Apple has released security patches to address two zero-day vulnerabilities (CVE-2023-32434 and CVE-2023-32439) exploited in the spyware campaign known as Operation Triangulation. The spyware implant, TriangleDB, has been active since 2019 and was discovered by the cybersecurity firm Kaspersky; it reaches its victims through malicious attachments delivered over iMessage.


While the exact threat actor behind the campaign remains unknown, the Russian government’s Federal Security Service (FSB) has accused the U.S. intelligence community of using the spyware to target Russian diplomats’ iPhones. The FSB alleged that thousands of iPhones, including domestic and foreign numbers linked to diplomatic missions and embassies in Russia, were infected.

Kaspersky conducted a six-month investigation into the exploitation chain and found that the spyware implant is deployed only after the attackers have obtained root privileges. It operates solely in the device's memory and is gone after a reboot, so the attackers must reinstall it to keep their access. The implant also self-deletes after 30 days unless the attackers choose to extend its lifespan.

The researchers also identified 24 commands the malware accepts, including file manipulation, keychain item extraction, and geolocation monitoring. Interestingly, one configuration file contained a method named "populateWithFieldsMacOSOnly," suggesting that the malware may also be intended for use on macOS devices.

Indicators of Compromise

SHA256:
fd9e97cfb55f9cfb5d3e1388f712edd952d902f23a583826ebe55e9e322f730f