Deep Dive — Operation Triangulation
TL;DR — Kaspersky have discovered that they, and Russian government officials, were targeted by very advanced iOS malware that completely took over iOS devices for the last 4 years. Apple have patched all the exploited vulnerabilities, regular users were not targeted, and Kaspersky say there is not enough evidence to link the exploit to any particular group or government.
The Ars Technica writeup by Dan Goodin linked below gives the most detailed summary I have read, so I won’t try to duplicate it; instead, I want to highlight the key facts we know:
- The attacks were in use and went undetected for 4 years
- The attacks were very tightly targeted to keep them secret for as long as possible, which is why regular users don’t need to worry
- The attacks were delivered via iMessage, and the malware was able to infect the device without any user interaction, i.e. they were zero-click
- The attacks did not survive a reboot, but victims were regularly re-infected with fresh malicious iMessages
- Because of how many layers of security Apple have added to iOS, the attackers needed four zero-day vulnerabilities to work around Address Space Layout Randomisation and hardware kernel protections — a bug in TrueType, a kernel bug, a previously unknown, undocumented hardware feature/bug, and a Safari bug
- The hardware feature/bug is the most mysterious; here is what Kaspersky concluded:
  “Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake”
- Apple have patched all four vulnerabilities, including the hardware bug
Security researchers are describing this as the most advanced attack they have ever seen. It is clearly a big operation backed by very substantial resources, so probably a nation-state or a group of nation-states, but no one knows which. This is the most Kaspersky would conclude:
“Currently, we cannot conclusively attribute this cyberattack to any known threat actor … The unique characteristics observed in Operation Triangulation don’t align with patterns of known campaigns, making attribution challenging at this stage”
More details may emerge as time goes on, but for now, any claims that a specific government or group were responsible, or any assertions that Apple did this intentionally are pure speculation, so don’t fall for the click-bait.
Also note that the fact that this was so difficult to pull off proves how hard Apple are working to harden the iPhone.
Finally, remember that the probability that any NosillaCastaway was in any way affected by these vulnerabilities is so low as to be effectively zero — billion-dollar exploits are not wasted on regular folk like us!
- An excellent writeup from Dan Goodin: 4-year campaign backdoored iPhones using possibly the most advanced exploit ever — arstechnica.com/…
- The original report from Kaspersky: Operation Triangulation: The last (hardware) mystery — securelist.com/…
❗ Action Alerts
- Patch now: Update Chrome to fix 8th zero-day of 2023 — www.intego.com/…
- Apple has released macOS Sonoma 14.2.1 which contains one security fix — www.intego.com/…
- A good reminder why software piracy is dangerous: Fake VPN Chrome extensions force-installed 1.5 million times — www.bleepingcomputer.com/…
  “According to ReasonLabs, which discovered the malicious extensions, they are spread via an installer hidden in pirated copies of popular video games like Grand Theft Auto, Assassin’s Creed, and The Sims 4, which are distributed from torrent sites.”
- EasyPark discloses data breach that may impact millions of users — www.bleepingcomputer.com/…
  - No passwords or full payment details, but names, addresses, and partial credit/debit card numbers or IBANs — the biggest risk is automated, targeted and convincing phishing
  - An interesting detail is how customers are being notified — with in-app notifications (if you think you might be affected, just open the app, and if you are, it will tell you so)
- Free iCloud storage scams seem to be on the rise, possibly because attackers know Santa delivered a lot of new iOS devices recently: Don’t fall for “iCloud FREE Storage Notice” email scams — www.intego.com/…
- An example of a trend in modern ransomware attacks we should be aware of — ransoming the exposed users when the company doesn’t pay up: Integris Health patients get extortion emails after cyberattack — www.bleepingcomputer.com/… (Oklahoma’s biggest not-for-profit healthcare network)
- Google Chrome’s Safety Check feature is being expanded and will run automatically in the background on desktop versions of the browser — www.bleepingcomputer.com/…
  “Safety Check compares login credentials against those exposed in data leaks. It also checks for weak and easy-to-guess passwords that expose users to brute-force attacks or password-cracking attempts.”
  “Google will broaden Safety Check’s functionality to automatically revoke permissions, such as access to the users’ location or microphone, for websites that haven’t been visited for a long time”
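To make the three checks described above concrete, here is an added example (my own illustration, not Google’s code) that runs them locally over constructed data: a leaked-credential check done by comparing password hashes rather than plaintext, a weak-password heuristic, and a stale-permission sweep. The breach corpus, credentials and permission grants are all made up for the demo.

```python
"""Local stand-in for the three Safety Check behaviours in the story:
leaked credentials, weak passwords, stale site permissions.
Added example with constructed data; not Chrome's implementation."""
import hashlib
from datetime import date, timedelta

# Constructed "breach corpus": only SHA-1 digests are stored, never plaintext.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
               for p in ("password123", "letmein", "qwerty1")}
COMMON_WORDS = {"password", "letmein", "qwerty", "admin", "welcome"}

def is_leaked(pw: str) -> bool:
    """Hash the candidate and look it up; the plaintext never leaves this call."""
    return hashlib.sha1(pw.encode()).hexdigest() in LEAKED_SHA1

def is_weak(pw: str) -> bool:
    """Easy-to-guess heuristics: short, fewer than three character classes,
    or a dictionary word padded with trailing digits/symbols."""
    if len(pw) < 12:
        return True
    classes = sum((any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))
    if classes < 3:
        return True
    return pw.lower().rstrip("0123456789!@#$%^&*") in COMMON_WORDS

def stale_permissions(grants, today, max_idle_days=60):
    """Return (origin, permission) pairs whose site was last visited too long ago."""
    cutoff = today - timedelta(days=max_idle_days)
    return [(origin, perm) for origin, perm, last in grants if last < cutoff]

def safety_check(credentials, grants, today):
    report = {"leaked": [], "weak": [], "revoke": []}
    for origin, pw in credentials:
        if is_leaked(pw):
            report["leaked"].append(origin)
        if is_weak(pw):
            report["weak"].append(origin)
    report["revoke"] = stale_permissions(grants, today)
    return report

def demo():
    """Run the check over constructed sample data (hypothetical origins)."""
    creds = [("bank.example", "password123"),
             ("mail.example", "Correct-Horse-Battery-9"),
             ("shop.example", "Welcome2024!")]
    grants = [("news.example", "location", date(2023, 9, 1)),
              ("maps.example", "location", date(2023, 12, 20))]
    return safety_check(creds, grants, today=date(2023, 12, 31))

if __name__ == "__main__":
    print(demo())
```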