Apple drops urgent patch against obtuse TriangleDB iPhone malware

Kaspersky first found this software nasty on its own phones


Apple pushed several security fixes on Wednesday, including one for all iPhones and iPads running versions of iOS released before September last year, which has already been exploited by cyber snoops.

The vulnerability, tracked as CVE-2023-32434, "may have been actively exploited against versions of iOS released before iOS 15.7," according to Apple's security update. Exploiting this flaw allows the execution of arbitrary code with kernel privileges. This is the second patch that Apple has issued to fix the vulnerability. 

In July, the company released an update addressing the same issue for nearly every iPhone and iPad model as well as Apple Watches series 3 and later, and computers running macOS Ventura, Monterey, and Big Sur. 

This week's patch fixes CVE-2023-32434 in iOS 15.8 and iPadOS 15.8, and the update is available for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).

Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, Boris Larin, and Valentin Pashkov discovered the bug and reported it to Apple. According to the threat intel team, it was one of four then-zero-day vulnerabilities they found while investigating an espionage campaign dubbed Operation Triangulation.

The other three bugs discovered by Kaspersky researchers are: CVE-2023-32435, CVE-2023-38606, and CVE-2023-41990, and they were used by still-unknown cyber spies to compromise essentially all manner of Apple products.

Someone got too ambitious

Kaspersky first reported on the previously unknown spyware on June 1, saying it had initially discovered TriangleDB on "several dozen" iPhones belonging to its own top and middle-management via network traffic analysis.  

The spyware requires no user interaction to infect victims' devices, remains "completely hidden" once it's planted, and then has access to all data and system information including microphone recordings, photos from messages and geolocation data, the Russian security shop said.

"Following publication of the first report about the Operation Triangulation, we set up a mailbox for victims of similar attacks to be able to write to, and received emails from other users of Apple smartphones, claiming that they also found signs of infection on their devices," Kaspersky's global research and analysis team told The Register.

These victims included security researchers based in Russia, Europe, the Middle East, Turkey and Africa.

"Judging by the cyberattack characteristics we're unable to link this cyberespionage campaign to any existing threat actor," they added.

In response, Kaspersky has released a triangle_check tool that automatically scans iOS device backups for possible TriangleDB indicators of compromise.

The research team also promised to "shed light on more technical details in the near future." ®
