Apple has released emergency patches for two new zero-day vulnerabilities in its software. An APT (Advanced Persistent Threat) attacker used these vulnerabilities to deploy malware in an ongoing iOS espionage campaign called “Operation Triangulation.”

Meanwhile, on Wednesday Kaspersky released a new report providing additional details about the TriangleDB spyware implant used in the campaign. The report flags many oddities in the implant, including disabled features that may be rolled out in the future.

According to the company, analysis has shown that at this point the malware can perform a variety of functions, including creating, modifying, deleting, and stealing files, listing and terminating processes, harvesting credentials from the victim’s keychain, and monitoring location. It supports 24 commands that implement these functions.

“Features that we found particularly important are the ability to read arbitrary files on an infected device, extract passwords from the victim’s keychain, and track geolocation of the device,” says Georgy Kucherin, one of the Kaspersky security researchers who discovered the zero-day bugs Apple disclosed this week.

Zero-Day Trio

One newly resolved security vulnerability (CVE-2023-32434) affects multiple iOS versions and gives attackers a means to execute arbitrary code with kernel-level privileges on iPhones and iPads. Another vulnerability (CVE-2023-32439) exists in Apple’s WebKit browser engine and could allow arbitrary code execution via maliciously crafted web content. Apple issued an update on June 21, 2023 that addresses both vulnerabilities.

These two bugs are part of a set of three Apple zero-days that Kaspersky researchers have discovered so far while investigating Operation Triangulation. The investigation began about seven months ago when the security firm discovered dozens of iOS devices behaving suspiciously on its internal Wi-Fi network.

In early June, the company released a report on its initial analysis of the malicious activity. At the time, Kaspersky explained that the attacker had likely exploited multiple vulnerabilities in Apple software to deliver the TriangleDB spyware implant to iOS devices owned by the targeted users. The company’s researchers identified the first flaw as CVE-2022-46690, an out-of-bounds problem that allows applications to execute arbitrary code at the kernel level. Kaspersky said the malware itself runs with root privileges, can execute arbitrary code on the affected device, and implements a set of commands to gather system and user information.

Kucherin said reading files on an infected device gives the attacker access to databases containing sensitive information such as photos, videos and emails, as well as conversations from messaging apps. TriangleDB’s keychain dumping feature allows an attacker to collect a victim’s passwords and use them to gain access to various accounts owned by the victim.

TriangleDB Exhibits Strange Spyware Behavior

Somewhat bizarrely, the implant asks the operating system on the infected device for multiple permissions without any apparent use for them, Kucherin said. Examples of permissions requested by the malware but not currently used include access to the microphone, camera, and address book.

“These functions may be implemented in the future in auxiliary modules that can be loaded by the implant,” he said.

Another key finding Kaspersky made when analyzing TriangleDB was that the attackers behind the malware were also looking at targeting macOS users. “Perhaps the most interesting discovery is the ‘populateWithFieldsMacOSOnly’ method found in the implant,” says Kucherin. “Its presence means that similar implants can target not only iOS devices but also Mac computers.”

Kaspersky says it was itself targeted, but it is probably not the only victim. Russia’s Federal Security Service (FSB) intelligence agency has claimed, without providing any evidence, that the US National Security Agency (NSA) is behind the malware and espionage campaign, in collusion with Apple. The agency accused the two of installing spyware on thousands of iOS devices owned by Russian diplomats and individuals linked to Russia, allegedly in the interests of the US government. In a tone reminiscent of US accusations against Russia and China, the Russian Foreign Ministry said the iOS spyware campaign was part of a decades-long effort to collect “massive data of internet users” without their permission or knowledge.

Both the NSA and Apple have denied these claims.

Kaspersky has released a utility called triangle_check that organizations can use to search their iOS devices for signs of the spyware.