A new disclosure by Kaspersky's Global Research and Analysis Team (GReAT) has revealed a previously unknown hardware feature in Apple iPhones that has played a crucial role in the advanced persistent threat (APT) campaign, dubbed 'Operation Triangulation'.
According to the Global Research and Analysis Team, the vulnerability was uncovered within Apple's system on a chip (SoC) and enabled threat actors to circumvent hardware-based memory protection, effectively hijacking iPhones and gaining full control over the devices.
A hardware feature likely purposed for testing or debugging allowed for this breach of the iPhone's memory protections. During the first non-interactive iMessage attack and subsequent privilege escalation, Kspersky says threat actors utilised this hardware feature to manipulate the contents of protected memory regions, gaining complete control over iOS devices, including those running versions up to iOS 16.6. The feature was not publicly documented, making its detection and analysis a significant challenge using standard cybersecurity methods.
"This is no ordinary vulnerability. Due to the closed nature of the iOS ecosystem, the discovery process was both challenging and time-consuming, necessitating an in-depth comprehension of both hardware and software architectures," remarked Boris Larin, Principal Security Researcher at Kaspersky's GReAT.
"The discovery underscores the fact that even superior hardware-based protections can be circumvented by a sophisticated attacker, especially when there are hardware features that facilitate bypassing such protections," he says.
The APT campaign, Operation Triangulation, which was unearthed by Kaspersky earlier this summer, targets iOS devices. This highly intricate campaign leverages zero-click exploits circulated via iMessage, allowing attackers to gain full control over the targeted device and access user data. In response to this threat, Apple released security updates to address four zero-day threats identified by Kaspersky's researchers. Kaspersky also alerted Apple about the misuse of the hardware feature, which led to Apple addressing this vulnerability.
To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
Update your operating system, applications, and antivirus software regularly to patch any known vulnerabilities. Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the companys TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years. Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response. Investigate alerts and threats identified by security controls with Kaspersky's Incident Response and Digital Forensics services to gain deeper insights.