Kaspersky’s Global Research and Analysis Team (GReAT) revealed their investigation process into Operation Triangulation at the Security Analyst Summit.
Earlier this summer, cybersecurity firm Kaspersky discovered an Advanced Persistent Threat (APT) campaign called “Operation Triangulation” that targeted iOS devices. The campaign was found to utilize a highly sophisticated method of distributing zero-click exploits via iMessage, which ultimately allowed the attackers to gain complete control over the device and the user’s data.
Kaspersky’s GReAT team assessed that the primary goal of this campaign was to conduct covert user surveillance, and even Kaspersky’s own staff were potentially affected by the attack. Due to the attack’s complexity and the iOS ecosystem’s closed nature, a cross-team task force dedicated a significant amount of time and resources to conducting a thorough technical analysis.
The company’s experts identified an initial entry point through a font processing library vulnerability. The second vulnerability, a compelling and trivially exploitable flaw in the memory mapping code, allowed access to the device’s physical memory.
Attackers have recently exploited two additional vulnerabilities to bypass the latest Apple processor’s hardware security features. Researchers also found that, apart from the ability to remotely infect Apple devices through iMessage without user interaction, the attackers had a platform for conducting attacks via the Safari web browser. This led to the discovery and resolution of a fifth vulnerability.
In response, the Apple team released security updates to address four zero-day vulnerabilities. These were discovered by Kaspersky researchers and were assigned CVE numbers: CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, and CVE-2023-41990. These vulnerabilities affected many Apple products, including iPhones, iPods, iPads, macOS devices, Apple TV, and Apple Watch.
“Operation Triangulation serves as a reminder to exercise caution when handling iMessage attachments from unfamiliar sources. Drawing insights from the strategies employed in Operation Triangulation can offer valuable guidance. Additionally, finding a balance between system closedness and accessibility may contribute to an enhanced security posture,” shared Boris Larin, Principal Security Researcher at Kaspersky’s GReAT.
To learn more about Operation Triangulation, visit Securelist.com. On their website, Kaspersky will provide more technical details in the future, including a comprehensive analysis.
To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Regularly update your operating system, applications, and antivirus software to patch known vulnerabilities.
- Be cautious of emails, messages, or calls asking for sensitive information. Verify the sender’s identity before sharing any personal details or clicking on suspicious links.
- Provide your SOC team access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky, spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- For endpoint-level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.