2025 Mar 14, 10:09
Researchers have unveiled new findings regarding a sophisticated attack that targeted iPhones over a four-year period. The attack, which backdoored numerous devices, affected employees of Moscow-based security firm Kaspersky, as well as individuals working in diplomatic missions and embassies in Russia. The unknown attackers exploited a vulnerability in an undisclosed hardware feature, revealing an unprecedented level of access. Kaspersky researcher Boris Larin emphasized the attackers' advanced technical capabilities, although the origin of their knowledge remains uncertain.
Whether accidental disclosures or reverse engineering played a role remains to be determined. Key questions about the hardware feature's purpose, and whether it is native or of third-party origin, also remain unanswered. Kaspersky conducted an intensive year-long investigation but is still unsure about various aspects of the attack. The malware infected iPhones through iMessage texts that carried spyware, which transmitted sensitive data to attacker-controlled servers.
This campaign stayed under the radar; after a device reboot, the attackers delivered new malicious messages. Kaspersky revealed that the malware, called "Triangulation," exploited four zero-day vulnerabilities. These critical flaws permitted the unknown attackers to gain control of Apple devices; the affected platforms, which the exploits specifically targeted, include Macs, iPods, iPads, Apple TVs, and Apple Watches.
Detecting infections proved to be immensely challenging, even for experts. Despite this, Kaspersky offered indicators of compromise to aid in detection. The most intriguing aspect of the attack was the exploitation of the undisclosed hardware feature, which significantly contributed to the success of Operation Triangulation. By exploiting a zero-day vulnerability in this feature, the attackers bypassed hardware-based memory protections, enabling tampering with the underlying kernel's memory.
Apple's advanced protection measures prevented key post-exploitation techniques, such as code injection or kernel modification, but this defense was overcome by exploiting the secret hardware function. Even devices with Apple's advanced protection, including those equipped with M1 and M2 CPUs, were affected. Kaspersky researchers discovered the secret hardware function after extensive reverse engineering of infected devices. Attention was drawn to hardware registers, which facilitate CPU interaction with peripheral components such as USB and memory controllers.
Memory-mapped I/O (MMIO) lets software write to specific hardware registers. The researchers noted that certain MMIO addresses used by the attackers were absent from device tree descriptions, making them difficult to identify. Despite exhaustive searches, the MMIO addresses were not found in source code, kernel images, or firmware.
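The triage step described above, checking observed MMIO addresses against the ranges a device tree actually declares, can be illustrated with a small script. The following is an added example, not Kaspersky's tooling or anything from the original report: it assumes a devicetree-source-style text in which each node declares its register windows as `reg = <base size>;` pairs with one address cell and one size cell, and both the device tree fragment and the list of observed addresses are constructed values, not Triangulation indicators.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed device-tree-source fragment (not a real Apple device tree).
# Each node declares the MMIO windows it owns with "reg = <base size>;".
SAMPLE_DTS = """
/ {
    soc {
        usb@deadb000 {
            compatible = "example,usb-ctrl";
            reg = <0xdeadb000 0x1000>;
        };
        memctl@feed0000 {
            compatible = "example,mem-ctrl";
            reg = <0xfeed0000 0x4000>, <0xfeed8000 0x100>;
        };
    };
};
"""

# Constructed list of MMIO addresses "seen" being written by a suspicious
# process; the last one deliberately lies outside every declared window.
OBSERVED_ACCESSES = [0xDEADB010, 0xFEED8040, 0x2F0CAFE0]


@dataclass(frozen=True)
class MmioRange:
    node: str   # device tree node that declares this window
    base: int   # first address of the window
    size: int   # window length in bytes

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


NODE_OPEN_RE = re.compile(r"([\w@,\-/]+)\s*\{")
REG_RE = re.compile(r"reg\s*=\s*([^;]+);")
CELLS_RE = re.compile(r"<([^>]+)>")


def parse_reg_ranges(dts: str) -> List[MmioRange]:
    """Walk the DTS text line by line, tracking the innermost open node, and
    collect every <base size> pair from each node's reg property.
    Assumes #address-cells = #size-cells = 1 (one integer each)."""
    ranges: List[MmioRange] = []
    stack: List[str] = []
    for line in dts.splitlines():
        opened = NODE_OPEN_RE.search(line)
        if opened:
            stack.append(opened.group(1))
        reg = REG_RE.search(line)
        if reg:
            owner = stack[-1] if stack else "?"
            for group in CELLS_RE.findall(reg.group(1)):
                cells = [int(tok, 0) for tok in group.split()]
                # pair cells up as (base, size); a dangling odd cell is ignored
                for base, size in zip(cells[0::2], cells[1::2]):
                    ranges.append(MmioRange(owner, base, size))
        if "}" in line and stack:
            stack.pop()
    return ranges


def classify_mmio_accesses(ranges: List[MmioRange],
                           addrs: List[int]) -> Dict[int, Optional[str]]:
    """Map each observed address to the node that declares it, or None when
    no declared window covers it (the case worth a closer look)."""
    return {
        addr: next((r.node for r in ranges if r.contains(addr)), None)
        for addr in addrs
    }


def undocumented_accesses(ranges: List[MmioRange], addrs: List[int]) -> List[int]:
    """Return the observed addresses that no device tree node accounts for."""
    owners = classify_mmio_accesses(ranges, addrs)
    return [addr for addr in addrs if owners[addr] is None]


if __name__ == "__main__":
    known = parse_reg_ranges(SAMPLE_DTS)
    for addr, owner in classify_mmio_accesses(known, OBSERVED_ACCESSES).items():
        print(f"{addr:#010x}: {owner or 'NOT DECLARED in device tree'}")
```

An address that lands in no declared window is not proof of anything on its own; a real device tree may omit ranges for benign reasons, so the output is a list of addresses to cross-check against kernel images and firmware, which is exactly the search the researchers describe.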