Apple fixes iMessage zero-days that allowed Triangulation spyware to be distributed

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Apple has published fixes for three zero-day vulnerabilities that, at the time of writing, may already have been exploited in the wild as part of the Triangulation iMessage attack chain. Two of the flaws are in the WebKit browser engine and the third is in the kernel; all three are described under Impact below.

The implant, known as TriangleDB, is deployed once the attackers have exploited a kernel vulnerability to gain root privileges on the target iOS device. Because it runs only in memory, no trace of it survives a reboot; each time the victim restarts the phone, the attackers must re-run the exploitation chain by sending an iMessage with a malicious attachment. If the device is not rebooted, the implant uninstalls itself after 30 days unless the attackers extend that period.

Impact

  • CVE-2023-32434: an integer overflow in the kernel that can be exploited to execute arbitrary code with kernel privileges. A kernel-level integer overflow can give a threat actor unauthorised access to the targeted system and enable a range of damaging follow-on activity: privilege escalation, full system compromise, information theft, denial of service (DoS), expansion of the attack surface and maintaining persistence.
  • CVE-2023-32435 and CVE-2023-32439: WebKit vulnerabilities in which processing maliciously crafted web content can lead to arbitrary code execution. A threat actor who successfully exploits either flaw can run their own code on the targeted system with the privileges of the affected process. On its own that is the privilege of the renderer process; in a chain such as Triangulation the kernel flaw above is then used to escalate from that process to root. Because the combination gives the attacker extensive control over the compromised device, the consequences can be severe.
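The following is an added, constructed illustration of the bug class named in the first bullet (an integer overflow in a size calculation leading to an undersized kernel allocation and a heap overflow), placed beside a hardened version. It is not Apple's code and not the actual CVE-2023-32434 flaw, whose code path this bulletin does not describe; the `user_req` structure, the 1 GiB policy cap and the sample inputs are assumptions made for the example, and it assumes a 64-bit `size_t` and a GCC/Clang compiler for `__builtin_mul_overflow`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example of the bug class only: a request whose fields are
 * attacker-controlled (e.g. arguments of a syscall or IOKit call). The real
 * CVE-2023-32434 code path is not described on this page. */
struct user_req {
    uint64_t count;      /* number of elements the caller claims to send */
    uint64_t elem_size;  /* bytes per element */
};

/* Illustrative policy cap (assumption): reject anything above 1 GiB so a
 * legitimate-but-enormous request cannot be used for memory exhaustion. */
#define MAX_REQ_BYTES ((size_t)1 << 30)

/* Vulnerable size calculation. count * elem_size is computed in 64-bit
 * modular arithmetic with no wrap check, so a crafted request makes it wrap
 * to a small value: the caller then allocates a tiny buffer while the copy
 * loop that follows still iterates 'count' times and writes past its end. */
size_t vuln_alloc_size(const struct user_req *r)
{
    return (size_t)(r->count * r->elem_size);   /* silently wraps */
}

/* Hardened calculation. __builtin_mul_overflow (GCC/Clang) reports whether
 * the exact product fits in 'total'; on wrap the request is refused instead
 * of being served with an undersized buffer. */
bool safe_alloc_size(const struct user_req *r, size_t *bytes)
{
    size_t total;
    if (__builtin_mul_overflow(r->count, r->elem_size, &total))
        return false;                 /* would wrap: reject */
    if (total > MAX_REQ_BYTES)
        return false;                 /* over policy cap: reject */
    *bytes = total;
    return true;
}

/* True when the vulnerable path would return a buffer smaller than the copy
 * loop needs. The exact product exceeds UINT64_MAX exactly when
 * elem_size > UINT64_MAX / count, which avoids 128-bit arithmetic
 * (assumes size_t is 64 bits wide, as on arm64 and x86_64). */
bool vuln_undersized(const struct user_req *r)
{
    return r->count != 0 && r->elem_size > UINT64_MAX / r->count;
}

int main(void)
{
    /* Constructed inputs: a benign request and a crafted one whose exact
     * product is 2^65 + 32, which wraps to 32 in 64-bit arithmetic. */
    struct user_req benign  = { .count = 4,                .elem_size = 16 };
    struct user_req crafted = { .count = (1ULL << 60) + 1, .elem_size = 32 };
    const struct user_req *reqs[] = { &benign, &crafted };
    size_t n;

    for (size_t i = 0; i < 2; i++) {
        const struct user_req *r = reqs[i];
        printf("count=%llu elem_size=%llu\n",
               (unsigned long long)r->count, (unsigned long long)r->elem_size);
        printf("  vulnerable path allocates %zu bytes%s\n", vuln_alloc_size(r),
               vuln_undersized(r) ? " (UNDERSIZED: heap overflow)" : "");
        if (safe_alloc_size(r, &n))
            printf("  hardened path allocates %zu bytes\n", n);
        else
            printf("  hardened path rejects the request\n");
    }
    return 0;
}
```

The crafted request makes the vulnerable path hand back a 32-byte buffer for a copy loop that expects 2^60 + 1 elements, which is the undersized-allocation condition an attacker turns into a controlled heap overwrite; the hardened path refuses it. The cap check is separate from the wrap check on purpose: a product that does not wrap can still be large enough to exhaust kernel memory, and the two failures deserve distinct handling.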

Vulnerability Detection

Apple has released security updates that address these vulnerabilities. Any device still running a release earlier than the fixed version should be considered vulnerable. With no implant indicators published, checking the installed OS version against Apple's advisory is the only reliable way to establish exposure.

Affected Products

  • iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later (current iOS/iPadOS branch)
  • iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) (older iOS/iPadOS branch)
  • Macs running macOS Big Sur, Monterey, and Ventura
  • Apple Watch Series 4 and later (current watchOS branch)
  • Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE (older watchOS branch)

Containment, Mitigations & Remediations

It is strongly recommended that Apple users apply the relevant product updates as soon as possible. The vulnerabilities were addressed in Apple's security updates for the affected products listed above; because the implant does not survive a reboot but the attackers re-exploit unpatched devices, restarting a device is not a substitute for installing the update.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Apple holds a substantial share of the PC and smart-device markets. Because threat actors weigh the likelihood of success against the value of the asset when choosing which attack surfaces to focus on, Apple devices have become a top target. As these devices are now embedded in both personal and business activity, threat actors will continue to seek out vulnerabilities in them to obtain the confidential information they hold.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

TA0002 – Execution

Further Information

Zero-Day Alert: Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari