Exploiting Apple SoC Hardware Feature: The Intricate Attacks on Kaspersky Employees’ iPhones

A hardware feature present in an Apple system-on-a-chip (SoC) was recently exploited in a series of attacks targeting the iPhones of Kaspersky senior employees. These attacks successfully bypassed Apple’s protections and installed sophisticated spyware on the compromised devices, raising concerns about the vulnerabilities in the iOS ecosystem.

Exploitation of iOS Zero-Day Vulnerabilities

In a highly coordinated campaign, the attackers exploited multiple iOS zero-day vulnerabilities. Their main objective was to execute arbitrary code and install spyware on the targeted iPhones. These zero-day vulnerabilities, which were previously unknown and had no available patches, allowed the attackers to gain unauthorized access to the devices.

Introduction to TriangleDB Spyware Implant

The spyware implant used in these attacks, dubbed TriangleDB, was specifically designed to remain stealthy and undetectable. Its infection chain involved a series of checks and log-erasing actions, making it challenging to identify and remove the malware. TriangleDB effectively flew under the radar, enabling the attackers to maintain persistent access to the compromised iPhones.

Apple’s Response and Patch Deployment

Responding swiftly, Apple released patches to address three of the exploited vulnerabilities in June and July. Importantly, Apple stated that these vulnerabilities were only exploitable on iOS versions before iOS 15.7. While this brought some relief, it also highlighted the critical need for users to keep their devices updated with the latest security patches.

Details of the Attack Methodology

The initial attack vector involved the delivery of malicious iMessage attachments. These attachments contained a remote code execution (RCE) zero-day exploit that enabled the deployment of TriangleDB without any user interaction. The attackers leveraged the flaw to discreetly infiltrate the targeted iPhones.

Exploitation of Additional Zero-Day Flaws

In addition to the RCE zero-day, two other zero-day vulnerabilities were exploited in the infection chain. One of these vulnerabilities resided in the Apple-only ADJUST TrueType font instruction, paving the way for the attackers to bypass hardware-based security protections. The other zero-day flaw, CVE-2023-38606, held particular interest due to its exploitation of hardware memory-mapped I/O (MMIO) registers.

Focus on CVE-2023-38606

CVE-2023-38606 allowed attackers to exploit JavaScript and utilize hardware MMIO registers to bypass the Page Protection Layer (PPL), a crucial security measure. Importantly, the MMIO registers used in the attack did not belong to the known MMIO ranges of peripheral devices in Apple products, as defined and stored in the DeviceTree file format. This raised questions about the purpose and origin of this unknown hardware feature.

Identification of the MMIO Registers’ Origin

Further analysis by Kaspersky revealed that the targeted MMIO registers belonged to the GPU coprocessor. By abusing these registers, the attackers gained the ability to write to memory, bypass existing security protections, and achieve remote code execution (RCE). The involvement of the GPU coprocessor added an intriguing layer of sophistication to the attack.

Abusing the GPU Coprocessor to Achieve Remote Code Execution (RCE)

Exploiting the GPU coprocessor’s registers allowed the attackers to execute code and manipulate memory, providing them with a pathway to take control of the compromised iPhones. By leveraging this previously unknown hardware feature, the attackers bypassed Apple’s defenses and successfully achieved their objective of installing TriangleDB and carrying out reconnaissance on the targeted victims.

Unanswered Questions Regarding the Unknown Hardware Feature

The discovery of this unknown hardware feature raises numerous unanswered questions. Its purpose, origin, and potential implications remain poorly understood. This abnormal vulnerability has prompted further investigation by security researchers and Apple to comprehend its inner workings and determine the necessary remediation measures.

The sophisticated attacks targeting Kaspersky senior employees’ iPhones revealed the abuse of a hardware feature inherent in Apple’s SoC. By exploiting multiple iOS zero-day vulnerabilities and utilizing the GPU coprocessor’s registers, the attackers successfully bypassed protections, installed spyware, and gained control over the compromised devices. This incident underscores the importance of continuous vigilance and regularly updating devices with security patches to mitigate the risks posed by emerging threats in the ever-evolving landscape of mobile security.

Explore more

Aflac Japan Data Breach Impacts 4.4 Million Customers

Dominic Jainy is a veteran in the tech space, navigating the complex intersection of cybersecurity and artificial intelligence. With years of experience protecting high-stakes data through machine learning and blockchain, he offers a unique vantage point on why even the biggest insurance titans remain vulnerable to sophisticated extortion groups. Today, we delve into the recent security catastrophe at Aflac Japan,

Power Availability Dictates EMEA Data Center Growth

The unrelenting expansion of high-performance computing and artificial intelligence workloads across the European, Middle Eastern, and African markets has transformed energy procurement into the primary competitive differentiator for infrastructure developers today. While geographic proximity to end-users remains a relevant factor, the sheer scale of current deployments necessitates a pivot toward regions where the electrical grid can support multi-hundred megawatt campuses

How Does ARToken Bypass Microsoft 365 MFA?

A typical office worker receives a routine notification from what appears to be a legitimate SharePoint site, asking for a quick verification code to view a shared document. This seemingly harmless request arrives as an alphanumeric code on a professional Microsoft page, inviting the user to “verify” an identity. Because the interaction occurs entirely within official Microsoft domains, the employee

Is Your Oracle EBS Data Safe From Active Cyber Attacks?

Introduction Enterprise resource planning systems serve as the digital backbone of global commerce, yet hundreds of these critical platforms currently sit exposed to predatory actors on the open internet. Recent data reveals that nearly 950 Oracle E-Business Suite instances are directly reachable via the web, bypassing traditional security perimeters. This exposure coincides with the active exploitation of vulnerabilities that grant

Trend Analysis: AsyncRAT DLL Sideloading Tactics

In the modern cybersecurity landscape, “trust” has become a weapon, as threat actors increasingly hide malicious payloads within the very tools IT professionals use to secure their networks. The resurgence of AsyncRAT through sophisticated DLL sideloading and search engine optimization (SEO) poisoning represents a critical shift from traditional, easily filtered phishing to high-visibility, “living-off-the-land” attacks that bypass conventional perimeters. This