Operation Triangulation attacks relied on an undocumented hardware feature

Operation Triangulation attacks relied on an undocumented hardware feature

Experts discovered that Operation Triangulation targeting Apple iOS devices leveraged an undocumented hardware feature.

Researchers from the Russian cybersecurity firm Kaspersky discovered that threat actors behind the Operation Triangulation exploited an undocumented hardware feature to target Apple iOS devices.

In early June, Kaspersky uncovered a previously unknown APT group that is targeting iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation.

The experts discovered the attack while monitoring the network traffic of their own corporate Wi-Fi network dedicated to mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA).

According to Kaspersky researchers, Operation Triangulation began at least in 2019 and is still ongoing.

The attack chains commenced with a message sent via the iMessage service to an iOS device. The message has an attachment containing an exploit. The expert explained that the message triggers a remote code execution vulnerability without any user interaction (zero-click).

Shortly after Kaspersky’s disclosure, Russia’s FSB accused the US intelligence for the attacks against the iPhones. According to Russian intelligence, thousands of iOS devices belonging to domestic subscribers and diplomatic missions and embassies have been targeted as part of Operation Triangulation.

The operations aimed at gathering intelligence from diplomats from NATO countries, Israel, China and Syria.

FSB believes that Apple supported US intelligence in this cyberespionage campaign.

Kaspersky initially reported that the exploit used in the attack downloads multiple subsequent stages from the C2 server, including additional exploits for privilege escalation. The final payload is downloaded from the same C2 and is described by Kaspersky as a fully-featured APT platform.

Then the initial message and the exploit in the attachment are deleted.

The researchers noticed that the malicious toolset does not support persistence, likely due to the limitations of the OS. The devices may have been reinfected after rebooting. 

The attack successfully targeted iOS 15.7, the analysis of the final payload has yet to be finished. The malicious code runs with root privileges, it supports a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C2 server.

In June, Kaspersky announced that after a six-month-long investigation, they completed the collection of all the components of the attack chain and the analysis of the spyware implant, tracked as TriangleDB.

The attackers exploit the implant kernel vulnerability to obtain root privileges on the target iOS device and install the implant. The spyware is directly deployed in memory, but if the victim reboots the device the malware doesn’t persist. In any case, the implant uninstalls itself after 30 days if the system is not rebooted. However, attackers can extend this period.

On December 27, 2023, Boris Larin, Leonid Bezvershenko, and Georgy Kucherin delivered a presentation, titled, “Operation Triangulation: What You Get When Attack iPhones of Researchers”, at the 37th Chaos Communication Congress (37C3), held Hamburg. The researchers presented the results of their investigation into Operation Triangulation conducted with their colleagues, Igor Kuznetsov, Valentin Pashkov, and Mikhail Vinogradov.

The attack chain relied on the exploitation of four zero-day vulnerabilities that impacted iOS versions up to iOS 16.2. The threat actors send a specially crafted iMessage attachment, which is processed by the application without showing any signs to the user.

“This attachment exploits the remote code execution vulnerability CVE-2023-41990 in the undocumented, Apple-only ADJUST TrueType font instruction. This instruction had existed since the early nineties before a patch removed it.” reads the analysis published by Kaspersky.

The attackers also exploited an integer overflow vulnerability, tracked as CVE-2023-32434, in XNU’s memory mapping syscalls (mach_make_memory_entry and vm_map) to obtain read/write access to the entire physical memory of the device at user level.

The attackers also exploited CVE-2023-38606 to bypass the Page Protection Layer (PPL).

The Safari exploit uses CVE-2023-32435 to execute a shellcode. The experts noticed that the shellcode executes another kernel exploit in the form of a Mach object file. The shellcode uses the same vulnerabilities, CVE-2023-32434 and CVE-2023-38606.

The researchers explained that recent iPhone models support additional hardware-based security protection for sensitive areas of the kernel memory. The security feature protection prevents attackers from taking over the device by controlling the kernel memory by exploiting the flaw CVE-2023-32434. Kaspersky discovered that to bypass this hardware-based security protection, threat actors abused a hardware feature of Apple-designed SoCs.

“Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake. Because this feature is not used by the firmware, we have no idea how attackers would know how to use it” continues the experts.

Numerous peripheral devices within the SoC relies dedicated hardware registers for CPU operations. These registers are linked to CPU-accessible memory (“memory-mapped I/O (MMIO)).”

The experts pointed out that address ranges for MMIOs of peripheral devices in Apple products (including iPhones, Macs, and others) are stored in a specific file format called DeviceTree.

The analysis of the exploit used in the Operation Triangulation attack revealed that most of the MMIOs used by the threat actors do not belong to any MMIO ranges defined in the device tree. The exploit specifically targets Apple A12–A16 Bionic SoCs, targeting unknown MMIO blocks of registers.

“This is no ordinary vulnerability, and we have many unanswered questions. We do not know how the attackers learned to use this unknown hardware feature or what its original purpose was. Neither do we know if it was developed by Apple or it’s a third-party component like ARM CoreSight.” concludes the report. “What we do know—and what this vulnerability demonstrates—is that advanced hardware-based protections are useless in the face of a sophisticated attacker as long as there are hardware features that can bypass those protections.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, German hospital network)