CISA Directs Federal Agencies to Address iPhone Vulnerabilities Exploited by Triangulation Spyware

June 23, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has instructed federal agencies to address recently patched iPhone security vulnerabilities that have been exploited by the Triangulation spyware. The directive follows a report by Kaspersky that detailed a component of the Triangulation malware used in a campaign called Operation Triangulation. The cybersecurity firm discovered the spyware on iPhones belonging to its Moscow-based employees and others from different countries. The attacks, which began in 2019 and are still ongoing, leverage iMessage zero-click exploits that take advantage of the patched iOS zero-day vulnerabilities.

Russia's FSB intelligence agency has also accused Apple of collaborating with the NSA to create a backdoor, allowing the infiltration of iPhones in Russia. The FSB claims to have found thousands of infected iPhones owned by Russian government officials and embassy staff in Israel, China, and NATO member nations. An Apple spokesperson refuted the allegations, stating, "We have never worked with any government to insert a backdoor into any Apple product and never will." Apple acknowledged the issue, saying, "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7." The company was referring to the Kernel and WebKit vulnerabilities (CVE-2023-32434 and CVE-2023-32435) exploited in the attacks.

Apple also addressed a WebKit zero-day vulnerability (CVE-2023-32439) this week, which could allow attackers to execute arbitrary code on unpatched devices. CISA flagged this flaw as actively exploited as well. The list of affected devices is extensive, including both older and newer models. Following the patching of the exploited zero-days, Apple sent another round of threat notifications alerting customers they were targeted in state-sponsored attacks. However, the incidents these new warnings refer to remain unclear, according to CNN reporter Chris Bing.

CISA added another vulnerability to its known exploited vulnerabilities (KEV) list: a critical pre-authentication command injection bug (CVE-2023-27992) that can enable unauthenticated attackers to execute operating system commands on Internet-exposed Network-Attached Storage (NAS) devices left unpatched. Zyxel advised customers on Tuesday to secure their NAS devices for optimal protection, following attacks on Zyxel firewalls and VPN products by Mirai-based botnets. CISA also included a VMware ESXi vulnerability (CVE-2023-20867) in its KEV catalog, which was exploited by Chinese-backed hacking group UNC3886 to backdoor Windows and Linux virtual machines in data theft attacks.

U.S. Federal Civilian Executive Branch (FCEB) agencies are required to patch every vulnerability added to CISA's KEV catalog within a set deadline, under Binding Operational Directive 22-01 (BOD 22-01), issued in November 2022. Following the latest update, federal agencies have been instructed to secure vulnerable devices against the flaws included today by June 14th, 2023. While BOD 22-01 applies only to U.S. federal agencies, private organizations are also strongly advised to prioritize the vulnerabilities in CISA's KEV list, since every entry is a bug known to be exploited in the wild.
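For defenders who want to act on KEV additions like the ones above, the following Python script is an added example (not from the article or from CISA) that indexes a KEV-style feed by CVE and ranks scanner findings by their BOD 22-01 due date. The record fields follow the layout of CISA's public KEV JSON feed; the records, dates and asset names embedded below are constructed for illustration, and the CVE IDs are the ones this article names.

```python
"""Rank vulnerability-scanner findings by CISA KEV due date (added example)."""
import json
from datetime import date

# Constructed snapshot shaped like the KEV feed; dates are illustrative, not
# copied from the live catalog.
KEV_SNAPSHOT = json.dumps({
    "catalogVersion": "example-snapshot",
    "vulnerabilities": [
        {"cveID": "CVE-2023-32434", "vendorProject": "Apple", "product": "iOS",
         "dateAdded": "2023-06-23", "dueDate": "2023-07-14"},
        {"cveID": "CVE-2023-32435", "vendorProject": "Apple", "product": "iOS",
         "dateAdded": "2023-06-23", "dueDate": "2023-07-14"},
        {"cveID": "CVE-2023-27992", "vendorProject": "Zyxel", "product": "NAS",
         "dateAdded": "2023-06-23", "dueDate": "2023-07-14"},
        {"cveID": "CVE-2023-20867", "vendorProject": "VMware", "product": "ESXi",
         "dateAdded": "2023-06-21", "dueDate": "2023-07-12"},
    ],
})

# Constructed scanner output: (asset name, CVE). The last entry is a
# placeholder CVE that is NOT in the KEV snapshot, to show it gets filtered out.
FINDINGS = [
    ("hr-nas-01", "CVE-2023-27992"),
    ("esxi-host-03", "CVE-2023-20867"),
    ("exec-iphone-12", "CVE-2023-32434"),
    ("web-01", "CVE-0000-00000"),
]


def load_kev(feed_json: str) -> dict:
    """Parse a KEV feed document and index its records by CVE ID."""
    doc = json.loads(feed_json)
    return {rec["cveID"]: rec for rec in doc["vulnerabilities"]}


def prioritize(findings, kev: dict, today: str) -> list:
    """Keep only KEV-listed findings and sort them most urgent first.

    days_left is negative when the BOD 22-01 due date has already passed.
    """
    ref = date.fromisoformat(today)
    rows = []
    for asset, cve in findings:
        rec = kev.get(cve)
        if rec is None:  # not in KEV: still a finding, but not a BOD deadline
            continue
        due = date.fromisoformat(rec["dueDate"])
        rows.append({"asset": asset, "cve": cve, "vendor": rec["vendorProject"],
                     "due": rec["dueDate"], "days_left": (due - ref).days})
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(FINDINGS, load_kev(KEV_SNAPSHOT), "2023-07-13"):
        print(row)
```

Pointing `load_kev` at the real feed instead of the snapshot is a one-line change; the ranking logic is unchanged.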
