Apple has released a new version of iOS that fixes three serious vulnerabilities that attackers have exploited in the wild.
One of the vulnerabilities (CVE-2023-32434) was used in a series of targeted attacks involving iMessages with malicious attachments that triggered the bug and gave the attackers remote code execution on the compromised device. Researchers at Kaspersky discovered those attacks and disclosed them in early June, detailing the initial attack vector as well as some of the ways in which the malware used in the attacks behaved. The attackers behind this operation have not been identified yet, but given the skill involved, it’s likely that a high-level APT team is responsible for it.
“The target iOS device receives a message via the iMessage service, with an attachment containing an exploit. Without any user interaction, the message triggers a vulnerability that leads to code execution. The code within the exploit downloads several subsequent stages from the C&C server, which include additional exploits for privilege escalation. After successful exploitation, a final payload is downloaded from the C&C server, which is a fully-featured APT platform. The initial message and the exploit in the attachment are deleted,” Kaspersky researchers said in a blog post on the attacks.
The specific vulnerability is an integer overflow in the iOS kernel and the exploit that Kaspersky observed affected iOS versions before 15.7. In the attacks that Kaspersky uncovered, the attackers exploited the vulnerability and then installed a malicious implant.
“The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers,” the researchers said.
“Once the implant launches, it starts communicating with the C2 server, using the Protobuf library for exchanging data. The configuration of the implant contains two servers: the primary and the fallback (contained in the lS and lSf configuration fields). Normally, the implant uses the primary server, and, in case of an error, it switches to the fallback server by invoking the -[CRConfig swapLpServerType:] method.”
The second vulnerability Apple patched in the new release (CVE-2023-32435) is a memory corruption bug in the WebKit framework. That bug has also been exploited in the wild, and its discovery is credited to the Kaspersky researchers. The third zero day Apple fixed (CVE-2023-32439) only affects iOS 15.7 and is a type confusion flaw in WebKit.
Apple also patched the kernel vulnerability in macOS Monterey, Big Sur, and Ventura, and the WebKit bug in Ventura.