If you think iOS devices are tamper-proof, you might be mistaken, because Operation Triangulation has proved otherwise. This novel ‘zero-click’ compromise uses stealthy, root-privileged malware to break into iOS devices, indicating that iPhones need enhanced cybersecurity measures as well.
iOS users beware – Operation Triangulation, a previously unknown APT campaign targeting iOS devices, is here. Because targets are infected through zero-click exploits delivered over the iMessage platform, users have no opportunity to prevent the compromise of their devices.
Kaspersky says the malware gains absolute control of the device and its user data because it runs with root privileges. Kaspersky adds that it discovered the traces of compromised iOS devices in offline backups of those devices.
How Did the Attack Originate?
The iOS device receives a message containing an attachment bearing the malicious code. Since the exploit falls under the zero-click category, the vulnerability gets triggered without any interaction from the user side. The code execution happens automatically once the message arrives on the device.
The malicious exploit has highly advanced configurations, enabling it to retrieve additional payloads for privilege escalation. Kaspersky has said it can drop a final stage malware from a remote server that acts as a fully featured APT platform.
Since the implant runs with root privileges, it can harvest sensitive information and run code downloaded from the server as plugin modules. In addition, the malware can transmit private information to remote servers. This includes microphone recordings, geolocation information, critical data about other activities on the device, and even photos from instant messengers.
The most critical aspect of this spyware is that, in its final phase, it deletes the initial message and the traces of the exploit to avoid detection. Kaspersky added that because the malicious toolset does not support persistence, owing to iOS’s limitations, multiple affected devices appear to have been reinfected after rebooting, as indicated by their timelines.
The Scope of the Attack
Kaspersky has said that the precise scale and scope of the campaign are still unclear. However, it maintains that the attacks are ongoing, with compromises observed in devices running iOS 15.7, a recently released iOS version.
It is also unclear whether the attack vector exploits a ‘zero-day vulnerability,’ i.e., a flaw that attackers find in the system before the original developer – in this case, Apple – becomes aware of it. Apple recently released its latest iOS update, 16.5. Apple had also released another update, 15.7.6, last month.
International Impact
The Kremlin has accused US intelligence agencies of deliberately compromising thousands of Apple devices belonging to domestic Russian subscribers and international diplomats, using unknown pathways, as part of a reconnaissance operation. Russia’s FSB (Federal Security Service) has issued an advisory coinciding with Kaspersky’s findings.
The FSB also alleges close cooperation between the NSA (National Security Agency) and Apple with the intent of targeting Russian iOS devices. However, Apple has categorically stated that it has never worked with any government to insert a backdoor into its products and never will.
The Russian Ministry of Foreign Affairs disagrees: it believes that US intelligence agencies have for decades used large IT corporations to spy on the personal information of citizens of other countries without their knowledge. This time, the allegation is that they have exploited vulnerabilities in US-made iPhones and other devices running iOS.
Kaspersky notes that the two reports could be related, since the IoCs (indicators of compromise) released by RU-CERT overlap with its own findings.
Final Words
Kaspersky concludes that Operation Triangulation is a highly complex, professionally targeted cyberattack, since the targets include several iPhones belonging to senior-level officials. Nevertheless, the actual extent of exposure from this suspected espionage campaign has yet to be ascertained.