Apple patched three new zero-day vulnerabilities exploited in attacks installing triangulation spyware on iPhones via no-click iMessage exploits.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released prior to iOS 15.7,” the company says, describing the tracked kernel and WebKit vulnerabilities as CVE-2023-32434 And CVE-2023-32435.
Both security flaws were discovered and reported by Kaspersky security researchers Georgy Kucherin, Leonid Bezvershenko and Boris Larin.
“The implant, which we have dubbed TriangleDB, is deployed after attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, which means that all traces of the implant are lost when the device is restarted.” Kaspersky said today.
“So if the victim restarts their device, the attackers have to re-infect it by sending an iMessage with a malicious attachment, thus restarting the entire exploit chain. If not restarted, the implant uninstalls after 30 days, unless this period is extended by the attackers.”
Used by US state hackers according to FSB claims
The attacks began in 2019 and are still ongoing, according to Kaspersky, which reported in early June that some iPhones in its network were infected with previously unknown spyware via zero-click iMessage exploits that exploited zero-click iOS bugs. day.
Kaspersky told BleepingComputer that the attack affected its Moscow office and employees in other countries.
FSB Russian Intelligence and Security Agency also claimed after Kaspersky’s report was published, Apple provided the NSA with a backdoor to help infect iPhones in Russia with spyware.
The FSB claimed to have found thousands of infected iPhones belonging to Russian government officials and embassy staff in Israel, China and NATO member countries.
“We have never worked with a government to insert a backdoor into an Apple product and we never will,” an Apple spokesperson told BleepingComputer.
Apple today also fixed a zero-day vulnerability in WebKit (CVE-2023-32439) reported by an anonymous researcher that may allow attackers to achieve arbitrary code execution on unpatched devices by exploiting a type confusion issue.
The company tackled three zero days in macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, watchOS 9.5.2And watchOS 8.8.1 with improved controls, input validation, and state management.
The list of affected devices is quite extensive, as day zero affects both older and newer models, and includes:
- iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation) and iPod touch (7th generation)
- Mac running macOS Big Sur, Monterey, and Ventura
- Apple Watch Series 4 and later, Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7 and SE
Nine zero-days patched since the beginning of the year
Since the start of the year, Apple has patched a total of 9 zero-day vulnerabilities that have been exploited in the wild to compromise iPhones, Macs, and iPads.
Last month, the company set three additional zero days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373), the first reported by researchers from the Google Threat Analysis Group and Amnesty International Security Lab and likely used to install commercial spyware.
In April, Apple fixed two more days zero (CVE-2023-28206 and CVE-2023-28205) that were deployed as part of zero-day and n-day exploit chains of Android, iOS and Chrome, and exploited to deploy mercenary spyware on devices belonging to high-risk targets worldwide.
In February, Apple has addressed another zero-day WebKit (CVE-2023-23529) exploited in attacks to achieve code execution on vulnerable iPhones, iPads, and Macs.