A discovery by experts has revealed that Operation Triangulation, which targets Apple iOS devices, made use of an undocumented hardware feature. Researchers from Kaspersky, a Russian cybersecurity firm, uncovered that the perpetrators behind Operation Triangulation capitalized on an undocumented hardware feature to target Apple iOS devices.
The revelation came in early June when Kaspersky identified a previously unknown APT group engaged in targeting iOS devices through zero-click exploits as part of a long-standing campaign known as Operation Triangulation.
Monitoring their own corporate Wi-Fi network dedicated to mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), experts detected the attack.
According to Kaspersky researchers, Operation Triangulation has been active since at least 2019 and continues to operate.
The attack sequence begins with a message sent via the iMessage service to an iOS device, containing an attachment with an exploit. This message triggers a remote code execution vulnerability without requiring any user interaction (zero-click).
Shortly after Kaspersky disclosed their findings, Russia’s FSB accused US intelligence agencies of orchestrating the attacks on iPhones. Russian intelligence claims that thousands of iOS devices belonging to domestic subscribers, diplomatic missions, and embassies have been targeted as part of Operation Triangulation.
The operations primarily aimed at gathering intelligence from diplomats representing NATO countries, Israel, China, and Syria.
FSB alleges that Apple collaborated with US intelligence in this cyber espionage campaign.
Initially, Kaspersky reported that the exploit used in the attack downloads multiple subsequent stages from the command and control (C2) server, including additional exploits for privilege escalation. The final payload, described by Kaspersky as a fully-featured APT platform, is also retrieved from the same C2 server.
Subsequently, both the initial message and the exploit attachment are deleted.
The researchers observed that the malicious toolset lacks persistence, likely due to operating system limitations, potentially allowing devices to be reinfected after rebooting.
The attack successfully targeted iOS 15.7, although analysis of the final payload is ongoing. The malicious code operates with root privileges, supporting various commands for collecting system and user information, and executing arbitrary code downloaded as plugin modules from the C2 server.
In June, Kaspersky announced the completion of a six-month investigation, collecting all components of the attack chain and analyzing the spyware implant, identified as TriangleDB.
The attackers exploit a kernel vulnerability in the implant to gain root privileges on the target iOS device and install the spyware. The implant is deployed directly in memory, but if the victim reboots the device, the malware does not persist. Nevertheless, the implant self-uninstalls after 30 days if the system is not rebooted, although attackers can extend this period.
On December 27, 2023, Boris Larin, Leonid Bezvershenko, and Georgy Kucherin presented their findings on Operation Triangulation at the 37th Chaos Communication Congress (37C3) in Hamburg, titled “Operation Triangulation: What You Get When Attack iPhones of Researchers.” The presentation showcased the results of their investigation conducted with colleagues Igor Kuznetsov, Valentin Pashkov, and Mikhail Vinogradov.
The attack chain relied on exploiting four zero-day vulnerabilities affecting iOS versions up to iOS 16.2. The threat actors sent a specially crafted iMessage attachment, processed by the application without any user notification.
“This attachment exploits the remote code execution vulnerability CVE-2023-41990 in the undocumented, Apple-only ADJUST TrueType font instruction, which had existed since the early nineties before a patch removed it,” reads Kaspersky’s analysis.
Additionally, the attackers exploited an integer overflow vulnerability (CVE-2023-32434) in XNU’s memory mapping syscalls (mach_make_memory_entry and vm_map) to gain read/write access to the device’s entire physical memory at user level.
The attackers also exploited CVE-2023-38606 to bypass the Page Protection Layer (PPL).
The Safari exploit utilizes CVE-2023-32435 to execute a shellcode. The shellcode then executes another kernel exploit in the form of a Mach object file. The shellcode leverages the same vulnerabilities, CVE-2023-32434 and CVE-2023-38606.
The researchers explained that recent iPhone models support additional hardware-based security protection for sensitive areas of kernel memory. However, to bypass this protection, threat actors abused an undocumented hardware feature of Apple-designed SoCs.
“Our guess is that this unknown hardware feature was most likely intended for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake. Because this feature is not used by the firmware, we have no idea how attackers would know how to use it,” continues the experts.
Many peripheral devices within the SoC rely on dedicated hardware registers for CPU operations, linked to CPU-accessible memory (memory-mapped I/O (MMIO)).
The experts noted that most MMIOs used by the threat actors do not belong to any MMIO ranges defined in the device tree. The exploit specifically targets Apple A12–A16 Bionic SoCs, aiming at unknown MMIO blocks of registers.
“This is no ordinary vulnerability, and we have many unanswered questions. We do not know how the attackers learned to use this unknown hardware feature or what its original purpose was. Neither do we know if it was developed by Apple or it’s a third-party component like ARM CoreSight,” concludes the report. “What we do know—and what this vulnerability demonstrates—is that advanced hardware-based protections are useless in the face of a sophisticated attacker as long as there are hardware features that can bypass those protections.”
