Exploiting Apple SoC Hardware Feature: The Intricate Attacks on Kaspersky Employees’ iPhones

A hardware feature present in an Apple system-on-a-chip (SoC) was recently exploited in a series of attacks targeting the iPhones of Kaspersky senior employees. These attacks successfully bypassed Apple’s protections and installed sophisticated spyware on the compromised devices, raising concerns about the vulnerabilities in the iOS ecosystem.

Exploitation of iOS Zero-Day Vulnerabilities

In a highly coordinated campaign, the attackers exploited multiple iOS zero-day vulnerabilities. Their main objective was to execute arbitrary code and install spyware on the targeted iPhones. These zero-day vulnerabilities, which were previously unknown and had no available patches, allowed the attackers to gain unauthorized access to the devices.

Introduction to TriangleDB Spyware Implant

The spyware implant used in these attacks, dubbed TriangleDB, was specifically designed to remain stealthy and undetectable. Its infection chain involved a series of checks and log-erasing actions, making it challenging to identify and remove the malware. TriangleDB effectively flew under the radar, enabling the attackers to maintain persistent access to the compromised iPhones.

Apple’s Response and Patch Deployment

Responding swiftly, Apple released patches to address three of the exploited vulnerabilities in June and July. Importantly, Apple stated that these vulnerabilities were only exploitable on iOS versions before iOS 15.7. While this brought some relief, it also highlighted the critical need for users to keep their devices updated with the latest security patches.

Details of the Attack Methodology

The initial attack vector involved the delivery of malicious iMessage attachments. These attachments contained a remote code execution (RCE) zero-day exploit that enabled the deployment of TriangleDB without any user interaction. The attackers leveraged the flaw to discreetly infiltrate the targeted iPhones.

Exploitation of Additional Zero-Day Flaws

In addition to the RCE zero-day, two other zero-day vulnerabilities were exploited in the infection chain. One of these vulnerabilities resided in the Apple-only ADJUST TrueType font instruction, paving the way for the attackers to bypass hardware-based security protections. The other zero-day flaw, CVE-2023-38606, held particular interest due to its exploitation of hardware memory-mapped I/O (MMIO) registers.

Focus on CVE-2023-38606

CVE-2023-38606 allowed attackers to exploit JavaScript and utilize hardware MMIO registers to bypass the Page Protection Layer (PPL), a crucial security measure. Importantly, the MMIO registers used in the attack did not belong to the known MMIO ranges of peripheral devices in Apple products, as defined and stored in the DeviceTree file format. This raised questions about the purpose and origin of this unknown hardware feature.

Identification of the MMIO Registers’ Origin

Further analysis by Kaspersky revealed that the targeted MMIO registers belonged to the GPU coprocessor. By abusing these registers, the attackers gained the ability to write to memory, bypass existing security protections, and achieve remote code execution (RCE). The involvement of the GPU coprocessor added an intriguing layer of sophistication to the attack.

Abusing the GPU Coprocessor to Achieve Remote Code Execution (RCE)

Exploiting the GPU coprocessor’s registers allowed the attackers to execute code and manipulate memory, providing them with a pathway to take control of the compromised iPhones. By leveraging this previously unknown hardware feature, the attackers bypassed Apple’s defenses and successfully achieved their objective of installing TriangleDB and carrying out reconnaissance on the targeted victims.

Unanswered Questions Regarding the Unknown Hardware Feature

The discovery of this unknown hardware feature raises numerous unanswered questions. Its purpose, origin, and potential implications remain poorly understood. This abnormal vulnerability has prompted further investigation by security researchers and Apple to comprehend its inner workings and determine the necessary remediation measures.

The sophisticated attacks targeting Kaspersky senior employees’ iPhones revealed the abuse of a hardware feature inherent in Apple’s SoC. By exploiting multiple iOS zero-day vulnerabilities and utilizing the GPU coprocessor’s registers, the attackers successfully bypassed protections, installed spyware, and gained control over the compromised devices. This incident underscores the importance of continuous vigilance and regularly updating devices with security patches to mitigate the risks posed by emerging threats in the ever-evolving landscape of mobile security.

Explore more

Why is LinkedIn the Go-To for B2B Advertising Success?

In an era where digital advertising is fiercely competitive, LinkedIn emerges as a leading platform for B2B marketing success due to its expansive user base and unparalleled targeting capabilities. With over a billion users, LinkedIn provides marketers with a unique avenue to reach decision-makers and generate high-quality leads. The platform allows for strategic communication with key industry figures, a crucial

Endpoint Threat Protection Market Set for Strong Growth by 2034

As cyber threats proliferate at an unprecedented pace, the Endpoint Threat Protection market emerges as a pivotal component in the global cybersecurity fortress. By the close of 2034, experts forecast a monumental rise in the market’s valuation to approximately US$ 38 billion, up from an estimated US$ 17.42 billion. This analysis illuminates the underlying forces propelling this growth, evaluates economic

How Will ICP’s Solana Integration Transform DeFi and Web3?

The collaboration between the Internet Computer Protocol (ICP) and Solana is poised to redefine the landscape of decentralized finance (DeFi) and Web3. Announced by the DFINITY Foundation, this integration marks a pivotal step in advancing cross-chain interoperability. It follows the footsteps of previous successful integrations with Bitcoin and Ethereum, setting new standards in transactional speed, security, and user experience. Through

Embedded Finance Ecosystem – A Review

In the dynamic landscape of fintech, a remarkable shift is underway. Embedded finance is taking the stage as a transformative force, marking a significant departure from traditional financial paradigms. This evolution allows financial services such as payments, credit, and insurance to seamlessly integrate into non-financial platforms, unlocking new avenues for service delivery and consumer interaction. This review delves into the

Certificial Launches Innovative Vendor Management Program

In an era where real-time data is paramount, Certificial has unveiled its groundbreaking Vendor Management Partner Program. This initiative seeks to transform the cumbersome and often error-prone process of insurance data sharing and verification. As a leader in the Certificate of Insurance (COI) arena, Certificial’s Smart COI Network™ has become a pivotal tool for industries relying on timely insurance verification.