
bogdanw

macrumors 603
Original poster
Mar 10, 2009
Kaspersky:
“While monitoring the network traffic of our own corporate Wi-Fi network dedicated for mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we noticed suspicious activity that originated from several iOS-based phones.”
"What we know so far
...
This allowed us to move the research forward, and to reconstruct the general infection sequence:
  • The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.
  • Without any user interaction, the message triggers a vulnerability that leads to code execution.
  • The code within the exploit downloads several subsequent stages from the C&C server, which include additional exploits for privilege escalation.
  • After successful exploitation, a final payload is downloaded from the C&C server, which is a fully-featured APT platform.
  • The initial message and the exploit in the attachment are deleted"
"The oldest traces of infection that we discovered happened in 2019. As of the time of writing in June 2023, the attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7."

https://securelist.com/operation-triangulation/109842/
 
Kaspersky official blog - Triangulation: Trojan for iOS
https://www.kaspersky.com/blog/triangulation-attack-on-ios/48353/
"We are quite confident that Kaspersky was not the main target of this cyberattack. The coming days will bring more clarity and further details on the worldwide proliferation of the spyware.

We believe that the main reason for this incident is the proprietary nature of iOS. This operating system is a “black box” in which spyware like Triangulation can hide for years. Detecting and analyzing such threats is made more difficult by Apple’s monopoly of research tools, making it the perfect haven for spyware. In other words, as I have said more than once, users are given the illusion of security associated with the complete opacity of the system. What actually happens in iOS is unknown to the cybersecurity experts. The absence of news about the attacks does not at all indicate the impossibility of the attacks themselves – as we have just seen."
 
Ars Technica - “Clickless” iOS exploits infect Kaspersky iPhones with never-before-seen malware
https://arstechnica.com/information...ersky-iphones-with-never-before-seen-malware/
" An Apple representative noted there's no indication in Kaspersky's account that any of the exploits work on iOS versions later than 15.7."
"In an email, an Apple representative denied the allegation, stating: 'We have never worked with any government to insert a backdoor into any Apple product and never will.'"
 
As it turns out, all Apple OSs were vulnerable
"Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky"

CVE-2023-32434 fixed in
iOS 16.5.1 and iPadOS 16.5.1
iOS 15.7.7 and iPadOS 15.7.7
macOS Ventura 13.4.1
macOS Monterey 12.6.7
macOS Big Sur 11.7.8
watchOS 9.5.2
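To show what "an integer overflow was addressed with improved input validation" means in practice, here is an added C example. It is a made-up, kernel-style length check and its overflow-checked replacement; it is not Apple's code and not the actual CVE-2023-32434 bug, and the names (user_req, KBUF_SIZE, vuln_validate, safe_validate, bytes_actually_written) are invented for illustration.

```c
/* Added illustration (not Apple's code, not the real CVE-2023-32434 bug):
 * a hypothetical kernel-style length check that an untrusted caller can
 * bypass via 32-bit integer wrap, beside the overflow-checked version.
 * Build with gcc or clang (uses __builtin_mul_overflow). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KBUF_SIZE 4096u   /* hypothetical fixed-size kernel buffer */

/* Request as handed to the kernel by an app: both fields attacker-controlled. */
struct user_req {
    uint32_t count;     /* number of records */
    uint32_t rec_size;  /* bytes per record */
};

/* Bytes the copy loop guarded by the validators would really write
 * (count iterations of rec_size bytes), computed without wrap. */
uint64_t bytes_actually_written(const struct user_req *r)
{
    return (uint64_t)r->count * (uint64_t)r->rec_size;
}

/* Vulnerable check: the product is formed in 32 bits, so it wraps modulo
 * 2^32 and a huge request can look tiny. */
bool vuln_validate(const struct user_req *r, uint32_t *out_len)
{
    uint32_t total = r->count * r->rec_size;   /* wraps silently */
    if (total > KBUF_SIZE)
        return false;
    *out_len = total;
    return true;
}

/* Hardened check ("improved input validation"): detect the wrap itself and
 * reject, then bound the true product. */
bool safe_validate(const struct user_req *r, uint32_t *out_len)
{
    uint32_t total;
    if (__builtin_mul_overflow(r->count, r->rec_size, &total))
        return false;                           /* product not representable */
    if (total > KBUF_SIZE)
        return false;
    *out_len = total;
    return true;
}

int main(void)
{
    /* Constructed inputs: a benign request and a wrapping one.
     * 0x01000001 * 0x100 = 0x1_0000_0100, which is 0x100 after 32-bit wrap. */
    struct user_req good = { 4u, 512u };
    struct user_req bad  = { 0x01000001u, 0x100u };
    uint32_t n;

    printf("good: vuln=%d safe=%d\n", vuln_validate(&good, &n), safe_validate(&good, &n));
    if (vuln_validate(&bad, &n))
        printf("bad : vuln accepts len=%u but loop writes %llu bytes into %u\n",
               n, (unsigned long long)bytes_actually_written(&bad), KBUF_SIZE);
    printf("bad : safe=%d\n", safe_validate(&bad, &n));
    return 0;
}
```

The point to take away: the wrapped product (256) sails through the bound check, while the loop it is supposed to protect would write about 4 GB into a 4 KB buffer; the fix rejects the request as soon as the multiplication cannot be represented, before any size comparison happens.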
 