The Russian cyber security firm Kaspersky found new zero-click iOS malware on its own employees' phones and eventually on the iPhones of many Russian government workers (mainly diplomats working in embassies around Europe). They have dubbed this new malware “Triangulation”.
The basic details of the malware are described by Kaspersky as:
The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on the device and installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. Further, the spyware also quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation and data about a number of other activities of the owner of the infected device.
The attack is carried out as discreetly as possible; however, the fact of infection was detected by Kaspersky Unified Monitoring and Analysis Platform (KUMA), a native SIEM solution for information and event management; the system detected an anomaly in our network coming from Apple devices. Further investigation from our team showed that several dozen iPhones of our employees were infected with a new, extremely technologically sophisticated spyware we dubbed ‘Triangulation’.
A very good write-up from Ars Technica: ars technica article
The important takeaways regarding the technical details (setting aside the obvious international politics):
The latest iOS version found infected was 15.7, so Lockdown Mode was not in play (Lockdown Mode debuted in iOS 16). It is unknown whether the exploit chain was patched in later versions or whether the iOS version simply coincides with the timing of the malware campaign.
Kaspersky discovered the infections due to suspicious network activity
Payload was delivered via an iMessage attachment; the type of attachment is not discussed
Malware was not persistent and was wiped on reboot of the phone, though in one case the target was re-infected within minutes of rebooting their phone
Further technical details are due to be released in the coming days and weeks as the forensic analysis continues
No word yet on an Android equivalent being used by the same threat actor (historically iPhones have proved easier to do forensics on, as the operating system hangs on to more artifacts)
Those are the facts. As for stuff we don’t know for sure yet…
My initial thought goes immediately to Lockdown Mode. My speculation is that this likely would have been stopped by Lockdown Mode due to the delivery mechanism being a malicious iMessage attachment. Lockdown Mode blocks iMessage attachments other than images. Pegasus used a malicious PDF to deliver its zero-click exploit package, and something similar may have been involved here.
The second thought is how this was discovered: via network activity, presumably the C2 infrastructure talking with infected phones. Could DNS defenses have stopped the infection? Unknown for now, but if so it means that is a very effective defense against these zero-day and zero-click attacks, assuming your DNS filtering could identify malicious or likely-malicious domains in real time, either via algorithm or ruleset (blocking newly registered domains being one such rule).
As an example, Pegasus used a complex exploit chain that required the full malware to be uploaded remotely. The initial iMessage attack was just to force the phone to open a malicious URL in Safari, where the actual malware package was downloaded to the phone. Essentially it was forcing a ‘click’ on the URL with no user interaction needed. In theory, if those Pegasus domains were blocked at the DNS level it would have prevented infection (most security-oriented DNS services like NextDNS and Quad9 now block known NSO-associated domains).
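As an added illustration of the DNS-filtering rules discussed above (example code written for this post, not from Kaspersky, NextDNS, Quad9 or any other vendor), the following Python applies a known-malicious blocklist and a newly-registered-domain rule to constructed resolver log lines. All domains, registration dates and the log line format are assumed placeholders.

```python
from datetime import date, timedelta

# Constructed sample data (placeholders, not indicators from any real campaign):
# a static blocklist and a table standing in for the registration dates a
# filtering resolver would fetch via WHOIS/RDAP.
BLOCKLIST = {"known-bad.example"}
REGISTRATION_DATES = {
    "known-bad.example": date(2021, 3, 4),
    "fresh-c2.example": date(2023, 5, 28),  # registered days before the log
    "vendor.example": date(2015, 1, 10),
}
NEW_DOMAIN_WINDOW = timedelta(days=30)
LOG_DATE = date(2023, 6, 1)  # the day the constructed log below was captured

def registrable_domain(qname: str) -> str:
    # Keep the last two labels only; this ignores public-suffix cases such as
    # co.uk, which a production resolver would handle with a suffix list.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def evaluate(qname: str, today: date) -> tuple[str, str, str]:
    """Return (domain, 'allow'|'block', reason) from the post's two rules: a
    known-malicious blocklist and a newly-registered-domain rule. Domains with
    no known registration date are allowed; a stricter policy could block them."""
    dom = registrable_domain(qname)
    if dom in BLOCKLIST:
        return dom, "block", "on blocklist"
    registered = REGISTRATION_DATES.get(dom)
    if registered is not None and today - registered < NEW_DOMAIN_WINDOW:
        return dom, "block", f"registered {(today - registered).days} days ago"
    return dom, "allow", "no rule matched"

def filter_log(lines: list[str], today: date) -> list[tuple[str, str, str]]:
    """Apply evaluate() to constructed resolver log lines of the form
    '<timestamp> <client-ip> <qname> <qtype>'; malformed lines are skipped."""
    verdicts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        verdicts.append(evaluate(parts[2], today))
    return verdicts

# Constructed log excerpt: one client querying three domains plus a bad line.
SAMPLE_LOG = [
    "2023-06-01T10:00:01Z 10.0.0.12 cdn.vendor.example. A",
    "2023-06-01T10:00:02Z 10.0.0.12 update.fresh-c2.example. A",
    "2023-06-01T10:00:03Z 10.0.0.12 known-bad.example. AAAA",
    "garbage line",
]
```

Run `filter_log(SAMPLE_LOG, LOG_DATE)` to see the per-query verdicts; the newly-registered rule is what would catch a freshly stood-up C2 domain that no blocklist has seen yet.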
This kind of news can be very upsetting and make much of what we do to protect our privacy and security feel futile. However, we are actually far safer now from these kinds of attacks than just a few years ago, thanks to hard work from people like Citizen Lab that brought public attention to this threat. These kinds of attacks have always been around, and it is only through recent awareness that we can begin to arm ourselves to defend against them through individual awareness and actions. Additionally, by making it an issue that affects device sales, it is driving companies like Apple and Google to further harden their devices and services.