Was it the work of an intelligence agency, or just an APT group burning their 0-day stock? We may never know, but catching up on my news feeds this morning brought this item to my attention, and a discussion on Twitter certainly provides food for thought.
Source: SecurityWeek, The Register, gHacks Tech News
During a complex attack, threat actors exploited a previously unknown hardware feature in Apple’s system-on-a-chip (SoC) to bypass hardware-based security and take control of iPhones belonging to senior Kaspersky employees.
This campaign, named ‘Operation Triangulation’, employed several iOS zero-day vulnerabilities, including a remote code execution (RCE) flaw (CVE-2023-32434), to install the stealthy TriangleDB spyware implant without user interaction.
The most notable of these vulnerabilities, CVE-2023-38606, allowed the JavaScript exploit to bypass the Page Protection Layer (PPL) using hardware memory-mapped I/O (MMIO) registers. Kaspersky’s analysis revealed that the exploited MMIO registers belonged to the GPU coprocessor, which the attackers abused to achieve RCE.
The hardware feature in question was likely intended for debugging, or may have been included by error. It is undocumented, and its obscurity made it hard for Kaspersky’s Global Research and Analysis Team (GReAT) to detect and analyze this attack vector. The vulnerability, patched in July 2023, affected iPhones running iOS versions up to 16.6.
Exploiting this hardware feature allowed the malware to bypass hardware-based memory protection and manipulate protected memory regions; it was critical to the ‘Operation Triangulation’ campaign, enabling attackers to take control of targeted devices and deploy spyware. Researchers had to reverse-engineer the device extensively to uncover the vulnerability, focusing on the MMIO addresses used for communication between the CPU and other devices.
The campaign compromised users for about four years, starting in 2019, allowing threat actors to spy on victims’ photos, location, etc. The initial vector was a malicious iMessage attachment, such as a PDF file, that could execute code remotely through a vulnerability related to a TrueType font instruction (CVE-2023-41990).
The attack chain had multiple stages, including the exploitation of kernel vulnerabilities, to gain root privileges and install the spyware. Apple has since patched these vulnerabilities after being informed by Kaspersky. The discovery process was challenging due to the closed nature of the iOS ecosystem, requiring a comprehensive understanding of both the hardware and software architectures.
Observations:
This incident is a good example of how advanced hardware-based protections can be rendered ineffective by sophisticated attackers, particularly when undocumented hardware features allow those protections to be bypassed. As discussed by @hackerfantastic on Twitter, this feels like the work of an intelligence agency.
The Twitter thread suggests that the level of sophistication, selective targeting, and the background bureaucratic processes involved in these types of attacks point more towards the work of an intelligence agency rather than a typical APT.