You must be registered for see links
spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company.Russian cybersecurity firm Kaspersky, which
You must be registered for see links
the
You must be registered for see links
at the beginning of 2023 after becoming one of the targets,
You must be registered for see links
it as the "most sophisticated attack chain" it has ever observed to date. The campaign is believed to have been active since 2019.The exploitation activity involved the use of four zero-day flaws that were fashioned into a chain to obtain an unprecedented level of access and backdoor target devices running iOS versions up to iOS 16.2 with the ultimate goal of gathering sensitive information.
The starting point of the zero-click attack is an iMessage bearing a malicious attachment, which is automatically processed sans any user interaction to ultimately obtain elevated permissions and deploy a spyware module. Specifically, it involves the weaponization of the following vulnerabilities -
- CVE-2023-41990 - A flaw in the FontParser component that could lead to arbitrary code execution when processing a specially crafted font file, which is sent via iMessage. (Addressed in
You must be registered for see linksandYou must be registered for see links)
-
You must be registered for see links- An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges. (Addressed in iOS 15.7.7, iOS 15.8, and iOS 16.5.1 )
-
You must be registered for see links- A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content. (Addressed in iOS 15.7.7 and iOS 16.5.1)
-
You must be registered for see links- An issue in the kernel that permits a malicious app to modify sensitive kernel state. (Addressed in iOS 16.6)
You must be registered for see links
to resolve two other flaws (CVE-2023-41061 and CVE-2023-41064) that were actively abused in connection with a Pegasus spyware campaign.This also brings the tally of the
You must be registered for see links
resolved by Apple since the start of the year to 20.Of the four vulnerabilities, CVE-2023-38606 deserves a special mention as it facilitates a bypass of hardware-based security protection for sensitive regions of the kernel memory by leveraging memory-mapped I/O (
You must be registered for see links
) registers, a feature that was never known or documented until now.The exploit, in particular, targets Apple A12-A16 Bionic SoCs, singling out unknown MMIO blocks of registers that belong to the GPU coprocessor. It's currently not known how the mysterious threat actors behind the operation learned about its existence. Also unclear is whether it was developed by Apple or it's a third-party component like ARM CoreSight.
To put it in another way, CVE-2023-38606 is the crucial link in the exploit chain that's closely intertwined with the success of the Operation Triangulation campaign, given the fact that it permits the threat actor to gain total control of the compromised system.
"Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake," security researcher Boris Larin said. "Because this feature is not used by the firmware, we have no idea how attackers would know how to use it."
"Hardware security very often relies on 'security through obscurity,' and it is much more difficult to reverse-engineer than software, but this is a flawed approach, because sooner or later, all secrets are revealed. Systems that rely on "security through obscurity" can never be truly secure."
The development comes as the Washington Post
You must be registered for see links
that Apple's warnings in
You must be registered for see links
about Indian journalists and opposition politicians may have been targeted by state-sponsored spyware attacks prompted the government to question the veracity of the claims and describe them as a case of "algorithmic malfunction" within the tech giant's systems.In addition, senior administration officials demanded that the company soften the political impact of the
You must be registered for see links
and pressed the company to provide alternative explanations as to why the warnings may have been sent. So far, India has neither confirmed nor denied using spyware such as those by NSO Group's Pegasus.Citing people with knowledge of the matter, the Washington Post noted that "Indian officials asked Apple to withdraw the warnings and say it had made a mistake," and that "Apple India's corporate communications executives began privately asking Indian technology journalists to emphasize in their stories that Apple's warnings could be false alarms" to shift the spotlight away from the government.
From:
You must be registered for see links
