A hardware feature present in an Apple system-on-a-chip (SoC) was recently exploited in a series of attacks targeting the iPhones of Kaspersky senior employees. These attacks successfully bypassed Apple’s protections and installed sophisticated spyware on the compromised devices, raising concerns about the vulnerabilities in the iOS ecosystem.
Exploitation of iOS Zero-Day Vulnerabilities
In a highly coordinated campaign, the attackers exploited multiple iOS zero-day vulnerabilities. Their main objective was to execute arbitrary code and install spyware on the targeted iPhones. These zero-day vulnerabilities, which were previously unknown and had no available patches, allowed the attackers to gain unauthorized access to the devices.
Introduction to TriangleDB Spyware Implant
The spyware implant used in these attacks, dubbed TriangleDB, was specifically designed to remain stealthy and undetectable. Its infection chain involved a series of checks and log-erasing actions, making it challenging to identify and remove the malware. TriangleDB effectively flew under the radar, enabling the attackers to maintain persistent access to the compromised iPhones.
Apple’s Response and Patch Deployment
Responding swiftly, Apple released patches to address three of the exploited vulnerabilities in June and July. Importantly, Apple stated that these vulnerabilities were only exploitable on iOS versions before iOS 15.7. While this brought some relief, it also highlighted the critical need for users to keep their devices updated with the latest security patches.
Details of the Attack Methodology
The initial attack vector involved the delivery of malicious iMessage attachments. These attachments contained a remote code execution (RCE) zero-day exploit that enabled the deployment of TriangleDB without any user interaction. The attackers leveraged the flaw to discreetly infiltrate the targeted iPhones.
Exploitation of Additional Zero-Day Flaws
In addition to the RCE zero-day, two other zero-day vulnerabilities were exploited in the infection chain. One of these vulnerabilities resided in the Apple-only ADJUST TrueType font instruction, paving the way for the attackers to bypass hardware-based security protections. The other zero-day flaw, CVE-2023-38606, held particular interest due to its exploitation of hardware memory-mapped I/O (MMIO) registers.
Focus on CVE-2023-38606
CVE-2023-38606 allowed attackers to exploit JavaScript and utilize hardware MMIO registers to bypass the Page Protection Layer (PPL), a crucial security measure. Importantly, the MMIO registers used in the attack did not belong to the known MMIO ranges of peripheral devices in Apple products, as defined and stored in the DeviceTree file format. This raised questions about the purpose and origin of this unknown hardware feature.
Identification of the MMIO Registers’ Origin
Further analysis by Kaspersky revealed that the targeted MMIO registers belonged to the GPU coprocessor. By abusing these registers, the attackers gained the ability to write to memory, bypass existing security protections, and achieve remote code execution (RCE). The involvement of the GPU coprocessor added an intriguing layer of sophistication to the attack.
Abusing the GPU Coprocessor to Achieve Remote Code Execution (RCE)
Exploiting the GPU coprocessor’s registers allowed the attackers to execute code and manipulate memory, providing them with a pathway to take control of the compromised iPhones. By leveraging this previously unknown hardware feature, the attackers bypassed Apple’s defenses and successfully achieved their objective of installing TriangleDB and carrying out reconnaissance on the targeted victims.
Unanswered Questions Regarding the Unknown Hardware Feature
The discovery of this unknown hardware feature raises numerous unanswered questions. Its purpose, origin, and potential implications remain poorly understood. This abnormal vulnerability has prompted further investigation by security researchers and Apple to comprehend its inner workings and determine the necessary remediation measures.
The sophisticated attacks targeting Kaspersky senior employees’ iPhones revealed the abuse of a hardware feature inherent in Apple’s SoC. By exploiting multiple iOS zero-day vulnerabilities and utilizing the GPU coprocessor’s registers, the attackers successfully bypassed protections, installed spyware, and gained control over the compromised devices. This incident underscores the importance of continuous vigilance and regularly updating devices with security patches to mitigate the risks posed by emerging threats in the ever-evolving landscape of mobile security.