Apple Fixes Zero-Days Used to Deploy Triangulation Spyware Via iMessage

Cyber Security Threat Summary:
Apple recently addressed three zero-day vulnerabilities that were exploited in attacks to install spyware on iPhones via iMessage zero-click exploits. Below is a list of the CVEs:

  • CVE-2023-32434: A kernel integer overflow was addressed with improved input validation.
  • CVE-2023-32435: A memory corruption issue in Apple WebKit was addressed with improved state management.
  • CVE-2023-32439: A type confusion issue in WebKit was addressed with improved checks.

The first two flaws were uncovered by researchers at Kaspersky: Georgy Kucherin, Leonid Bezvershenko, and Boris Larin. According to Kaspersky, the vulnerabilities have been exploited in an ongoing campaign dubbed Operation Triangulation, which has been active since 2019.

“The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on a device and installs spyware,” noted Kaspersky.

The spyware deployed in these attacks is TriangleDB, which is designed to establish an encrypted connection with a command-and-control (C2) server and periodically send a heartbeat beacon containing device metadata. Once a connection has been established, the C2 server responds to the heartbeat messages with one of 24 commands that make it possible to dump iCloud Keychain data and load additional Mach-O modules into memory to harvest sensitive data, including file contents, geolocation, installed iOS applications, and running processes, among others.

Security Officer Comments:
According to Kaspersky, since the implant is loaded into memory, all traces of the implant are lost when the device gets rebooted. "Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers."

Upon successful infection, researchers note that the attackers also delete the initial iMessage to cover their traces.

As of writing, the attacks have not been attributed to a known threat group. The Russian government, however, has claimed that the U.S. is behind them, alleging that thousands of Apple devices belonging to domestic subscribers and foreign diplomats were compromised as part of a reconnaissance operation.

Suggested Correction(s):
CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439 impact the following device models:

  • iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
  • iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
  • Macs running macOS Big Sur, Monterey, and Ventura
  • Apple Watch Series 4 and later, Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE

The flaws have been addressed in macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, watchOS 9.5.2, and watchOS 8.8.1 with improved checks, input validation, and state management.
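The following is an added example, not part of the original summary or any Apple or Kaspersky tooling: a small Python check that flags devices in an inventory whose OS build is below the fixed versions listed above. It assumes a constructed inventory of name/platform/version records and treats release lines newer than those listed as already containing the fix.

```python
from typing import Dict, List, Tuple

# Minimum build containing the fixes for CVE-2023-32434, CVE-2023-32435
# and CVE-2023-32439, keyed by platform and major release line (taken
# from the fixed versions listed in the advisory text above).
FIXED_VERSIONS: Dict[str, Dict[int, str]] = {
    "iOS":     {16: "16.5.1", 15: "15.7.7"},
    "iPadOS":  {16: "16.5.1", 15: "15.7.7"},
    "macOS":   {13: "13.4.1", 12: "12.6.7", 11: "11.7.8"},
    "watchOS": {9: "9.5.2", 8: "8.8.1"},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '16.5' into (16, 5, 0) so dotted versions compare numerically."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(platform: str, version: str) -> bool:
    """True if this OS build contains the fix for the three CVEs.

    Assumption: release lines newer than any listed line (e.g. iOS 17)
    carry the fix; lines older than all listed lines are unpatched.
    """
    lines = FIXED_VERSIONS[platform]
    ver = parse_version(version)
    major = ver[0]
    if major in lines:
        return ver >= parse_version(lines[major])
    return major > max(lines)


def unpatched_devices(inventory: List[Dict[str, str]]) -> List[str]:
    """Names of inventory entries still exposed to the Triangulation chain."""
    return [d["name"] for d in inventory
            if not is_patched(d["platform"], d["version"])]


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    {"name": "exec-iphone", "platform": "iOS",     "version": "16.5"},
    {"name": "kiosk-ipad",  "platform": "iPadOS",  "version": "15.7.7"},
    {"name": "dev-mbp",     "platform": "macOS",   "version": "13.4.1"},
    {"name": "old-mbp",     "platform": "macOS",   "version": "12.6.6"},
    {"name": "watch",       "platform": "watchOS", "version": "9.6"},
]

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"UNPATCHED: {name}")
```

Note that a device still on a supported older line (for example iPadOS 15.7.7) counts as patched for these CVEs even though it is not on the latest major release.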

Link(s):
https://www.bleepingcomputer.com/
https://support.apple.com/en-us/HT213811
https://securelist.com/triangledb-triangulation-implant/110050/