Kaspersky dishes dirt on 'Operation Triangulation' attacks
Kaspersky has provided new details on how attackers were able to exploit a little-known debugging tool to work around iOS security features
Researchers with security vendor Kaspersky are shedding new light on an iOS attack they believe to be among the 'most sophisticated' ever spotted in the wild.
Known to the researchers as 'Operation Triangulation', the iOS malware attack was first uncovered last Summer and its associated vulnerabilities were eventually addressed in a series of iOS firmware updates.
Since then, the Kaspersky team has dissected the malware and its associated exploits and, in a recent presentation, explained the inner workings of what they say is an unprecedented package of exploits and attack tools.
The attack was never attributed to any specific party, though Kaspersky provided the details to Russia's FSB who not so subtly suggested that it was the working of intelligence agencies affiliated with NATO.
"We discover and analyze new exploits and attacks using these on a daily basis," the researchers write.
"We have discovered and reported more than thirty in-the-wild zero-days in Adobe, Apple, Google, and Microsoft products, but this is definitely the most sophisticated attack chain we have ever seen."
The attack, say researchers, relied on a series of vulnerabilities but most notably CVE-2023-38606. That flaw, addressed in iOS 16.6, allowed an attacker to access specific kernel memory addresses that would have otherwise been locked away by CPU hardware protections.
A successful exploit allows the attacker to gain complete control over a vulnerable iOS device. Researchers believe that the vulnerability was in fact a relic of a debugging tool that was not fully removed from production hardware.
What stood out to the Kaspersky team was just how obscure the abused debugging features were. With no documentation or instructions, an attacker would have had to look long and hard to find the memory access registers.
"We do not know how the attackers learned to use this unknown hardware feature or what its original purpose was," explained researcher Boris Larin.
"Neither do we know if it was developed by Apple or it’s a third-party component like ARM CoreSight."
For the Kaspersky team, the takeaway for developers is to pay special attention to removing debug tools and backdoor access before code hits production. Even if a feature is undocumented and largely forgotten, it has the potential to be used in an exploit.
"Hardware security very often relies on “security through obscurity”, and it is much more difficult to reverse-engineer than software," noted Larin.
"But this is a flawed approach, because sooner or later, all secrets are revealed. Systems that rely on 'security through obscurity' can never be truly secure."