Apple addressed three new zero-day vulnerabilities exploited in attacks installing Triangulation spyware on iPhones via iMessage zero-click exploits.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7,” the company says when describing Kernel and WebKit vulnerabilities tracked as CVE-2023-32434 and CVE-2023-32435.
The two security flaws were found and reported by Kaspersky security researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin.
Kaspersky also published a report earlier today with additional details on an iOS spyware component used in a campaign the cybersecurity company tracks as “Operation Triangulation.”
“The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted,” Kaspersky said today.
“Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers.”
Used by U.S. state hackers per FSB claims
The attacks started in 2019 and are still ongoing, according to Kaspersky, which reported in early June that some iPhones on its network were infected with previously unknown spyware via iMessage zero-click exploits that abused iOS zero-day bugs.
Kaspersky told BleepingComputer that the attack impacted its Moscow office and employees in other countries.
Russia’s FSB intelligence and security agency also claimed after Kaspersky’s report was published that Apple provided the NSA with a backdoor to help infect iPhones in Russia with spyware.
The FSB claimed it found thousands of infected iPhones belonging to Russian government officials and staff from embassies in Israel, China, and NATO member countries.
“We have never worked with any government to insert a backdoor into any Apple product and never will,” an Apple spokesperson told BleepingComputer.
Apple also patched today a WebKit zero-day vulnerability (CVE-2023-32439) reported by an anonymous researcher that can let attackers gain arbitrary code execution on unpatched devices by exploiting a type confusion issue.
The company addressed the three zero-days in macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, watchOS 9.5.2, and watchOS 8.8.1 with improved checks, input validation, and state management.
The list of affected devices is quite extensive, as the zero-day affects older and newer models, and it includes:
- iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
- Macs running macOS Big Sur, Monterey, and Ventura
- Apple Watch Series 4 and later, Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE
Nine zero-days patched since the start of the year
Since the start of the year, Apple has patched a total of 9 zero-day vulnerabilities that were exploited in the wild to compromise iPhones, Macs, and iPads.
Last month, the company fixed three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373), the first reported by Google Threat Analysis Group and Amnesty International Security Lab researchers and likely used to install commercial spyware.
In April, Apple fixed two other zero-days (CVE-2023-28206 and CVE-2023-28205) that were deployed as part of exploit chains of Android, iOS, and Chrome zero-day and n-day flaws, and abused to deploy mercenary spyware on devices belonging to high-risk targets worldwide.
In February, Apple addressed another WebKit zero-day (CVE-2023-23529) exploited in attacks to gain code execution on vulnerable iPhones, iPads, and Macs.