The campaign used two zero-click iMessage exploits, compromising devices without any user interaction, based on a pair of bugs in the kernel and WebKit respectively.
Apple has attributed the discovery of these vulnerabilities to Kaspersky Labs just two weeks after the Russian cybersecurity firm reported discovering an advanced persistent threat (APT) actor launching zero-click iMessage exploits on Russian iOS devices.
Apple patches vulnerabilities, including in the latest versions
Apple characterised the exploited vulnerabilities as problems related to memory corruption within the kernel (CVE-2023-32434), which enables an application to execute arbitrary code with kernel privileges, and an issue identified in WebKit (CVE-2023-32435), which allows code execution through web content.
To address these issues, the company has rolled out patches in the latest updates of its operating systems: iOS 16.5.1, iPadOS 16.5.1, iOS 15.7.7, and iPadOS 15.7.7.
The fixes have been released both for the latest version (iOS 16.5.1) and for the older vulnerable versions (before iOS 15.7). Apple noted that the attacks have only been seen on devices running iOS versions older than iOS 15.7.
Besides iPhones and iPads, patches were also released for macOS and watchOS.
Exploits linked to alleged US Spy Campaign
Earlier this month, Kaspersky reported the APT attack, codenamed Operation Triangulation, using zero-click iMessage exploits on its corporate iOS devices.
The disclosure came on the same day Russia’s Federal Security Service (FSB) blamed US intelligence agencies for an ongoing spy campaign that allegedly targeted a huge number of iOS devices belonging to foreign diplomats as well as domestic users.
An Apple spokesperson denied the company's involvement in the campaign in a SecurityWeek article, saying, “We have never worked with any government to insert a backdoor into any Apple product and never will.”
Kaspersky found spyware running regex matches
The spyware used in Operation Triangulation, according to Kaspersky, targeted iPhones via iMessages with a malicious attachment that carried an exploit for an RCE vulnerability.
The code used in the exploit additionally downloads extra elements to acquire root privileges on the targeted device. Once achieved, a spyware implant named TriangleDB, as identified by Kaspersky, is deployed in the device’s memory, and the initial iMessage is erased.
The implant lacks a persistence mechanism, meaning that if the targeted device is restarted, the entire chain of exploitation must be initiated again to re-infect the device.
“If no reboot occurs, the implant will automatically uninstall itself after 30 days, unless the attackers extend this period,” Kaspersky added.
The spyware monitored the infected device for folder changes with names matching specified regular expressions and exfiltrated queued matches. Identified artifacts suggested the threat actor might also be targeting macOS devices with a similar implant, Kaspersky said.