
"Operation Triangulation" - Details of Sophisticated Attack on Apple iOS

Take action: If you needed a compelling reason to update your iPhone and iPad, here it is: you can be compromised simply by owning an iOS device and receiving a message. Not opening the message, just receiving it. So please patch your devices.


Kaspersky's cybersecurity team is reporting an attack on iOS devices after detecting suspicious activity through their Kaspersky Unified Monitoring and Analysis Platform. The attack has apparently been active since 2019 and is now named "Operation Triangulation".

A successful attack requires no user interaction at all, only an active iMessage service on your iOS device, which makes it a critical attack. The very act of receiving the malicious iMessage, which carries an exploit attachment, triggers the vulnerability.

The attack in detail

  1. The attack on iOS devices begins when the target receives a message through iMessage with an attachment containing an exploit. This exploit, designed as a zero-click attack, exploits a vulnerability in the system without any user interaction, executing malicious code.
  2. The exploit downloads additional stages from a Command and Control server, including exploits for privilege escalation.
  3. After successfully exploiting the device, a full-fledged APT (Advanced Persistent Threat) platform is downloaded, granting complete control over the device and user data.
  4. To maintain stealth, the attack deletes the initial message and exploit attachment. Interestingly, the malicious toolset lacks persistence, suggesting limitations imposed by iOS. Devices can be reinfected after a reboot, according to Kaspersky's findings.

Kaspersky noted that the attack has targeted devices running up to iOS 15.7 as of June 2023. It remains uncertain whether an unknown zero-day vulnerability in iOS is being exploited, or the attack relies only on known and patched vulnerabilities.

The investigation into the final payload with root privileges is still ongoing. This malware can collect system and user information and execute arbitrary code downloaded as plugin modules from the Command and Control server.

What to do?

It looks like the attack is exploiting several vulnerabilities that were present in iOS up to version 15.7, so updating to the latest iOS is still a great first step.

In the meantime, and especially if your iOS device doesn't support iOS 16, disable iMessage to mitigate Triangulation attacks.
