Russian AV vendor Kaspersky claimed iOS devices on its network were targeted with a sophisticated zero-day exploit.
In a blog post yesterday, the company revealed that the campaign, dubbed “Operation Triangulation,” probably dates back to 2019 and is still ongoing.
“While using the Kaspersky Unified Monitoring and Analysis Platform (KUMA) to monitor network traffic on our corporate Wi-Fi network dedicated to mobile devices, we noticed suspicious activity originating from several iOS-based mobile phones,” the company explains.
“Because it is impossible to inspect modern iOS devices from the inside, we created an offline backup of the device in question and inspected it using mvt-ios from the Mobile Verification Toolkit to discover indicators of compromise.”
The mvt-ios utility created a timeline of events that allowed Kaspersky to recreate what happened.
The targeted device was apparently sent an iMessage with an attachment containing the exploit. The attachment triggered code execution without any user interaction, a so-called “zero-click” attack.
The malicious code then downloaded an additional payload from a command and control (C&C) server, containing an exploit for privilege escalation. According to Kaspersky, the final payload is “an APT platform with full functionality.”
Finally, the original message and the exploit in its attachment are deleted from the device.
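The sequence described above (incoming iMessage attachment, a new process going online shortly afterwards, then the message disappearing) is what an analyst would look for in the mvt-ios timeline. The following is an added illustration, not code from Kaspersky or the MVT project: it triages a constructed timeline in the shape of mvt-ios's `timeline.csv`. The column names, plugin names and event strings used here are assumptions for the sake of the example, and the sample rows are made up.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the shape of an mvt-ios timeline.csv.
# Column names, plugin names and event strings are assumed, not taken from MVT.
SAMPLE_TIMELINE = """UTC Timestamp,Plugin,Event,Description
2023-01-10 09:14:02.000000,SMS,Message received,iMessage with attachment from +1555000000 (placeholder)
2023-01-10 09:14:05.000000,SMSAttachments,Attachment created,Library/SMS/Attachments/ab/11/EXAMPLE.pdf (placeholder)
2023-01-10 09:14:41.000000,Datausage,Process first usage,BackupAgent (WIFI_IN=1200 WIFI_OUT=9800)
2023-01-10 09:15:03.000000,SMS,Message deleted,Record removed from sms.db
2023-01-10 13:02:11.000000,SMS,Message received,iMessage without attachment from +1555000001 (placeholder)
"""

WINDOW = timedelta(minutes=5)  # how long after the attachment we look for follow-up activity


def parse_timeline(text):
    """Parse timeline CSV text into (timestamp, plugin, event, description) tuples, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["UTC Timestamp"], "%Y-%m-%d %H:%M:%S.%f")
        rows.append((ts, row["Plugin"], row["Event"], row["Description"]))
    return sorted(rows, key=lambda r: r[0])


def find_zero_click_chains(rows, window=WINDOW):
    """Flag an incoming iMessage attachment that is followed, within `window`,
    by a process's first network usage and/or deletion of the message record."""
    findings = []
    for i, (ts, plugin, event, desc) in enumerate(rows):
        if plugin != "SMSAttachments" or event != "Attachment created":
            continue
        followups = [r for r in rows[i + 1:] if r[0] - ts <= window]
        net = [r for r in followups if r[1] == "Datausage" and "first usage" in r[2]]
        deleted = [r for r in followups if r[1] == "SMS" and "deleted" in r[2]]
        if net or deleted:
            findings.append({
                "attachment_at": ts.isoformat(),
                "attachment": desc,
                "new_network_process": [r[3] for r in net],
                "message_deleted": bool(deleted),
            })
    return findings


if __name__ == "__main__":
    for finding in find_zero_click_chains(parse_timeline(SAMPLE_TIMELINE)):
        print(finding)
```

A hit only means the three events cluster in time; the flagged attachment and process still need to be checked against published indicators of compromise.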
“The malicious toolset does not support persistence. This is likely due to OS limitations. Timelines on multiple devices indicate that they can be reinfected after a reboot,” the blog continued.
“Analysis of the final payload is still pending. This code runs with root privileges, implements a set of commands to collect system and user information, and can execute arbitrary code downloaded as plugin modules from the C&C server.”
The source of the malicious campaign and its ultimate goal are not yet clear, but on the same day Kaspersky published the blog, the Russian Security Service (FSB) issued a short statement accusing the United States of carrying out a “reconnaissance operation” involving Apple devices.
“Thousands of phones of this brand have been found to be infected,” the statement claimed.
“At the same time, in addition to domestic subscribers, we also learned that foreign numbers and subscribers using SIM cards registered in NATO and former Soviet Union countries were infected, as well as Russian diplomatic missions and embassies abroad, including in Israel, the SAR and China.”
The FSB claimed, without evidence, that Apple colluded with US intelligence agencies in enabling the campaign.
Kaspersky has asked the security community to share details that might help the company’s investigation.