The most complex iPhone attack chain ever: Kaspersky releases details of Operation Triangulation

In June this year, cybersecurity firm Kaspersky released a public report stating that iPhones used by some of its employees had been compromised. The attackers chained multiple sophisticated zero-click exploits, infecting the iPhones and establishing persistent surveillance without any interaction from the victims.

This incident, dubbed “Operation Triangulation” by Kaspersky, was reported to Apple, leading to multiple updates in late June to patch the vulnerabilities.

However, the details of these vulnerabilities were not disclosed at the time: rolling out iPhone updates takes time, and researchers generally delay publishing details so that attackers cannot exploit the vulnerabilities while some users have yet to upgrade.

Half a year after the vulnerabilities were published, Kaspersky researchers presented a detailed report and technical insights at the recent Chaos Communication Congress.

Kaspersky has described the iMessage zero-click exploits used by Pegasus, the spyware of the Israeli commercial surveillance vendor NSO Group, as among the most technically complex ever seen. The Triangulation attack appears to be on the same terrifying level.

Here is the complete attack chain as reconstructed by Kaspersky, including the four 0-day vulnerabilities used to obtain root access on victim devices:

  1. Attackers send a malicious iMessage attachment to the target user. When the victim’s iPhone receives the message, iMessage processes the attachment automatically without any alerts.
  2. The malicious attachment exploits a remote code execution vulnerability, CVE-2023-41990, in the handling of the undocumented, Apple-only ADJUST TrueType font instruction.
  3. The malicious code uses return/jump-oriented programming (ROP/JOP) and multiple stages written in the NSExpression/NSPredicate query language, then exploits the JavaScriptCore library environment for privilege escalation.
  4. The JavaScript exploit used by the attackers is obfuscated to make the code unreadable. Despite this, researchers determined that it contains about 11,000 lines of code, mainly devoted to JavaScriptCore and memory parsing operations.
  5. The attackers use the JavaScriptCore debugging feature DollarVM ($vm) to gain the ability to manipulate JavaScriptCore memory and to call native APIs from the script.
  6. To support both older and newer iPhones, the exploit includes a Pointer Authentication Code (PAC) bypass for use on the latest models.
  7. Attackers exploit an integer overflow vulnerability in the XNU memory mapping system, CVE-2023-32434, to gain user-level read/write access to the entire physical memory of the device.
  8. The attackers use hardware memory-mapped I/O (MMIO) registers to bypass the Page Protection Layer (PPL); this issue was mitigated as CVE-2023-38606.
  9. After exploiting all of these vulnerabilities, the JavaScript exploit can perform any operation on the device, including running spyware, but the attackers instead choose to:
    a. Launch the IMAgent process and inject a payload that clears exploitation traces from the device.
    b. Run the Safari process in invisible mode and redirect it to a webpage used in the next attack stage.
  10. This webpage contains a script that verifies the victim and, if the check passes, proceeds to the next stage: the Safari exploit.
  11. The Safari exploit, CVE-2023-32435, is used to execute the shellcode.
  12. The shellcode executes another kernel exploit, in the form of a Mach object file, using the same vulnerabilities: CVE-2023-32434 and CVE-2023-38606. This kernel exploit is entirely different from the earlier one written in JavaScript, but it too is largely devoted to memory parsing operations, although these are not much used in the later stages.
  13. This exploit gains root access and continues to execute other stages, including loading spyware.

Kaspersky states that the attackers reverse-engineered almost every aspect of the attack chain, which indicates that their goals are far from ordinary and possibly involve espionage or political motives.

In 2024, the Kaspersky team plans to publish further articles on the Triangulation attack. Interested readers are encouraged to consult the original Kaspersky report for a detailed analysis of each vulnerability.