Apple Patches Zero-Days Exploited to Deploy Triangulation Spyware via iMessage
June 21, 2023
Apple has fixed three new zero-day vulnerabilities that were exploited in attacks to install the Triangulation spyware on iPhones through iMessage zero-click exploits. The company stated, "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7." The Kernel and WebKit vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, were discovered and reported by Kaspersky security researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin.
Kaspersky also released a report providing more information on an iOS spyware component used in a campaign they track as "Operation Triangulation." The cybersecurity firm explained, "The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted." The report further stated that if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, launching the whole exploitation chain again. If no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers.
According to Kaspersky, the attacks began in 2019 and are still ongoing. In early June, the company reported that some iPhones on its network were infected with previously unknown spyware via iMessage zero-click exploits that took advantage of iOS zero-day bugs. Kaspersky revealed that the attack impacted its Moscow office and employees in other countries. Russia's FSB intelligence and security agency also claimed that Apple provided the NSA with a backdoor to help infect iPhones in Russia with spyware. The FSB alleged it discovered thousands of infected iPhones belonging to Russian government officials and staff from embassies in Israel, China, and NATO member countries. In response to these claims, an Apple spokesperson stated, "We have never worked with any government to insert a backdoor into any Apple product and never will."
Apple also patched a WebKit zero-day vulnerability (CVE-2023-32439) reported by an anonymous researcher, which could allow attackers to execute arbitrary code on unpatched devices by exploiting a type confusion issue. The company addressed the three zero-days in macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, watchOS 9.5.2, and watchOS 8.8.1 with improved checks, input validation, and state management. The list of affected devices includes both older and newer models.
Since the beginning of the year, Apple has patched a total of 9 zero-day vulnerabilities that were exploited in the wild to compromise iPhones, Macs, and iPads. Last month, the company fixed three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373), the first of which was reported by Google Threat Analysis Group and Amnesty International Security Lab researchers and likely used to install commercial spyware. In April, Apple addressed two other zero-days (CVE-2023-28206 and CVE-2023-28205) that were part of exploit chains of Android, iOS, and Chrome zero-day and n-day flaws, and used to deploy mercenary spyware on devices belonging to high-risk targets worldwide. In February, Apple fixed another WebKit zero-day (CVE-2023-23529) that was exploited in attacks to gain code execution on vulnerable iPhones, iPads, and Macs.
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.
By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.
Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.