Kaspersky researchers have uncovered an ongoing mobile Advanced Persistent Threat (APT) campaign targeting iOS devices (iPhone users) with previously unknown malware.
Dubbed as ‘Operation Triangulation’, the campaign distributes zero-click exploits via iMessage to run malware gaining complete control over the device and user data, with the final goal to hiddenly spy on users.
The new mobile APT campaign was uncovered while monitoring the network traffic of its corporate Wi-Fi network using the Kaspersky Unified Monitoring and Analysis Platform (KUMA).
Upon further analysis, company researchers discovered the threat actor has been targeting iOS devices of dozens of company employees.
The investigation of the attack technique is still ongoing, but so far Kaspersky researchers were able to identify the general infection sequence.
The victim received a message via iMessage with an attachment containing a zero-click exploit.
Without any further interaction, the message triggered a vulnerability that led to code execution for privilege escalation and provided full control over the infected device.
Once the attacker successfully established its presence in the device, the message was automatically deleted.
Further, the spyware quietly transmitted private information to remote servers: including microphone recordings, photos from instant messengers, geolocation and data about a number of other activities of the owner of the infected device.
During the analysis, it was confirmed that there was no impact on the company’s products, technologies and services, and no Kaspersky customer user data or critical company processes were affected.
The attackers could only access data stored on the infected devices.
Although not certain, it is believed that the attack was not targeted specifically at Kaspersky – the company’s just first to discover it. The following days will likely bring more clarity about the global exposure of this cyberattack.
“When it comes to cybersecurity, even the most secure operating systems can be compromised. As APT actors are constantly evolving their tactics and searching for new weaknesses to exploit, businesses must prioritise security of their systems. This involves prioritising employee education and awareness, and providing them with the latest threat intelligence and tools to effectively recognise and defend against potential threats,” said Igor Kuznetsov, head of the EEMEA unit at Kaspersky Global Research and Analysis Team (GReAT).
What we know so far
Mobile device backups contain a partial copy of the filesystem, including some of the user data and service databases.
The timestamps of the files, folders and the database records allow to roughly reconstruct the events happening to the device. The mvt-ios utility produces a sorted timeline of events into a file called “timeline.csv”, similar to a super-timeline used by conventional digital forensic tools.
Using this timeline, we were able to identify specific artifacts that indicate the compromise. This allowed to move the research forward, and to reconstruct the general infection sequence:
- The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.
- Without any user interaction, the message triggers a vulnerability that leads to code execution.
- The code within the exploit downloads several subsequent stages from the C&C server, that include additional exploits for privilege escalation.
- After successful exploitation, a final payload is downloaded from the C&C server, that is a fully-featured APT platform.
- The initial message and the exploit in the attachment is deleted
The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting.
The oldest traces of infection that we discovered happened in 2019. As of the time of writing in June 2023, the attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7.
The analysis of the final payload is not finished yet.
The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server.
“Our investigation of the Triangulation operation continues. We expect further details on it to be shared soon, as there can be targets of this spy operation outside Kaspersky.” he added
To check if your iOS device is infected or not, follow instructions on Securelist.
How to Avoid the Malware
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- For endpoint level detection, investigation, and timely remediation of incidents, use a reliable security solution for businesses, like Kaspersky Unified Monitoring and Analysis Platform (KUMA).
- Update Microsoft Windows OS and other third-party software as soon as possible and do so regularly
- Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence (https://apo-opa.info/43V1DnQ) is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training (https://apo-opa.info/45J0iRN) developed by GReAT experts.
- As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform (https://apo-opa.info/3X1m0wN)