Exploiting Apple SoC Hardware Feature: The Intricate Attacks on Kaspersky Employees’ iPhones

A hardware feature present in an Apple system-on-a-chip (SoC) was recently exploited in a series of attacks targeting the iPhones of Kaspersky senior employees. These attacks successfully bypassed Apple’s protections and installed sophisticated spyware on the compromised devices, raising concerns about the vulnerabilities in the iOS ecosystem.

Exploitation of iOS Zero-Day Vulnerabilities

In a highly coordinated campaign, the attackers exploited multiple iOS zero-day vulnerabilities. Their main objective was to execute arbitrary code and install spyware on the targeted iPhones. These zero-day vulnerabilities, which were previously unknown and had no available patches, allowed the attackers to gain unauthorized access to the devices.

Introduction to TriangleDB Spyware Implant

The spyware implant used in these attacks, dubbed TriangleDB, was specifically designed to remain stealthy and undetectable. Its infection chain involved a series of checks and log-erasing actions, making it challenging to identify and remove the malware. TriangleDB effectively flew under the radar, enabling the attackers to maintain persistent access to the compromised iPhones.

Apple’s Response and Patch Deployment

Responding swiftly, Apple released patches to address three of the exploited vulnerabilities in June and July. Importantly, Apple stated that these vulnerabilities were only exploitable on iOS versions before iOS 15.7. While this brought some relief, it also highlighted the critical need for users to keep their devices updated with the latest security patches.

Details of the Attack Methodology

The initial attack vector involved the delivery of malicious iMessage attachments. These attachments contained a remote code execution (RCE) zero-day exploit that enabled the deployment of TriangleDB without any user interaction. The attackers leveraged the flaw to discreetly infiltrate the targeted iPhones.

Exploitation of Additional Zero-Day Flaws

In addition to the RCE zero-day, two other zero-day vulnerabilities were exploited in the infection chain. One of these vulnerabilities resided in the Apple-only ADJUST TrueType font instruction, paving the way for the attackers to bypass hardware-based security protections. The other zero-day flaw, CVE-2023-38606, held particular interest due to its exploitation of hardware memory-mapped I/O (MMIO) registers.

Focus on CVE-2023-38606

CVE-2023-38606 allowed attackers to exploit JavaScript and utilize hardware MMIO registers to bypass the Page Protection Layer (PPL), a crucial security measure. Importantly, the MMIO registers used in the attack did not belong to the known MMIO ranges of peripheral devices in Apple products, as defined and stored in the DeviceTree file format. This raised questions about the purpose and origin of this unknown hardware feature.

Identification of the MMIO Registers’ Origin

Further analysis by Kaspersky revealed that the targeted MMIO registers belonged to the GPU coprocessor. By abusing these registers, the attackers gained the ability to write to memory, bypass existing security protections, and achieve remote code execution (RCE). The involvement of the GPU coprocessor added an intriguing layer of sophistication to the attack.

Abusing the GPU Coprocessor to Achieve Remote Code Execution (RCE)

Exploiting the GPU coprocessor’s registers allowed the attackers to execute code and manipulate memory, providing them with a pathway to take control of the compromised iPhones. By leveraging this previously unknown hardware feature, the attackers bypassed Apple’s defenses and successfully achieved their objective of installing TriangleDB and carrying out reconnaissance on the targeted victims.

Unanswered Questions Regarding the Unknown Hardware Feature

The discovery of this unknown hardware feature raises numerous unanswered questions. Its purpose, origin, and potential implications remain poorly understood. This abnormal vulnerability has prompted further investigation by security researchers and Apple to comprehend its inner workings and determine the necessary remediation measures.

The sophisticated attacks targeting Kaspersky senior employees’ iPhones revealed the abuse of a hardware feature inherent in Apple’s SoC. By exploiting multiple iOS zero-day vulnerabilities and utilizing the GPU coprocessor’s registers, the attackers successfully bypassed protections, installed spyware, and gained control over the compromised devices. This incident underscores the importance of continuous vigilance and regularly updating devices with security patches to mitigate the risks posed by emerging threats in the ever-evolving landscape of mobile security.

Explore more

Why Do Talent Management Strategies Fail and How to Fix Them?

What happens when the systems meant to reward talent and dedication instead deepen unfairness in the workplace? Across industries, countless organizations invest heavily in talent management strategies, aiming to build a merit-based culture where the best rise to the top. Yet, far too often, these efforts falter, leaving employees disillusioned and companies grappling with inequity and inefficiency. This pervasive issue

Mastering Digital Marketing for NGOs in 2025: A Guide

In a world where over 5 billion people are online daily, NGOs face an unprecedented opportunity to amplify their missions through digital channels, yet the challenge of cutting through the noise has never been greater. Imagine an organization like Dianova International, working across 17 countries on critical issues like health, education, and gender equality, struggling to reach the right audience

How Can Leaders Prepare for the Cognitive Revolution?

Embracing the Intelligence Age: Why Leaders Must Act Now Imagine a world where machines not only perform tasks but also think, learn, and adapt alongside human workers, transforming every industry from manufacturing to healthcare in ways we are only beginning to comprehend. This is not a distant dream but the reality of the cognitive industrial revolution, often referred to as

Why Do Leaders Lack Empathy During Layoffs? New Survey Shows

Introduction In the current business landscape, layoffs have become a stark reality, cutting across industries from technology to retail, with countless employees facing the uncertainty of job loss. A staggering 53% of workers globally express fear of being laid off within the next year, reflecting a pervasive anxiety that shapes workplace dynamics and underscores a critical challenge for leaders. How

Trend Analysis: AI Content Scraping Ethics

In a striking clash that has reverberated through the digital media landscape, People Inc. CEO Neil Vogel recently accused tech giant Google of acting as a “bad actor” by scraping publisher content for AI training without fair compensation, highlighting a growing tension as artificial intelligence tools reshape how content is consumed and monetized. This conflict, spotlighted during a major industry