Unmasking Operation Triangulation: In-depth Analysis of iOS Zero-Day Attacks
October 24, 2023
Kaspersky's investigation into a sophisticated attack on Apple iOS devices, known as Operation Triangulation, has revealed the use of a malicious implant called TriangleDB. This implant is equipped with at least four modules designed to record microphone activity, extract iCloud Keychain details, steal data from various app-based SQLite databases, and estimate the victim's location.
The attack was first identified in June 2023, when it was discovered that iOS devices were being targeted by a zero-click exploit that utilized zero-day security flaws (CVE-2023-32434 and CVE-2023-32435). The exploit used the iMessage platform to deliver a malicious attachment that could gain total control over the device and its user data. The scale and identity of the threat actor remain unknown.
In a technical report published on Monday, Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Valentin Pashkov stated, "These validators collect various information about the victim device and send it to the C2 server. This information is then used to assess if the iPhone or iPad to be implanted with TriangleDB could be a research device. By performing such checks, attackers can make sure that their zero-day exploits and the implant do not get burned."
The Binary Validator, a Mach-O executable, is likewise delivered only after a series of earlier stages. The results of its checks are encrypted and sent to a command-and-control (C2) server in order to fetch the TriangleDB implant. Once the backdoor is in place, it communicates with the C2 server and follows commands to delete crash log and database files, thus erasing traces of the attack.
The implant also receives instructions to periodically exfiltrate files that contain location, iCloud Keychain, SQL-related, and microphone-recorded data. The microphone-recording module is designed to stop recording when the device screen is on, demonstrating the threat actor's intention to remain undetected. The location-monitoring module uses GSM data to estimate the victim's location when GPS data is not available.
Kaspersky's researchers concluded, "The adversary behind Triangulation took great care to avoid detection. The attackers also showed a great understanding of iOS internals, as they used private undocumented APIs in the course of the attack."