A hardware feature present in an Apple system-on-a-chip (SoC) was abused to successfully bypass protections and take over devices in attacks targeting the iPhones of dozens of Kaspersky senior employees earlier this year, the Russian cybersecurity vendor reports.
As part of the attacks, which are referred to as ‘Operation Triangulation’, multiple iOS zero-day vulnerabilities were exploited to execute code and install spyware on the target devices.
Dubbed TriangleDB, the spyware implant was designed to be as stealthy as possible, with the infection chain involving multiple checks and log-erasing actions to prevent the malware’s identification.
Apple released patches for three of the exploited vulnerabilities in June and July, noting that they could only be exploited in attacks against iOS versions before iOS 15.7.
Previously, Kaspersky explained that the attacks employed malicious iMessage attachments that would exploit a remote code execution (RCE) zero-day (tracked as CVE-2023-32434) and deploy TriangleDB without user interaction.
Two other zero-day flaws were also exploited as part of the infection chain, including an RCE issue in Apple-only ADJUST TrueType font instruction (CVE-2023-41990) and a bypass of hardware-based security protections (CVE-2023-38606).
The most interesting of these issues, Kaspersky notes in a technical write-up, is CVE-2023-38606, as it allowed the JavaScript exploit in Operation Triangulation to use “hardware memory-mapped I/O (MMIO) registers to bypass the Page Protection Layer (PPL)”.
“If we try to describe this feature and how the attackers took advantage of it, it all comes down to this: they are able to write data to a certain physical address while bypassing the hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware,” Kaspersky notes.
The exploited feature, the cybersecurity firm says, was likely intended for debugging purposes or might have been included by error, as it is undocumented and unknown.
The MMIO registers used in the attack do not belong to the known MMIO ranges of peripheral devices in Apple products that are defined and stored in the special file format called DeviceTree.
Kaspersky’s analysis of the exploit chain revealed that the targeted registers belonged to the GPU coprocessor, and that the attackers abused them to write to memory, bypass protections, and achieve RCE.
“This is no ordinary vulnerability, and we have many unanswered questions. We do not know how the attackers learned to use this unknown hardware feature or what its original purpose was. Neither do we know if it was developed by Apple or it’s a third-party component like ARM CoreSight,” Kaspersky notes.
In June, on the same day that Kaspersky disclosed the iOS zero-click attacks, Russia’s Federal Security Service (FSB) blamed the US National Security Agency for a spy campaign targeting thousands of iOS devices.
Related: Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
Related: Spyware Caught Masquerading as Israeli Rocket Alert Applications
Related: Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks