"Triangulation" infected dozens of iPhones belonging to employees of Moscow-based Kaspersky

erek
[H]F Junkie, joined Dec 19, 2005
Spyware craft is interesting, from NSO Group's Pegasus to Candiru

"Kaspersky’s summary of the exploit chain is:

  • Attackers send a malicious iMessage attachment, which is processed by the application without showing any signs to the user.
  • This attachment exploits vulnerability CVE-2023-41990 in the undocumented, Apple-only TrueType font instruction ADJUST for remote code execution. This instruction had existed since the early 90s, and the patch removed it.
  • It uses return/jump-oriented programming and multiple stages written in the NSExpression/NSPredicate query language, patching the JavaScriptCore library environment to execute a privilege-escalation exploit written in JavaScript.
  • This JavaScript exploit is obfuscated to make it completely unreadable and to minimize its size. Still, it has around 11,000 lines of code, which are mainly dedicated to JavaScriptCore and kernel memory parsing and manipulation.
  • It exploits JavaScriptCore’s debugging feature DollarVM ($vm) to get the ability to manipulate JavaScriptCore’s memory from the script and execute native API functions.
  • It was designed to support old and new iPhones and included a Pointer Authentication Code (PAC) bypass for exploitation of newer models.
  • It used an integer overflow vulnerability, CVE-2023-32434, in XNU’s memory mapping syscalls (mach_make_memory_entry and vm_map) to get read/write access to the whole physical memory of the device from user level.
  • It uses hardware memory-mapped I/O (MMIO) registers to bypass the Page Protection Layer (PPL). This was mitigated as CVE-2023-38606.
  • After exploiting all the vulnerabilities, the JavaScript exploit can do whatever it wants to the device and run spyware, but the attackers chose to: a) launch the imagent process and inject a payload that cleans the exploitation artifacts from the device; b) run the Safari process in invisible mode and forward it to the web page with the next stage.
  • The web page has a script that verifies the victim and, if the checks pass, serves the next stage: the Safari exploit.
  • The Safari exploit uses vulnerability CVE-2023-32435 to execute shellcode.
  • The shellcode executes another kernel exploit in the form of a Mach-O object file. It uses the same vulnerabilities, CVE-2023-32434 and CVE-2023-38606; it is also massive in size and functionality, but it is completely different from the kernel exploit written in JavaScript. Only some parts related to exploitation of the above-mentioned vulnerabilities are the same. Still, most of its code is also dedicated to the parsing and manipulation of kernel memory. It has various post-exploitation utilities, which are mostly unused.
  • The exploit gets root privileges and proceeds to execute the other stages responsible for loading the spyware. We already covered these stages in our previous posts.

Wednesday’s presentation, titled What You Get When You Attack iPhones of Researchers, is a further reminder that even in the face of innovative defenses like the one protecting the iPhone kernel, ever more sophisticated attacks continue to find ways to defeat them.

"

https://arstechnica.com/security/20...on-campaign-targeted-secret-hardware-feature/
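The CVE-2023-32434 bullet in the quoted summary names an integer overflow in XNU's memory-mapping syscalls. As an added illustration (this is not from the Ars/Kaspersky text and is not XNU's actual code), the hypothetical validator below shows the bug class: a request to map `offset`/`size` into a constructed 4 GiB object, where page rounding and the end-address sum can both wrap to a small value, beside a version that checks for the wrap. The page size, object size and function names are assumptions for the example.

```c
/* Added illustration of the integer-overflow bug class named in the
 * CVE-2023-32434 bullet above. Hypothetical range validator for a
 * "map offset/size into a 4 GiB object" request, NOT XNU's real code.
 * Build: cc -std=c11 -Wall intoverflow.c && ./a.out */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_MASK 0xFFFULL          /* 4 KiB pages (assumption) */
#define OBJ_SIZE  0x100000000ULL    /* 4 GiB backing object (constructed) */

/* Classic page rounding; when x > UINT64_MAX - PAGE_MASK the addition
 * wraps and the "rounded" length collapses to 0. */
static uint64_t round_page_unchecked(uint64_t x) {
    return (x + PAGE_MASK) & ~PAGE_MASK;
}

/* Vulnerable validator: both the rounding and the end-address sum can
 * wrap, so an attacker-chosen size near UINT64_MAX passes as if tiny. */
bool validate_map_vulnerable(uint64_t offset, uint64_t size) {
    uint64_t len = round_page_unchecked(size);
    return offset + len <= OBJ_SIZE;
}

/* Hardened validator: reject zero length and every arithmetic wrap
 * explicitly before comparing against the object size. */
bool validate_map_checked(uint64_t offset, uint64_t size) {
    uint64_t len, end;
    if (size == 0)
        return false;
    if (__builtin_add_overflow(size, PAGE_MASK, &len))   /* rounding wrap */
        return false;
    len &= ~PAGE_MASK;
    if (__builtin_add_overflow(offset, len, &end))       /* end-address wrap */
        return false;
    return end <= OBJ_SIZE;
}

int main(void) {
    const uint64_t cases[][2] = {
        {0x1000ULL, 0x1000ULL},               /* ordinary 4 KiB request */
        {0xFFFFF000ULL, 0x2000ULL},           /* runs past the object end */
        {0x1000ULL, 0xFFFFFFFFFFFFF001ULL},   /* rounds to 0: wraps */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("offset=%#llx size=%#llx  vulnerable=%d checked=%d\n",
               (unsigned long long)cases[i][0], (unsigned long long)cases[i][1],
               validate_map_vulnerable(cases[i][0], cases[i][1]),
               validate_map_checked(cases[i][0], cases[i][1]));
    }
    return 0;
}
```

The third case is the one that matters: a size of 0xFFFFFFFFFFFFF001 rounds to zero pages, so the naive check sees a request that fits comfortably inside the object, while the checked version refuses it at the first wrap. Auditing real mapping code means looking for every place a caller-controlled length is rounded, added to an offset, or converted between page and byte units.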
 
This is why you don’t bring phones into critical areas. You can be certain that if you’re doing important enough work, your phone can be compromised.
In some lines of work in some countries, if we are to believe some testimony, that would be suspicious (the same would go for a well-enough encrypted and protected computer that the government employer cannot verify when they enter during the day), and the same goes for having well-protected communications.

Having the "why don't you want your phone triangulated?" question come up is not necessarily an option for everyone.
 
It also shows that these phones are pretty secure. It takes a very sophisticated attack to breach them. The plugging of any one of these holes prevents the entire chain from being viable.

It’s like cracking a bank vault, having to do so many things to exploit the smallest weakness, and requiring dozens of steps along the way.
 
It also shows that these phones are pretty secure. It takes a very sophisticated attack to breach them. The plugging of any one of these holes prevents the entire chain from being viable.

It’s like cracking a bank vault, having to do so many things to exploit the smallest weakness, and requiring dozens of steps along the way.
It seems pretty janky that these groups are forming actual corporate entities/companies with a business surrounding these "products" of spyware and Ransomware as a Service.

Look at NSO Group's Pegasus for example: over a $1 billion market cap (and this was known years ago; it could be multiple billions now).
 
It seems pretty janky that these groups are forming actual corporate entities/companies with a business surrounding these "products" of spyware and Ransomware as a Service.

Look at NSO Group's Pegasus for example: over a $1 billion market cap (and this was known years ago; it could be multiple billions now).
They're no different from any other defense contractor. They get contracts from their host government to build these things for cyber warfare. Most of these high-end capabilities aren't designed in house by governments anymore; it's all done under contract. Same reason the government doesn't design the latest planes, missiles, etc. themselves.

Attacks like these are irrelevant to 99.9999% of people out there. A nation is only going to utilize and burn these held zero days in highly targeted attacks.
 
Man are they dense.

We are publishing the technical details, so that other iOS security researchers can confirm our findings and come up with possible explanations of how the attackers learned about this hardware feature.

Insiders, that's how. China, Russia, USA, etc.. they all have spies within the companies who make the hardware and software. Actual engineers with a dual role. One, to work for the company as a normal employee to make the greatest most technologically advanced products on the market, and two -- to work for the <insert government> and know where all the exploitable areas are (or insert them into the design on purpose).
 
It also shows that these phones are pretty secure. It takes a very sophisticated attack to breach them. The plugging of any one of these holes prevents the entire chain from being viable.

It’s like cracking a bank vault, having to do so many things to exploit the smallest weakness, and requiring dozens of steps along the way.
Not necessarily. There may be similar holes in adjacent/related code, or other holes which would allow access to the same (or close enough) entry point. Security/bug discovery often shines light on multiple related bugs in other parts of the code -- some exploitable, some benign.
 
Not necessarily. There may be similar holes in adjacent/related code, or other holes which would allow access to the same (or close enough) entry point. Security/bug discovery often shines light on multiple related bugs in other parts of the code -- some exploitable, some benign.
I think the bank vault analogy is pretty apt. There is nothing that isn't crack-able with time, research, and effort. There is a big difference between the exploits currently necessary to crack a phone and something any basic warez cracker can do.

If just anyone could crack all of this, considering that phones contain billions of dollars in financial data (between all holders), there would be significantly more stolen money through phones if nothing else. As it stands, human hacking works far better there than trying to hack a phone. The fact that that isn't the case, and that we're mostly talking about governmental level speaks volumes. Hence "sophisticated attack". When you can show me that 'ordinary' exploiters are able to steal everything off of a phone in the wild, we'll have a different conversation. Considering that we're not, I'll keep my position.
 
I think the bank vault analogy is pretty apt. There is nothing that isn't crack-able with time, research, and effort. There is a big difference between the exploits currently necessary to crack a phone and something any basic warez cracker can do.

If just anyone could crack all of this, considering that phones contain billions of dollars in financial data (between all holders), there would be significantly more stolen money through phones if nothing else. As it stands, human hacking works far better there than trying to hack a phone. The fact that that isn't the case, and that we're mostly talking about governmental level speaks volumes. Hence "sophisticated attack". When you can show me that 'ordinary' exploiters are able to steal everything off of a phone in the wild, we'll have a different conversation. Considering that we're not, I'll keep my position.
Did you see how they cracked open the solarwinds DevOps build pipeline with the signing keys to just build their own with the Sunburst ransomware part?

So for 8 months even the deep state was patching and upgrading into the vulnerabilities from the official source of Solarwinds
 
I think the bank vault analogy is pretty apt. There is nothing that isn't crack-able with time, research, and effort. There is a big difference between the exploits currently necessary to crack a phone and something any basic warez cracker can do.

If just anyone could crack all of this, considering that phones contain billions of dollars in financial data (between all holders), there would be significantly more stolen money through phones if nothing else. As it stands, human hacking works far better there than trying to hack a phone. The fact that that isn't the case, and that we're mostly talking about governmental level speaks volumes. Hence "sophisticated attack". When you can show me that 'ordinary' exploiters are able to steal everything off of a phone in the wild, we'll have a different conversation. Considering that we're not, I'll keep my position.
You should really watch this when you get a minute. This vid is gaining a few years in age now, but it's no less important. It goes over a lot of the spying techniques uncovered from the info that was stolen/leaked by Snowden, so it can only be worse now.
So just keep on thinking you're "so safe" with your iPhone, even after every celeb with one has had their data/nudie pics stolen and shared with the world.

View: https://www.bitchute.com/video/OSjGdUo4hmA0/
 
You should really watch this when you get a minute. This vid is gaining a few years in age now, but it's no less important. It goes over a lot of the spying techniques uncovered from the info that was stolen/leaked by Snowden, so it can only be worse now.
So just keep on thinking you're "so safe" with your iPhone, even after every celeb with one has had their data/nudie pics stolen and shared with the world.

View: https://www.bitchute.com/video/OSjGdUo4hmA0/

You are safe assuming you’re not a Russian diplomat, etc. I can assure you they aren’t going to burn a zero day capability on your worthless ass
 
This is also a lesson in security software. Complex security software always opens new attack surface. And as we see here, the software and the people making it are prime targets.
 
You are safe assuming you’re not a Russian diplomat, etc. I can assure you they aren’t going to burn a zero day capability on your worthless ass
Keep telling yourself that.

Edit: you should have watched that whole thing; it gets more interesting the longer it goes. Way more interesting, and it debunks all your "secure Apple" claims.

And I guess they want Julian Assange and Edward Snowden dead because it's all just "in theory"? Nope, this is all real shit. Ever seen the movie "Enemy of the State"? That's based on facts. That's how things play out for some people.
 
I like the half a dozen different icons all describing some kind of exploit. Grenade, dynamite, skull, bolt, etc. Flavorful!
 
Keep telling yourself that.

Edit: you should have watched that whole thing; it gets more interesting the longer it goes. Way more interesting, and it debunks all your "secure Apple" claims.

And I guess they want Julian Assange and Edward Snowden dead because it's all just "in theory"? Nope, this is all real shit. Ever seen the movie "Enemy of the State"? That's based on facts. That's how things play out for some people.
You need to better define some people. Unless you're getting briefed at the daily brief at White House level, etc I can again assure you that the government isn't going to waste the money and fuel to re-orient a space aperture to track you, or waste a premier zero-day capability for iPhone. But if you want to believe that, by all means do so.
 
You need to better define some people. Unless you're getting briefed at the daily brief at White House level, etc I can again assure you that the government isn't going to waste the money and fuel to re-orient a space aperture to track you, or waste a premier zero-day capability for iPhone. But if you want to believe that, by all means do so.
So you're saying it was top-level CIA and government officials that released the stolen celebrities' nude photos from iCloud?
 
You need to better define some people. Unless you're getting briefed at the daily brief at White House level, etc I can again assure you that the government isn't going to waste the money and fuel to re-orient a space aperture to track you, or waste a premier zero-day capability for iPhone. But if you want to believe that, by all means do so.
if you didn't watch that other vid i posted at least check out this one, it's about this thread's topic

View: https://youtu.be/EfcyNZ8_rk0
 
So you're saying it was top-level CIA and government officials that released the stolen celebrities' nude photos from iCloud?
Entirely different type of attack from this. Not even remotely similar in level of sophistication, and also before iCloud even offered end to end encryption, etc.
 
You should really watch this when you get a minute. This vid is gaining a few years in age now, but it's no less important. It goes over a lot of the spying techniques uncovered from the info that was stolen/leaked by Snowden, so it can only be worse now.
So just keep on thinking you're "so safe" with your iPhone, even after every celeb with one has had their data/nudie pics stolen and shared with the world.

View: https://www.bitchute.com/video/OSjGdUo4hmA0/

Yea, amnesia as a collective society is so bad

We forget everything:(

Isn’t it public knowledge that the deep state can monitor phones even while powered off? Only way to stop it is to remove the battery

Deep state and not some third party foreign company producing janky Spyware As A Service like NSO Group Pegasus
 

Cyberattack Targets Albanian Parliament's Data System, Halting Its Work

An anonymous reader quotes a report from SecurityWeek: Albania's Parliament said on Tuesday that it had suffered a cyberattack with hackers trying to get into its data system, resulting in a temporary halt in its services. A statement said Monday's cyberattack had not "touched the data of the system," adding that experts were working to discover what consequences the attack could have. It said the system's services would resume at a later time. Local media reported that a cellphone provider and an air flight company were also targeted by Monday's cyberattacks, allegedly from Iranian-based hackers called Homeland Justice, which could not be verified independently.
 
So you're saying it was top-level CIA and government officials that released the stolen celebrities' nude photos from iCloud?
At the time, seeing voyeur nudes of Jennifer Lawrence was as socially valuable as spying on government or military entities. Being able to expose a famous celebrity brings a lot of clout and temptation. And of course, cracking an iPhone is among the holy grails. So pushing the perception that iPhones were compromised also has a lot of value (for many different people, not just hackers). Wouldn’t most of the people here love to say iPhones and Apple are dangerous?
 
At the time, seeing voyeur nudes of Jennifer Lawrence was as socially valuable as spying on government or military entities. Being able to expose a famous celebrity brings a lot of clout and temptation. And of course, cracking an iPhone is among the holy grails. So pushing the perception that iPhones were compromised also has a lot of value (for many different people, not just hackers). Wouldn’t most of the people here love to say iPhones and Apple are dangerous?
The key detail here is at the time hacking iPhones and iCloud was also trivial, and there was zero encryption across the entire chain.
 
Neither the iPhone nor iCloud was hacked for the Fappening. The users were hacked and passwords were collected. But if people were selective in how they discussed it, it gave the perception that Apple products had been compromised. And THAT was the story many wanted. We just had to see a soccer player's butthole to get there.
 
The hack was because of a simple flaw: the Find My feature did not limit the number of password tries people could run, and people brute-forced it and did find passwords by simply trying a lot of them. Some iCloud accounts had enough value to run it for a very long time; some celebs had an answer of the type "name of the dog" to the forgot-my-password questions that people knew, etc.

That's completely different, so much so that using the word "hacked" feels a bit wrong for it.
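The post above describes the failure mode exactly: an endpoint that never stops counting wrong passwords turns an online guessing attack into a matter of patience. The added example below (constructed toy code, not Apple's or any real service's implementation; the account, wordlist, thresholds and function names are all assumptions) runs the same brute force against a login with no failed-attempt limit and against one with an exponential, capped lockout, using a simulated clock so the cost difference can be measured.

```python
"""Added illustration of the brute-force gap described in the post above:
an authentication endpoint with no failed-attempt limit versus one with an
exponential, capped lockout. Constructed toy code, not Apple's or any
real service's implementation."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    pw_hash: bytes
    failures: int = 0
    locked_until: int = 0      # simulated-clock timestamp (seconds)


class Authenticator:
    MAX_FAILURES = 5           # free attempts before lockouts begin
    BASE_DELAY = 30            # seconds; doubles with each further failure
    MAX_DELAY = 86_400         # cap at one day so the lockout stays bounded

    def __init__(self, credentials, lockout=True):
        self.lockout = lockout
        self._accounts = {u: Account(self._hash(p)) for u, p in credentials.items()}

    @staticmethod
    def _hash(password):
        # Plain SHA-256 keeps the example short; a real service uses a slow KDF.
        return hashlib.sha256(password.encode()).digest()

    def locked_until(self, user):
        return self._accounts[user].locked_until

    def login(self, user, password, now):
        """Return 'ok', 'denied' or 'locked' for an attempt at time `now`."""
        acct = self._accounts.get(user)
        if acct is None:
            return "denied"
        if self.lockout and now < acct.locked_until:
            return "locked"            # the password is not even evaluated
        if hmac.compare_digest(acct.pw_hash, self._hash(password)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.lockout and acct.failures >= self.MAX_FAILURES:
            delay = self.BASE_DELAY * 2 ** (acct.failures - self.MAX_FAILURES)
            acct.locked_until = now + min(delay, self.MAX_DELAY)
        return "denied"


def simulate_bruteforce(auth, user, wordlist, per_try=1):
    """Online guessing against `auth` with a simulated clock. The attacker is
    patient and waits out every lockout. Returns (password, attempts, seconds)."""
    now = attempts = 0
    result = None
    for candidate in wordlist:
        while True:
            result = auth.login(user, candidate, now)
            if result == "locked":
                now = auth.locked_until(user)   # wait for the lockout to expire
                continue
            attempts += 1
            now += per_try
            break
        if result == "ok":
            return candidate, attempts, now
    return None, attempts, now


# Constructed victim and wordlist: the real password is the 42nd guess.
CREDS = {"victim@example.com": "summer2041"}
WORDLIST = [f"summer{year}" for year in range(2000, 2050)]


def compare():
    """Run the identical wordlist against both policies."""
    user = "victim@example.com"
    no_lockout = simulate_bruteforce(Authenticator(CREDS, lockout=False), user, WORDLIST)
    lockout = simulate_bruteforce(Authenticator(CREDS, lockout=True), user, WORDLIST)
    return no_lockout, lockout


if __name__ == "__main__":
    for label, (pw, n, secs) in zip(("no lockout", "lockout"), compare()):
        print(f"{label:>10}: found {pw!r} after {n} attempts in {secs / 86_400:.1f} days")
```

Both runs need the same 42 guesses, but without a limit the attack finishes in 42 simulated seconds, while the lockout stretches it to roughly 26 simulated days for a 50-word list, and a list of a few thousand entries becomes impractical. The trade-off is that a per-account lockout lets an attacker lock the legitimate owner out, which is why real deployments pair it with per-source throttling and a second factor rather than relying on it alone.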
 
Does the attack in the OP require the victim to open the PDF? Or simply receive it?
No, just receive it via iMessage. The entire attack used four individual zero days together to operate. It's pretty boutique and high-end, and given Kaspersky released the details - It's pretty easy to guess who used it and who got owned.
 
No, just receive it via iMessage. The entire attack used four individual zero days together to operate. It's pretty boutique and high-end, and given Kaspersky released the details - It's pretty easy to guess who used it and who got owned.
Is it patched yet?
 
You should really watch this when you get a minute. This vid is gaining a few years in age now, but it's no less important. It goes over a lot of the spying techniques uncovered from the info that was stolen/leaked by Snowden, so it can only be worse now.
So just keep on thinking you're "so safe" with your iPhone.

What you're describing here is a total own of every device on the planet using again: incredibly sophisticated attacks. Attacks that individuals aren't capable of doing.

This is larger scale NSA stuff that required a massive apparatus, including specialized hardware development for this purpose and deployment (manpower) to do. It's literally something only a government with its resources can do. Even if we hold all things in the video to be true such as: not disclosing vulnerabilities (fairly likely) and even the most conspiracy minded options like: "every company is bought off to keep exploits" (possibly likely, depending on the greed and ability of said company to keep quiet at a massive scale... which may be less likely), all of these things are the absolute definition of a very elaborate sophisticated attack.

Unless you're next going to tell me that individuals have the resources to develop hardware, intercept other people's literal packages through the post office to install malicious hardware, blast people with RF radiation, etc. The average hacker in mom's basement making $75k +/- a year doesn't have access to this level of resource. If they did, that conference in the video wouldn't only be able to talk about leaked NSA slides; they'd also be able to demonstrate the hardware in action, because they'd have access to it.

I'm not saying we do or don't have to worry about the NSA. That isn't and hasn't been the point. I sincerely hope that individuals, companies, and governments all do their part to prevent dragnet spying and make the internet as well as hardware more secure. Just underlying that this particular hack isn't something some schmoe in a basement could easily recreate.
even after every celeb with one has had their data/nudie pics stolen and shared with the world.
As other people mentioned, that was done via spearphishing.
https://en.wikipedia.org/wiki/2014_celebrity_nude_photo_leak
Not to say that social engineering hacks aren't hacks, they are. But there is a big difference between doing any form of social engineering hack and something as sophisticated as exploiting 4 zero days and doing 12 steps to gain remote access to a phone.

You've more or less only been proving my point: that all of this requires a significant amount of resources and effort to do, as well as a huge amount of sophistication. Hence, again, why everyone's phones that contain banking information haven't been drained to zero by hackers in India and Nigeria.

Are the devices pretty secure? I'd say so, other than again to go with my bank-vault analogy: people with a huge amount of time and resources throwing what they have at it. Bank vault keeps out pretty much everyone without a government level of resources is saying something. However no amount of security is good enough if people own themselves.

if you didn't watch that other vid i posted at least check out this one, it's about this thread's topic

View: https://youtu.be/EfcyNZ8_rk0

Mostly helpful to make the topic easier to digest, but doesn't really add anything for those that spent the time reading.

The question I suppose now is: how many of those zero days are still in the wild? Apple 'supposedly' patched several of them earlier in January of this year. Theoretically this exact hack is no longer possible on an updated device. Theoretically "just" patching the 4 zero days would make significantly more development necessary to get a phone back into total own state.
 
The question I suppose now is: how many of those zero days are still in the wild? Apple 'supposedly' patched several of them earlier in January of this year. Theoretically this exact hack is no longer possible on an updated device. Theoretically "just" patching the 4 zero days would make significantly more development necessary to get a phone back into total own state.
Plenty more that are not known by the public. The intentional zero days are patched when discovered by the 3rd party, or when they've served their purpose for use and could be exposed/used by adversaries.
 
Plenty more that are not known by the public. The intentional zero days are patched when discovered by the 3rd party, or when they've served their purpose for use and could be exposed/used by adversaries.
It's well known that it's always a game of whack-a-mole. There is nothing that is 100% secure ever. However how long and how expensive it is to get new exploits is more or less the question. Theoretically it gets more and more difficult as time goes on, provided that the US isn't deliberately installing cripple-hard-ware directly onto boards.
 
So if you get a random text from a number you dont know, and it has a link to a .pdf.. dont click it. Got it.
 