A previously unknown Advanced Persistent Threat (APT) is targeting iOS devices , this includes a pair of zero days that were weaponized in a sophisticated device surveillance campaign called Operation Triangulation that began in 2019 . The exact threat actor is not yet known.

“Targets are infected using zero-click exploits via the iMessage platform , and the malware runs with root privileges, gaining complete control over the user’s device and data,” Kaspersky said .

• CVE-2023-32434 – An integer overflow vulnerability in the kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.
• CVE-2023-32435 – A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.

Apple said it was aware that the two issues “may have been exploited to attack versions of iOS released before iOS 15.7 ,” thanking Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko and Boris Larin for reporting them.

The alert comes as the Russian cybersecurity vendor created an offline backup of the targeted devices, discovered traces of infection and dissected the spyware implant used in the zero-click attack campaign.

iOS devices via iMessages receive a message that contains an attachment embedded with a kernel Remote Code Execution (RCE) vulnerability exploit.

The exploit code, which is said to be a zero-click, (meaning that receiving the message activates the device vulnerability, without requiring any interaction, i.e. click, on the part of the user to achieve code execution) is also designed to download add-ons to get root privileges on the target device, after which the backdoor is deployed in memory and the initial iMessage is deleted to hide the trace of the infection.

The sophisticated implant, called TriangleDB , operates exclusively in memory, leaving no trace of its activity after the device is rebooted . It also comes with several data collection and tracking capabilities. This includes “interacting with the device’s file system (including creating, modifying, exfiltrating and removing files), managing processes, extracting encryption key elements to collect victim credentials and monitoring the geolocation of the victim, among other things.”

In an effort to complete the puzzle of the attack and put its different parts together, Kaspersky has released a utility called “ triangle_check ” that organizations can use to scan backups of iOS devices and look for any signs of compromise on their devices.

Apple also released a path to a third zero-day CVE-2023-32439 , which was reported anonymously and may lead to arbitrary code execution when processing malicious web content.

The exploited flaw has been resolved with improved controls. Updates are available for the following platforms:

• iOS 16.5.1 and iPadOS 16.5.1 – iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
• iOS 15.7.7 and iPadOS 15.7.7 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
• macOS Ventura 13.4.1 , macOS Monterey 12.6.7 , and macOS Big Sur 11.7.8
• watchOS 9.5.2 – Apple Watch Series 4 and later
• watchOS 8.8.1 – Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7 and SE and
• Safari 16.5.1 – Mac with macOS Monterey

With the latest round of fixes, Apple has addressed a total of nine zero-day infections across its products since the beginning of the year.

In February, the company patched a WebKit flaw that could lead to remote code execution. In April, it released updates to fix two bugs that allowed code to run with elevated privileges.

Then in May, it deployed patches for three more vulnerabilities in WebKit, which could allow hackers to escape sandbox protection, access sensitive data, and execute arbitrary code.

In conjunction with the Kaspersky report, the Russian Federal Security Service (FSB) released a statement accusing US intelligence agencies of the breach “several thousand” Apple devices belonging to domestic subscribers and foreign diplomats, through hitherto unknown routes as part of a “reconnaissance operation”.

The FSB also said that insights showed “close cooperation” between Apple and the National Security Agency (NSA). No other technical details were provided. Apple , in a statement shared with The Hacker News, said it has “never worked with any government to place a backdoor in any Apple product and never will.”