Researchers at Kaspersky have disclosed the final component of four zero-day exploits that comprise “Operation Triangulation”, a highly sophisticated Apple iMessage 0-click attack that affects iPhone and iPad devices up to iOS 16.2. Kaspersky researchers presented their findings, “Operation Triangulation: What You Get When Attack iPhones of Researchers”, at the 37th Chaos Communication Congress (37C3), held at Congress Center Hamburg, Germany on December 27, 2023.
The presentation was the first time that Kaspersky researchers publicly disclosed all the attack’s vulnerable components and the exploits the attackers used.
Operation Triangulation: 0-click iMessage Attack
Kaspersky researchers first disclosed Operation Triangulation in early 2023, as we previously reported.
The Russian government and FSB (Russia’s intelligence and security agency) boldly alleged that the United States National Security Agency and Apple colluded to infect thousands of Apple iOS devices of Russian persons of interest or citizens in a mass surveillance operation.
Apple and the U.S. government have vehemently denied these accusations.
Kaspersky has not attributed the attacks to a specific organization, government, or hacking group.
Operation Triangulation Attack Chain
Kaspersky researchers have traced the vulnerabilities and sophisticated attack chain back to 2019. Attackers send target individuals an iMessage, which while seemingly innocuous, is actually a “0-click” iMessage attack, or capable of deploying malware on the targeted device without a user actually clicking or agreeing to anything on the device to successfully infect the device.
The delivered iMessage contains a malicious attachment, which iMessage processes without showing any visible signs to the target. The attachment runs the remote code execution vulnerability CVE-2023-41990, to execute a privilege escalation exploit written in JavaScipt.
Next, the attack chain uses the integer overflow vulnerability CVE-2023-32434 in XNU’s memory mapping syscalls to obtain read/write access to the entire physical memory of the device at the user level. Hardware memory-mapped I/O (MMIO) registers to bypass the Page Protection Layer (PPL), identified as CVE-2023-38606.
Finally, a Safari exploit is used CVE-2023-32435 to execute shellcode. Code is used for parsing and manipulation of the kernal memory, and contains various post-exploitation utilities, according to Kaspersky.
Once the exploit obtains root privileges and proceeds to final stages, the spyware payload is finally delivered.
Kaspersky states that it is “almost done reverse-engineering every aspect of this attack chain”, and will release a series of new articles in 2024 detailing each vulnerability and how it was exploited.
Additional context on the hardware layers and bypassing iPhone hardware-based security protections are detailed on Kaspersky’s web blog.
