The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company.
Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as the "most sophisticated attack chain" it has ever observed to date. The campaign is believed to have been active since 2019.
Operation Triangulation gets its name from the use of a fingerprinting technique called canvas fingerprinting to draw a yellow triangle on a pink background with Web Graphics Library (WebGL) in the device’s memory.
The exploitation activity involved the use of four zero-day flaws that were fashioned into a chain to obtain an unprecedented level of access and backdoor target devices running iOS versions up to iOS 16.2 with the ultimate goal of gathering sensitive information.
The starting point of the zero-click attack is an iMessage bearing a malicious attachment, which is automatically processed sans any user interaction to ultimately obtain elevated permissions and deploy a spyware module. Specifically, it involves the weaponization of the following vulnerabilities -
- CVE-2023-41990 - A flaw in the FontParser component that could lead to arbitrary code execution when processing a specially crafted font file, which is triggered via the iMessage PDF attachment. (Addressed in iOS 15.7.8 and iOS 16.3)
- CVE-2023-32434 - An integer overflow vulnerability in the kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges. (Addressed in iOS 15.7.7, iOS 15.8, and iOS 16.5.1 )
- CVE-2023-32435 - A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content. (Addressed in iOS 15.7.7 and iOS 16.5.1)
- CVE-2023-38606 - An issue in the kernel that permits a malicious app to modify sensitive kernel state. (Addressed in iOS 16.6)
It's worth noting that patches for CVE-2023-41990 were released by Apple in January 2023, although details about the exploitation were only made public by the company on September 8, 2023, the same day it shipped iOS 16.6.1 to resolve two other flaws (CVE-2023-41061 and CVE-2023-41064) that were actively abused in connection with a Pegasus spyware campaign.
This also brings the tally of the number of actively exploited zero-days resolved by Apple since the start of the year to 20.
While it was initially believed that the infection sequence also incorporated CVE-2022-46690, the company has since determined that to be no longer the case. CVE-2022-46690 refers to a high-severity out-of-bounds write issue in IOMobileFrameBuffer that could be weaponized by a rogue app to execute arbitrary code with kernel privileges. It was fixed by Apple in December 2022.
"Quite soon, we realized that the kernel vulnerability exploited in this attack was not CVE-2022-46690, but a previously unknown zero-day," Kaspersky told The Hacker News. "We shared all the information with Apple, which led to the resolution of not just one, but four zero-day vulnerabilities."
Of the four vulnerabilities, CVE-2023-38606 deserves a special mention as it facilitates a bypass of hardware-based security protection for sensitive regions of the kernel memory by leveraging memory-mapped I/O (MMIO) registers, a feature that was never known or documented until now.
The exploit, in particular, targets Apple A12-A16 Bionic SoCs, singling out unknown MMIO blocks of registers that belong to the GPU coprocessor. It's currently not known how the mysterious threat actors behind the operation learned about its existence. Also unclear is whether it was developed by Apple or it's a third-party component like ARM CoreSight.
To put it in another way, CVE-2023-38606 is the crucial link in the exploit chain that's closely intertwined with the success of the Operation Triangulation campaign, given the fact that it permits the threat actor to gain total control of the compromised system.
"Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake," security researcher Boris Larin said. "Because this feature is not used by the firmware, we have no idea how attackers would know how to use it."
"Hardware security very often relies on 'security through obscurity,' and it is much more difficult to reverse-engineer than software, but this is a flawed approach, because sooner or later, all secrets are revealed. Systems that rely on "security through obscurity" can never be truly secure."
The development comes as the Washington Post reported that Apple's warnings in late October about how Indian journalists and opposition politicians may have been targeted by state-sponsored spyware attacks prompted the government to question the veracity of the claims and describe them as a case of "algorithmic malfunction" within the tech giant's systems.
In addition, senior administration officials demanded that the company soften the political impact of the warnings and pressed the company to provide alternative explanations as to why the warnings may have been sent. So far, India has neither confirmed nor denied using spyware such as those by NSO Group's Pegasus.
But Amnesty International said that it found “traces of Pegasus spyware activity” on iPhones of prominent journalists in India, stating “despite repeated revelations, there has been a shameful lack of accountability about the use of Pegasus spyware in India which only intensifies the sense of impunity over these human rights violations.”
Citing people with knowledge of the matter, the Washington Post noted that "Indian officials asked Apple to withdraw the warnings and say it had made a mistake," and that "Apple India's corporate communications executives began privately asking Indian technology journalists to emphasize in their stories that Apple's warnings could be false alarms" to shift the spotlight away from the government.
(The story was updated after publication to include additional commentary from Kaspersky.)