches a device for infections by the snoopware.


Today's research follows a six-month investigation into the operation as well as a deep study of the exploitation chain.

When asked if the implant has been detected on iPhones belonging to non-Kaspersky employees, a spokesperson told The Register: "It's important to note that we can only disclose information about those infections detected by us within the attack on Kaspersky employees."

The researchers still haven't attributed the snooping campaign to any particular group or nation. "Judging by the cyberattack characteristics, we're unable to link this cyberespionage campaign to any existing threat actor," the spokesperson added.

Here's what the team uncovered about TriangleDB.

Deep dive into TriangleDB

As they discussed previously, exploitation starts with an iMessage containing a malicious attachment; simply receiving that message is enough to infect a vulnerable iOS device. The message's payload is designed to ultimately exploit a kernel-level security hole to gain root privileges, allowing complete control over the system. The code appears to be written in Objective-C.

The code deploys the TriangleDB spyware in memory, so the snoops have to reinfect a target device if the victim reboots their iPhone. If there's no reboot, the implant removes itself after 30 days unless the attacker extends it.

After it launches, the malware begins communicating with a command-and-control server using the Protobuf library. All messages are encrypted with 3DES and RSA and sent over HTTPS connections.

The implant sends heartbeat pings to the C2 server with system information, and the server responds to these messages with commands, each of which has a name starting with CRX.

Kaspersky's researchers analyzed two dozen of these commands, and said they can be used to make the spyware interact with processes and the filesystem to create and remove files. These commands can also monitor the iPhone's geolocation and dump a victim's keychain items, which allows attackers to harvest credentials. Plus, they can run additional modules, which, again, are only stored in memory.

It's also worth noting that the implant requests multiple permissions from the operating system, and some of these are not used in the code. This includes access to the device's camera, microphone and address book, along with permission to interact with other devices via Bluetooth.

Kaspersky says this likely means that these functionalities are implemented in modules. ®