Hi all, today we have very big and important news.
Kaspersky experts have discovered an extremely complex, professionally targeted cyberattack that uses Apple’s mobile devices. The purpose of this attack is the inconspicuous introduction of spyware into the iPhones of employees of the company – both top and middle-management.
The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on the device and installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. Further, the spyware also quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation and data about a number of other activities of the owner of the infected device.
The attack is carried out as discreetly as possible, however, the fact of infection was detected by Kaspersky Unified Monitoring and Analysis Platform (KUMA), a native SIEM solution for information and event management; the system detected an anomaly in our network coming from Apple devices. Further investigation from our team showed that several dozen iPhones of our employees were infected with a new, extremely technologically sophisticated spyware we dubbed ‘Triangulation.’
Due to the closed nature of iOS, there are no (and cannot be) any standard operating system tools for detecting and removing this spyware on infected smartphones. To do this, you need to resort to external tools.
An implicit indication of the presence of Triangulation on the device is the disabling of the ability to update iOS. For more accurate recognition of infection, you will need to take a backup copy of the device and check it with a special utility. More detailed recommendations are set out in this technical article on Securelist. We are also developing a free detection utility and will make it available after testing.
Due to the peculiarities of blocking iOS updates on infected devices, we have not yet found an effective way to remove spyware without losing user data. This can only be done by resetting infected iPhones to factory settings, installing the latest version of the operating system and the entire user environment from scratch. Otherwise, even if the spyware is deleted from the device memory following a reboot, Triangulation is still able to re-infect through vulnerabilities in an outdated version of iOS.
This report into Operation Triangulation is just the beginning of the investigation of this sophisticated attack. Today we publish the first results of the analysis, but there is still a lot of work ahead. As the incident is investigated, we will publish new data in a dedicated post on Securelist and draw a line on the work done at the international Security Analyst Summit in October (follow the news on the site).
We are quite confident that Kaspersky was not the main target of this cyberattack. The coming days will bring more clarity and further details on the worldwide proliferation of the spyware.
We believe that the main reason for this incident is the proprietary nature of iOS. This operating system is a “black box” in which spyware like Triangulation can hide for years. Detecting and analyzing such threats is made more difficult by Apple’s monopoly of research tools, making it the perfect haven for spyware. In other words, as I have said more than once, users are given the illusion of security associated with the complete opacity of the system. What actually happens in iOS is unknown to the cybersecurity experts. The absence of news about the attacks does not at all indicate the impossibility of the attacks themselves – as we have just seen.
I would like to remind you that this is not the first case of a targeted attack against our company. We are well aware that we work in a very aggressive environment and have developed appropriate incident response procedures. Thanks to the measures taken, the company is operating normally, business processes and user data are not affected, and the threat has been neutralized. We continue to protect you, as always.
P.S. Why ‘Triangulation’?
To recognize the software and hardware specifications of the attacked system, Triangulation uses Canvas Fingerprinting technology and draws a yellow triangle in the device’s memory.
Leave a Reply