Kaspersky Says it is Being Targeted By Zero-Click Exploits

Russian AV vendor Kaspersky has claimed that iOS devices on its network are being targeted by sophisticated zero-day exploits.

The firm revealed in a blog post yesterday that “Operation Triangulation” likely dates back to 2019 and is ongoing.

“While monitoring the network traffic of our own corporate Wi-Fi network dedicated for mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we noticed suspicious activity that originated from several iOS-based phones,” it explained.

“Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise.”

The mvt-ios utility produced a timeline of events that enabled Kaspersky to recreate what happened.

It appears that targeted devices were sent an iMessage with an attachment containing the exploit. The attachment triggered a vulnerability that led to code execution without any user interaction, a so-called “zero-click” attack.

The malicious code then downloaded additional payloads from a command-and-control (C&C) server, including exploits for privilege escalation. The final payload is a “fully featured APT platform,” according to Kaspersky.

Finally, the original message and the exploit attachment were deleted from the device.

“The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting,” the blog continued.

“The analysis of the final payload is not finished yet. The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server.”
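The sequence described above (attachment arrives, the implant talks to its C&C, the attachment is deleted, and the whole chain repeats after a reboot because nothing persists) is the kind of pattern an analyst can correlate in an mvt-ios timeline. The following is an added example, not Kaspersky's code, Infosecurity's, or part of the Mobile Verification Toolkit. It assumes the four-column layout of MVT's timeline.csv (UTC Timestamp, Plugin, Event, Description); the plugin names, event names, timestamps and sample rows are constructed for illustration and are not Kaspersky's published indicators.

```python
"""Correlate an MVT-style timeline.csv into infection chains.

Added example (not Kaspersky's or MVT's code). Assumptions:
  * CSV columns are "UTC Timestamp,Plugin,Event,Description" with
    timestamps formatted "%Y-%m-%d %H:%M:%S.%f".
  * Plugin/event names ("shutdown_log"/"Boot", "sms_attachments"/
    "Attachment", "sms_attachments"/"Missing file", "datausage") are
    illustrative labels, not real MVT module output.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample (not real data): one phone, two boots. The same
# chain appears once per boot; a benign attachment (photo.jpg) is never
# deleted and a deleted attachment with no network activity (memo.txt)
# should not be flagged either.
SAMPLE_TIMELINE = """\
UTC Timestamp,Plugin,Event,Description
2023-05-01 09:00:00.000000,shutdown_log,Boot,device booted
2023-05-01 09:12:03.000000,sms_attachments,Attachment,Library/SMS/Attachments/1a/01/invoice.pdf from +15550100
2023-05-01 09:12:41.000000,datausage,Process,pid 4711 wifi_in 98304 wifi_out 12288
2023-05-01 09:19:55.000000,sms_attachments,Missing file,Library/SMS/Attachments/1a/01/invoice.pdf not present in backup
2023-05-01 10:30:12.000000,sms_attachments,Attachment,Library/SMS/Attachments/2b/02/photo.jpg from +15550123
2023-05-01 11:00:00.000000,sms_attachments,Attachment,Library/SMS/Attachments/3c/03/memo.txt from +15550123
2023-05-01 11:05:00.000000,sms_attachments,Missing file,Library/SMS/Attachments/3c/03/memo.txt not present in backup
2023-05-03 08:00:00.000000,shutdown_log,Boot,device booted
2023-05-03 08:07:10.000000,sms_attachments,Attachment,Library/SMS/Attachments/4d/04/invoice.pdf from +15550100
2023-05-03 08:07:48.000000,datausage,Process,pid 4722 wifi_in 98304 wifi_out 12288
2023-05-03 08:15:02.000000,sms_attachments,Missing file,Library/SMS/Attachments/4d/04/invoice.pdf not present in backup
"""

# How soon after an attachment arrives we expect the implant to fetch
# its next stage. Chosen for the sample; tune against real timelines.
WINDOW = timedelta(minutes=15)


@dataclass
class Event:
    ts: datetime
    plugin: str
    event: str
    description: str


def parse_timeline(text):
    """Parse timeline.csv text into Event objects sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append(Event(datetime.strptime(r["UTC Timestamp"], "%Y-%m-%d %H:%M:%S.%f"),
                          r["Plugin"], r["Event"], r["Description"]))
    rows.sort(key=lambda e: e.ts)
    return rows


def find_chains(events, window=WINDOW):
    """Return one dict per attachment that (1) was followed by network
    activity within `window` and (2) was later reported missing, both in
    the same boot epoch. Epoch 0 is everything before the first boot."""
    chains = []
    epoch = 0
    pending = {}  # attachment path -> [arrival event, epoch, network event or None]
    for e in events:
        if e.plugin == "shutdown_log" and e.event == "Boot":
            epoch += 1
            pending.clear()  # no persistence: every boot starts from a clean state
        elif e.plugin == "sms_attachments" and e.event == "Attachment":
            pending[e.description.split()[0]] = [e, epoch, None]
        elif e.plugin == "datausage":
            # Attribute the first network burst inside the window to each
            # still-open attachment; a real analysis would also key on the
            # process name recorded in the description.
            for entry in pending.values():
                arrival = entry[0]
                if entry[2] is None and arrival.ts <= e.ts <= arrival.ts + window:
                    entry[2] = e
        elif e.plugin == "sms_attachments" and e.event == "Missing file":
            entry = pending.pop(e.description.split()[0], None)
            if entry and entry[2] is not None:
                chains.append({"epoch": entry[1], "path": e.description.split()[0],
                               "arrived": entry[0].ts, "network": entry[2].ts,
                               "deleted": e.ts})
    return chains


def reinfected_after_reboot(chains):
    """True when the same chain shows up in more than one boot epoch."""
    return len({c["epoch"] for c in chains}) > 1


if __name__ == "__main__":
    found = find_chains(parse_timeline(SAMPLE_TIMELINE))
    for c in found:
        print(f"epoch {c['epoch']}: {c['path']} arrived {c['arrived']}, "
              f"network {c['network']}, deleted {c['deleted']}")
    print("reinfected after reboot:", reinfected_after_reboot(found))
```

On the constructed sample the two invoice.pdf chains are reported, one per boot, so the reinfection check returns true; photo.jpg (never deleted) and memo.txt (deleted, but no network activity in the window) are not flagged. With a real timeline the thresholds and labels must be adapted to what mvt-ios actually emits for the backup at hand.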

The source of the campaign and its end goal are still unclear. On the same day that Kaspersky published its blog post, however, Russia's Federal Security Service (FSB) issued a brief statement blaming the US for a “reconnaissance operation” involving Apple devices.

“It was found that several thousand telephone sets of this brand were infected,” it claimed.

“At the same time, in addition to domestic subscribers, facts of infection of foreign numbers and subscribers using SIM cards registered with diplomatic missions and embassies in Russia, including the countries of the NATO bloc and the post-Soviet space, as well as Israel, SAR and China, were revealed.”

The FSB alleged without evidence that Apple had colluded with the US intelligence community in enabling this campaign.

Kaspersky asked the security community to share any details that might help the firm in its investigation.
