Shweta Sharma
Senior Writer

Apple patches exploits used in spy campaign ‘Operation Triangulation’

Jun 22, 2023 | 3 mins

Apple has released fixes for both the new and the affected versions of iOS.

Woman wearing Apple's Vision Pro headset
Credit: Apple

Apple has shipped patches for the remote code execution (RCE) vulnerabilities in iOS that have already been exploited in the wild as part of the digital spying campaign dubbed Operation Triangulation.

The campaign used two zero-click iMessage exploits that compromise a device without any user interaction, built on a pair of bugs in the kernel and WebKit respectively.

Apple has attributed the discovery of these vulnerabilities to Kaspersky Lab just two weeks after the Russian cybersecurity firm reported discovering an advanced persistent threat (APT) actor launching zero-click iMessage exploits on Russian iOS devices.

Apple characterized the exploited vulnerabilities as problems related to memory corruption within the kernel (CVE-2023-32434), which enables an application to execute arbitrary code with kernel privileges, and an issue identified in WebKit (CVE-2023-32435), which allows code execution through web content.

To address these issues, the company has rolled out patches in the latest updates of its operating systems: iOS 16.5.1, iPadOS 16.5.1, iOS 15.7.7, and iPadOS 15.7.7.

The fixes have been released both for the latest version (iOS 16.5.1) and the original vulnerable version (before iOS 15.7). Apple noted that the attacks have only been seen on devices running iOS versions older than iOS 15.7.

Beyond iPhones and iPads, patches were also released for macOS and watchOS.
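As an added example (not code from the article, Apple or Kaspersky), the following Python check sorts devices from an MDM export by whether they run at least the fixed releases the article names, 16.5.1 on the iOS 16 branch and 15.7.7 on the iOS 15 branch; the inventory lines and device ids are constructed, and versions on other branches are flagged for manual review rather than guessed at.

```python
# Added example: check whether an iOS/iPadOS version string carries Apple's
# fix for CVE-2023-32434 / CVE-2023-32435, using the fixed releases named in
# the article (16.5.1 for iOS 16, 15.7.7 for iOS 15). Sample data is constructed.
from typing import Optional, Tuple

# Minimum patched version per major branch, as listed in the article.
FIXED_VERSIONS = {
    16: (16, 5, 1),
    15: (15, 7, 7),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.5.1' or '15.7' into a comparable tuple padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(version_text: str) -> Optional[bool]:
    """True if at or above the branch's fixed release, False if below it,
    None if the major branch is not one the article covers (needs review)."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version >= fixed


def triage_inventory(lines) -> dict:
    """Group constructed 'device_id,os_version' records by patch state."""
    result = {"patched": [], "unpatched": [], "review": []}
    for line in lines:
        device_id, os_version = (field.strip() for field in line.split(","))
        state = is_patched(os_version)
        bucket = "review" if state is None else ("patched" if state else "unpatched")
        result[bucket].append(device_id)
    return result


if __name__ == "__main__":
    # Constructed sample MDM export, not real devices.
    sample = ["ipad-01,16.5.1", "iphone-02,16.5", "iphone-03,15.7.7",
              "iphone-04,15.6", "iphone-05,14.8.1"]
    for bucket, devices in triage_inventory(sample).items():
        print(f"{bucket}: {devices}")
```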

Exploits linked to alleged US spy campaign

Earlier this month, Kaspersky reported the APT attack, codenamed Operation Triangulation, using zero-click iMessage exploits on its corporate iOS devices.

The disclosure came on the same day Russia's Federal Security Service (FSB) blamed US intelligence agencies for an ongoing spy campaign that allegedly targeted a huge number of iOS devices belonging to foreign diplomats as well as domestic users.

An Apple spokesperson denied the company’s involvement in the campaign in a SecurityWeek article, saying, "We have never worked with any government to insert a backdoor into any Apple product and never will."

Kaspersky found spyware running regex matches

The spyware used in Operation Triangulation, according to Kaspersky, targeted iPhones via iMessages with a malicious attachment that carried an exploit for an RCE vulnerability.

The code used in the exploit additionally downloads extra components to acquire root privileges on the targeted device. Once root is obtained, a spyware implant that Kaspersky named TriangleDB is deployed in the device's memory, and the initial iMessage is erased.

The implant lacks a persistence mechanism, meaning that if the targeted device is restarted, the entire chain of exploitation must be initiated again to re-infect the device.

"If no reboot occurs, the implant will automatically uninstall itself after 30 days, unless the attackers extend this period," Kaspersky added.

The spyware monitored the infected device for folder changes with names matching specified regular expressions and exfiltrated queued matches. Identified artifacts suggested the threat actor might also be targeting macOS devices with a similar implant, Kaspersky said.