Kaspersky, a cybersecurity firm in Russia, has reported that multiple iPhones within their network have been compromised by a zero-click exploit through iMessage, utilizing an undisclosed iOS vulnerability to install malware.
The exploit arrives as an iMessage that triggers a security flaw and achieves code execution without any user interaction. That initial execution then downloads further malicious files from the attackers' server. The message and its attachment are subsequently erased from the victim's device, leaving the malicious payload running with root privileges, collecting system and user data and executing commands on behalf of the attack's originators.
Kaspersky reports that this hacking campaign, named “Operation Triangulation”, initiated in 2019 and has not yet ceased. The firm has called for anyone with more information about this operation to come forward.
Investigating the Malware
Given the constraints around analyzing iOS from within the device, Kaspersky employed the Mobile Verification Toolkit, crafting filesystem backups of the affected iPhones in an effort to uncover more about the attack’s method and the malware’s operation.
Even though the malware endeavours to obliterate any evidence of the attack on devices, signs of infection persist, such as system file modifications inhibiting iOS updates, irregular data usage, and the injection of obsolete libraries.
This investigation has indicated that the first signs of infection appeared in 2019, with the most recent attack impacting iOS version 15.7. However, the latest iOS release, 16.5, may have already resolved the vulnerability that was being exploited.
The exploit, delivered via iMessage, activates an unidentified vulnerability in iOS, leading to code execution and fetching subsequent stages from the attacker’s server, including privilege escalation exploits.
The cybersecurity firm has publicized a list of 15 domains that are associated with this malicious activity, which security administrators can utilize to investigate historical DNS logs for potential signs of exploitation on their devices.
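As an added example (not code from Kaspersky, BleepingComputer or Apple), the following script shows how an administrator could sweep historical DNS query logs for the published domains. The domain names and log lines in it are constructed placeholders, not the 15 domains from the report; the real list would be substituted for the `IOC_DOMAINS` set. Matching is done on label boundaries so that a lookalike name such as `notexample.invalid` does not match an IoC `example.invalid`, and trailing dots and case differences in resolver logs are normalized away.

```python
"""Sweep historical DNS query logs for domains from an IoC list.

Added example for this article; not Kaspersky's or Apple's code. The
domains below are constructed placeholders, NOT the domains published
in the report: substitute the real list before use.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed placeholder IoC list (replace with the published domains).
IOC_DOMAINS = {
    "placeholder-c2-one.invalid",
    "placeholder-c2-two.invalid",
}

# Constructed sample log lines: "<timestamp> <client_ip> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2023-05-30T08:12:01Z 10.20.0.17 A www.example.com
2023-05-30T08:12:04Z 10.20.0.17 A placeholder-c2-one.invalid.
2023-05-30T08:15:22Z 10.20.0.42 AAAA cdn.Placeholder-C2-Two.invalid
2023-05-30T08:16:00Z 10.20.0.42 A notplaceholder-c2-one.invalid
2023-05-30T08:17:31Z 10.20.0.99 A mail.example.org
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    qname: str
    ioc: str


def normalize(name: str) -> str:
    """Lowercase and drop the trailing dot that resolver logs often keep."""
    return name.lower().rstrip(".")


def match_ioc(qname: str, iocs: Set[str]) -> Optional[str]:
    """Return the IoC that qname equals or is a subdomain of, else None.

    'notplaceholder-c2-one.invalid' must NOT match 'placeholder-c2-one.invalid',
    so the check is on label boundaries, not a substring search.
    """
    q = normalize(qname)
    for ioc in iocs:
        i = normalize(ioc)
        if q == i or q.endswith("." + i):
            return i
    return None


def sweep_dns_log(log_text: str, iocs: Set[str] = IOC_DOMAINS) -> List[Hit]:
    """Return one Hit per log line whose queried name matches an IoC."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the sweep
        ts, client_ip, _qtype, qname = parts
        ioc = match_ioc(qname, iocs)
        if ioc:
            hits.append(Hit(ts, client_ip, normalize(qname), ioc))
    return hits


if __name__ == "__main__":
    for h in sweep_dns_log(SAMPLE_DNS_LOG):
        print(f"{h.timestamp} {h.client_ip} queried {h.qname} (IoC {h.ioc})")
```

A hit only shows that a client resolved one of the domains; the client IP and timestamp are the pivot for correlating with device inventory and the infection signs described above, not proof of compromise on their own.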
Once root privileges have been obtained, the malware downloads a full-featured toolset that runs commands to collect system and user information and fetches additional modules from the C2 server.
It’s important to note that the APT toolset dropped onto the device lacks persistence mechanisms, and a simple reboot would be enough to halt it. At the moment, only a few details about the malware’s functionality have been disclosed, as the analysis of the final payload is still ongoing.
Russian Accusations Against the NSA
Russia’s FSB intelligence and security agency simultaneously issued a statement in alignment with Kaspersky’s report, implying that Apple had knowingly furnished the NSA with a backdoor mechanism which could be used to infiltrate Russian iPhones with spyware.
The FSB has claimed that they discovered malware infections on thousands of Apple iPhones belonging to Russian government officials and staff from the Israeli, Chinese, and several NATO member nation embassies within Russia. However, no evidence has been provided to substantiate these allegations.
The Russian government has previously advised all members and employees of the presidential administration to avoid using Apple iPhones and, if feasible, to abandon American-made technology altogether.
Kaspersky has verified to BleepingComputer that their Moscow headquarters and staff in other countries were impacted by this attack, yet clarified they are unable to corroborate a connection between their findings and the FSB report due to the absence of technical details from the government investigation.
However, a connection between the FSB statement and Kaspersky’s report was noted in an alert issued by Russia’s CERT.
Apple has been approached by BleepingComputer to respond to both Kaspersky’s findings and the FSB’s allegations, although a response is still pending.