Operation Triangulation: Zero-Click iPhone Malware – Schneier on Security
Operation Triangulation: Zero-Click iPhone Malware

Kaspersky is reporting a zero-click iOS exploit in the wild:
Mobile device backups contain a partial copy of the filesystem, including some of the user data and service databases. The timestamps of the files, folders and the database records allow us to roughly reconstruct the events happening to the device. The mvt-ios utility produces a sorted timeline of events into a file called "timeline.csv," similar to a super-timeline used by conventional digital forensic tools.

Using this timeline, we were able to identify specific artifacts that indicate the compromise. This allowed us to move the research forward, and to reconstruct the general infection sequence:

- The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.
- Without any user interaction, the message triggers a vulnerability that leads to code execution.
- The code within the exploit downloads several subsequent stages from the C&C server, that include additional exploits for privilege escalation.
- After successful exploitation, a final payload is downloaded from the C&C server, that is a fully-featured APT platform.
- The initial message and the exploit in the attachment are deleted.

The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting. The oldest traces of infection that we discovered happened in 2019. As of the time of writing in June 2023, the attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7.
No attribution as of yet.