Operation Triangulation

Operation Triangulation is a targeted cyberattack on iOS devices conducted using a chain of four zero-day vulnerabilities. It was first disclosed in June 2023 and is notable for its unprecedented technical complexity among iOS attacks. The number of victims is estimated to be in the thousands.

Objectives of the attack

The goal of the attack was espionage: extracting messages and passwords from devices, recording conversations, and tracking geolocation. The exact number of victims is unknown because of the attackers' high level of stealth. Some sources estimate several thousand victims, including commercial, governmental and diplomatic organizations in Russia and Russian representative offices abroad. [1]

Timeline of events

June 1, 2023: Kaspersky announces the discovery of traces of a new kind of malware on the iOS devices of its employees. The malware is designed for espionage and is highly stealthy; it was detected only through unusual network traffic from infected iPhones. Investigators found traces of the first infections dating back to 2019. The attack is named Operation Triangulation. [2]

A tool called triangle_check is released to allow users to check whether their iOS devices have been compromised in the attack. [3] [4] [5]

June 21, 2023: Kaspersky publishes research on the TriangleDB implant used in the attack. [6] [7]

On the same day, Apple releases updates for iOS 15.x and 16.x, addressing two vulnerabilities used in the attack: CVE-2023-32434 in the iOS kernel and CVE-2023-32435 in the WebKit browser engine. These vulnerabilities make it possible to silently infect iPhones by bypassing iOS security systems. [8]

July 24, 2023: Apple releases updates for iOS 15.x and 16.x, addressing the CVE-2023-38606 vulnerability in the iOS kernel and CVE-2023-41990 in the FontParser font processing mechanism. These vulnerabilities were also part of the infection chain for Operation Triangulation. [9] [10]

October 23, 2023: Kaspersky publishes data on the multi-stage validation of potential victims by the attackers. This filtering process allows attackers to infect only their intended targets and evade security researchers. [11]

October 26, 2023: At the Security Analyst Summit, a report is presented on the Operation Triangulation investigation process and efforts to identify all components in the infection chain. [12] [13]

December 27, 2023: At the Chaos Communication Congress, a report is presented on the complete attack chain and the four vulnerabilities used in the attack, including undocumented features of Apple processors. [14] [15] [16] [17] [18]

December 28, 2023: Hacker Hector Martin, learning of the use of undocumented Apple processor features in Operation Triangulation, shares what is known about their possible mechanisms and purposes. [19]

Technical details

Operation Triangulation is unprecedented in its technical complexity for iOS attacks: the infection chain consists of 14 steps, using four zero-day vulnerabilities and undocumented hardware features of Apple processors. All known attacks targeted iOS versions up to 15.7.x, but the techniques are effective up to iOS 16.2. [20]

When a specially crafted iMessage is received by an iPhone, the malicious code is launched. This message is invisible to the user. Additional components are then downloaded from the command servers of Operation Triangulation, granting elevated privileges on the device, and deploying spyware with extensive access to the device's contents and functions.

Device infection

The initial infection is carried out through an invisible iMessage. The malicious iMessage attachment, packaged as a .watchface file (a watch screen design, essentially a ZIP file with an embedded PDF), executes code that opens Safari in the background, which then loads the next components of the infection chain from a web page.

The web page contains a validator script that analyzes the parameters of the infected smartphone and decides whether to continue the infection. Canvas fingerprinting technology, which draws a triangle on the web page, is used to uniquely identify victims. This triangle gives its name to the entire campaign.

The attack exploits the CVE-2023-41990, CVE-2023-32434 and CVE-2023-38606 zero-day vulnerabilities in these stages.

If the device passes this check, the script on the web page additionally exploits the CVE-2023-32435 vulnerability and loads binary code into the device's memory, which obtains root privileges and performs a more detailed check that the smartphone matches the attackers' interests. This binary validator also deletes traces of the received iMessage and loads the main malicious implant, TriangleDB.

The malware operates only in the smartphone's memory, so it is erased after a reboot. The attackers can then resend the iMessage and re-infect the victim.

Undocumented Apple feature

To bypass the memory protections in recent generations of Apple processors (A12–A16), the exploit for the CVE-2023-38606 kernel vulnerability uses undocumented hardware features of the processors.

The exploit writes to undocumented MMIO registers that neither iOS applications nor the iOS operating system itself use. As a result, the exploit code can modify the hardware-protected area of iOS kernel memory. Kaspersky researchers have suggested that this mechanism was probably created to debug the processor itself. [17] [18]

Some experts believe that "very few, if any, outside of Apple and chip suppliers like ARM Holdings" could know about this feature. [21]

Hector Martin described a possible exploitation mechanism based on direct writes to the memory cache, which makes it possible to bypass the memory protection mechanisms in some cases. [19]

Functions of the TriangleDB implant

The TriangleDB malware has a modular structure, so its functions can be extended by downloading additional modules from the server.

The basic version can upload files from the device to the attackers' server, extract data from the keychain, track the victim's geolocation, and modify files and processes on the smartphone. [7]

Known additional modules support prolonged microphone recording (including in airplane mode), executing queries to databases stored on the device, and stealing chats from WhatsApp and Telegram. [21] [12]

Detection and removal methods

Blocking updates

A telltale sign of smartphone infection caused by the Operation Triangulation malware is the inability to update iOS to a newer version. However, some infected devices have continued to update normally. [22]

iTunes backup analysis

Traces of infection can be found in system files on the iPhone. Since these files are not accessible on the iOS device itself, a backup of the iPhone is made through iTunes on a computer and the backup is then analyzed with the triangle_check utility. [3] [4] [23]
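The backup-based approach works because an iTunes backup stores the phone's system files on the computer under hashed names listed in a Manifest.db index. The following added example (not code from triangle_check or the original article) shows how an analyst resolves a (domain, relativePath) pair to the stored file; the backup layout facts are standard iOS backup behaviour, while the target path and the backup contents are constructed for illustration only.

```python
import hashlib
import os
import sqlite3
import tempfile

# Illustrative target only: a (domain, relativePath) pair as listed in Manifest.db.
# The actual indicator logic belongs to triangle_check and is not reproduced here.
EXAMPLE_TARGET = ("WirelessDomain", "Library/Databases/DataUsage.sqlite")


def backup_file_id(domain: str, relative_path: str) -> str:
    """iOS backups store each file under the SHA-1 of "<domain>-<relativePath>"."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def stored_path(backup_dir: str, file_id: str) -> str:
    """Since iOS 10 the file sits in a subdirectory named by the first two hex chars."""
    return os.path.join(backup_dir, file_id[:2], file_id)


def locate_files(backup_dir: str, targets) -> dict:
    """Resolve (domain, relativePath) pairs to on-disk paths via Manifest.db.

    Only entries both listed in the manifest and present on disk are returned,
    so the caller can hand them straight to an analysis tool."""
    manifest = os.path.join(backup_dir, "Manifest.db")
    found = {}
    con = sqlite3.connect(manifest)
    try:
        for domain, rel in targets:
            row = con.execute(
                "SELECT fileID FROM Files WHERE domain = ? AND relativePath = ?",
                (domain, rel),
            ).fetchone()
            if row is None:
                continue
            path = stored_path(backup_dir, row[0])
            if os.path.isfile(path):
                found[(domain, rel)] = path
    finally:
        con.close()
    return found


def build_sample_backup() -> str:
    """Construct a minimal fake backup so the example runs offline.

    It has a Manifest.db with the real Files table layout and one stored file
    whose content is a constructed placeholder, not a real database."""
    backup_dir = tempfile.mkdtemp(prefix="fake-ios-backup-")
    domain, rel = EXAMPLE_TARGET
    file_id = backup_file_id(domain, rel)
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    with con:
        con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                    "relativePath TEXT, flags INTEGER, file BLOB)")
        con.execute("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)", (file_id, domain, rel))
    con.close()
    path = stored_path(backup_dir, file_id)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"constructed placeholder content")
    return backup_dir


if __name__ == "__main__":
    sample = build_sample_backup()
    for (domain, rel), path in locate_files(sample, [EXAMPLE_TARGET]).items():
        print(f"{domain}/{rel} -> {path}")
```

On a real backup, point `locate_files` at the backup folder (for example under MobileSync/Backup) and feed the resolved paths to whatever parser or indicator check you use; encrypted backups must be decrypted first.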

Network connection analysis

The malicious code of Operation Triangulation establishes connections with the attackers' servers, and a list of these servers has been made publicly available. [2]

Removing the infection

For fully compromised devices, researchers recommend the following sequence of actions to prevent reinfection: factory reset, disable iMessage, and update iOS to a newer version. [2]

Attribution

Kaspersky has not made any official statements about the origin of the attack, nor has it attributed it to any hacker group or country.

However, on June 1, 2023, the Russian Federal Security Service (FSB) issued a statement about the discovery of malware affecting Apple mobile phones, using "software vulnerabilities provided by the manufacturer". The FSB also directly accused Apple of collaborating with the NSA. The statement indicated that several thousand phones were infected, including those outside Russia in NATO countries, the post-Soviet space, Israel, Syria and China. [24] [25]

Apple issued a statement on the same day, denying these accusations. [26]

The FSB and Kaspersky made independent statements. However, some experts believe that both are referring to Operation Triangulation. [27] [28] [29] [30]

Consequences

Apple publicly denied accusations of collaborating with intelligence agencies to implant backdoors. [26]

The company released several update packages to fix the iOS vulnerabilities targeted by Operation Triangulation. [31]

In July–August 2023, it became known that the use of Apple smartphones and tablets for official purposes was banned in several Russian governmental and commercial organizations, including the Ministry of Digital Development, Ministry of Industry and Trade, Ministry of Transport, Federal Tax Service and Russian Railways. Later in 2023, the Central Bank and the Ministry of Emergency Situations took the same decision. [32]

In September 2023, it was revealed that the Chinese government had decided to expand its ban on iPhone use to include not only government employees but also state-controlled companies. [33]

In 2024, South Korea's Ministry of National Defense announced a ban on iPhones for security reasons, while Android phones were not banned. [34]

Evaluations and public reception

The exploit code in Operation Triangulation has been called the most complex in history. [21]

The most remarkable features of the attack are the attackers' knowledge of undocumented Apple chip capabilities and the use of four zero-day vulnerabilities in a single attack. [35]

Cryptographer Bruce Schneier described the attack as "absolutely crazy in sophistication" and "nation-state stuff". [36]

Elon Musk also expressed interest in the complexity of the attack and possible defense methods. [37]

References

  1. https://www.washingtonpost.com/technology/2023/06/21/apple-hacks-russia-kaspersky-nsa
  2. "Operation Triangulation: iOS devices targeted with previously unknown malware". securelist.com. June 1, 2023.
  3. "New tool scans iPhones for 'Triangulation' malware infection". BleepingComputer.
  4. "Tool to find the Operation Triangulation traces". securelist.com. June 2, 2023.
  5. "KasperskyLab/triangle_check". GitHub. September 29, 2024.
  6. "New Report Exposes Operation Triangulation's Spyware Implant Targeting iOS Devices". The Hacker News.
  7. "Dissecting TriangleDB, a Triangulation spyware implant". securelist.com. June 21, 2023.
  8. "About the security content of iOS 16.5.1 and iPadOS 16.5.1". Apple Support.
  9. "About the security content of iOS 15.7.8 and iPadOS 15.7.8". Apple Support.
  10. "About the security content of iOS 16.6 and iPadOS 16.6". Apple Support.
  11. "Triangulation: validators, post-compromise activity and modules". securelist.com. October 23, 2023.
  12. "Operation Triangulation: Connecting the Dots | Igor Kuznetsov". YouTube. January 25, 2024.
  13. "How Kaspersky obtained all stages of Operation Triangulation". securelist.com. October 26, 2023.
  14. "Lecture: Operation Triangulation: What You Get When Attack iPhones of Researchers | Wednesday | Schedule 37th Chaos Communication Congress". fahrplan.events.ccc.de.
  15. "Operation Triangulation". media.ccc.de. December 27, 2023.
  16. "iOS security report details 'most sophisticated' iPhone attack ever". Macworld.
  17. "iPhone Triangulation attack abused undocumented hardware feature". BleepingComputer.
  18. "Operation Triangulation: The last (hardware) mystery". securelist.com. December 27, 2023.
  19. "Hector Martin (@marcan@treehouse.systems)". Treehouse Mastodon. December 28, 2023.
  20. Mascellino, Alessandro (October 26, 2023). "Operation Triangulation iOS Attack Details Revealed". Infosecurity Magazine.
  21. Goodin, Dan (December 27, 2023). "4-year campaign backdoored iPhones using possibly the most advanced exploit ever". Ars Technica.
  22. "Triangulation: Trojan for iOS". www.kaspersky.com. June 1, 2023.
  23. "Releases · KasperskyLab/triangle_check". GitHub.
  24. "Подробная информация :: Федеральная Служба Безопасности" [Detailed information :: Federal Security Service]. www.fsb.ru.
  25. https://www.reuters.com/technology/russias-fsb-says-us-nsa-penetrated-thousands-apple-phones-spy-plot-2023-06-01/
  26. https://www.reuters.com/technology/apple-denies-surveillance-claims-made-by-russias-fsb-2023-06-01
  27. Goodin, Dan (June 1, 2023). ""Clickless" iOS exploits infect Kaspersky iPhones with never-before-seen malware". Ars Technica.
  28. https://www.washingtonpost.com/technology/2023/06/01/russia-iphone-hack-kaspersky
  29. https://safe-surf.ru/upload/ALRT/ALRT-20230601.1.pdf
  30. https://safe-surf.ru/specialists/news/693258
  31. "About the security content of iOS 16.4 and iPadOS 16.4". Apple Support.
  32. "Смартфоны Apple запретили использовать в служебных целях. Какая мобильная экосистема может прийти им на смену?" [Apple smartphones banned for official use. Which mobile ecosystem could replace them?]. Rossiyskaya Gazeta. August 13, 2023.
  33. "Apple faces partial iPhone ban in China". euronews. September 7, 2023.
  34. Joo-young, Hwang (April 23, 2024). "[Exclusive] Korean military set to ban iPhones over 'security' concerns". The Korea Herald.
  35. ""Triangulation" iPhone spyware used Apple hardware exploits unknown to almost everyone". TechSpot. December 30, 2023.
  36. "New iPhone Exploit Uses Four Zero-Days - Schneier on Security". www.schneier.com. January 4, 2024.
  37. Olinga, Luc (June 2, 2023). "Elon Musk Flags Sophisticated Attack Against Apple's iPhones". TheStreet.