Kaspersky, a leading cybersecurity firm, has recently disclosed a disconcerting revelation regarding the compromise of numerous iPhones connected to its network. The attackers successfully exploited a zero-click vulnerability in Apple’s iMessage, allowing them to install malware on the devices without requiring any user interaction.
This malicious tactic involves delivering a message that triggers code execution, granting the attackers access to the device. Subsequently, the exploit enables the automatic download of additional harmful content from a server under the attacker’s control.
Disturbingly, the attackers swiftly erase the message and its attachment, leaving no trace, while the payload itself persists with elevated root privileges, collecting valuable system and user data and carrying out the attackers’ commands.
Analyzing the Ongoing Threat: Operation Triangulation
Kaspersky’s relentless efforts to combat cyber threats have led to the tracking of a long-standing campaign named “Operation Triangulation” since 2019. This campaign continues to pose significant threats to iPhone users worldwide. In an endeavor to gather more insights and combat this nefarious activity, Kaspersky encourages individuals with pertinent information about the campaign to come forward and share their knowledge and findings.
Zero-Click iOS Malware Activity Exposed
To gain a deeper understanding of the compromised iPhones and the behavior of the malware, Kaspersky employed the Mobile Verification Toolkit, an invaluable tool that enabled analysis of the attack process and the malware’s actions on infected devices. Without this toolkit, comprehending the attack process and its repercussions would have been near impossible.
Persistent Indications of Infection
Despite the malware’s attempts to cover its tracks, specific signs of infection endure. These include alterations to system files that impede the installation of iOS updates, abnormal data consumption patterns, and the introduction of outdated libraries into the system. Astonishingly, the earliest indications of infection date back to 2019, highlighting the resilience and adaptability of this malicious toolset. Even the most recent iOS version, 15.7, has fallen victim to this threat.
Detecting Implicit Indicators of Infection
During the transmission of the iMessage, the malicious attachment remains encrypted and is retrieved via HTTPS, rendering it challenging to identify explicit indicators of compromise. However, a potential implicit indicator lies in the size of the downloaded data, which typically amounts to approximately 242 Kb. This unique characteristic can assist in identifying potential instances of compromise on iOS devices.
Exploiting Undisclosed Vulnerabilities: The Role of iMessage
The exploit leverages undisclosed vulnerabilities in iMessage, utilizing it as a delivery channel for initiating code execution on iOS devices. This grants the attacker the ability to retrieve additional stages from their server, potentially including exploits for privilege escalation.
Protective Measures: Identifying C&C Domains
To aid security administrators in detecting signs of exploitation on their devices, Kaspersky has compiled a comprehensive list of 15 domains associated with this malicious activity. By cross-referencing these domains with historical DNS logs, administrators can effectively investigate any potential compromise indicators.
The Command and Control (C&C) Domains:
- addatamarket[.]net
- backuprabbit[.]com
- businessvideonews[.]com
- cloudsponcer[.]com
- datamarketplace[.]net
- mobilegamerstats[.]com
- snoweeanalytics[.]com
- tagclick-cdn[.]com
- topographyupdates[.]com
- unlimitedteacup[.]com
- virtuallaughing[.]com
- web-trackers[.]com
- growthtransport[.]com
- anstv[.]net
- ans7tv[.]net
Conclusion
The recent report by Kaspersky sheds light on the alarming compromise of iPhones through zero-click exploits, exposing the gravity of the ongoing threat. Operation Triangulation, the campaign responsible for these attacks, continues to jeopardize the security and privacy of iOS users.
By employing advanced analysis techniques, such as the Mobile Verification Toolkit, security experts can gain valuable insights into the attack process and devise effective countermeasures.
It is crucial for individuals with relevant information to collaborate with cybersecurity firms like Kaspersky to collectively combat this menace and safeguard the iOS ecosystem.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
