According to Kaspersky, this is an ongoing investigation, and the perpetrators are yet to be determined.
The CEO of cybersecurity giant and antivirus vendor Kaspersky, Eugene Kaspersky, revealed in a blog post that dozens of iPhones used by their senior employees contained spyware capable of recording audio, capturing images from messaging apps, geolocation, and more.
The company noted that iOS devices on its WiFi network had become targets of threat actors who launched zero-day exploits as part of Operation Triangulation. The researchers discovered the oldest traces of infection in 2019, and it is believed that the attack is still active.
How Was the Activity Discovered?
Kaspersky researchers noted suspicious activity on several iPhones while monitoring network traffic for mobile devices on their corporate WiFi network through the KUMA (Kaspersky Unified Monitoring and Analysis) platform.
To investigate further, they created offline backups of these devices since they couldn’t inspect them from the inside and discovered an infection using the Mobile Verification Toolkit’s mvt-ios. This utility provides information about the sequence of events, allowing researchers to recreate the incident.
The attack begins with iOS phone users receiving an iMessage with an attachment that contains the exploit. Upon clicking, it triggers a vulnerability that leads to code execution without involving user input, making it a zero-click attack.
The malicious code downloads new payloads after connecting with the C2 server, which can include privilege escalation exploits. The final payload is a feature-rich APT platform.
“The analysis of the final payload is not finished yet. The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server,” the researchers wrote in their blog post.
Various Vulnerabilities Used to Get Deeper Access
Multiple vulnerabilities are combined to allow attackers deeper access to the compromised device. Once the final payload is downloaded, the message and the malicious attachments initiate self-deletion. The malware cannot maintain persistence if the device is rebooted, but researchers observed reinfection in some samples.
The exact nature of the bugs used in this attack chain is unclear, but one of the flaws could be the kernel extension vulnerability (CVE-2022-46690) patched by Apple in December 2022.
Kaspersky’s findings were published the same day the Russian security services released a statement blaming the US for exploiting Apple devices to launch reconnaissance operations.
“Several thousand telephone sets of this brand were infected….. In addition to domestic subscribers, facts of infection of foreign numbers and subscribers using SIM cards registered with diplomatic missions and embassies in Russia, including the countries of the NATO bloc and the post-Soviet space, as well as Israel, SAR, and China, were revealed,” Russian intelligence claimed.
However, Apple’s spokesperson refuted these allegations, stating that none of their products have ever contained a backdoor, and Apple would never collaborate with governments.
Regarding Kaspersky’s report, Apple stated that the issue was detected in some versions of iPhones (iOS version 15.7 and below), whereas currently, iOS devices run version 16.5.
Patrick Wardle, an iOS and macOS security researcher, told Wired that Kaspersky remained hacked by an iOS zero-day exploit for five years, and the issue has been discovered now, indicating that it is pretty challenging to detect zero-day exploits.
Kaspersky noted that this difficulty is caused by iOS’s locked-down design, making it tough to inspect iOS’s activities. This is an ongoing investigation, and the perpetrators are yet to be determined. Stay tuned for an update…