Apple Fixes 0-Days — Russia Says US Used for Spying
‘Triangulation’ spyware said to use backdoor Apple gave to NSA.
Kremlin iPhones have been riddled with “NSA” spyware for years, complains Russia. You might recall this first blowing up three weeks ago, when I rounded up the tit-for-tat Trojan talk.
Now Apple finally fixed the bugs. In today’s SB Blogwatch, we ponder useful idiocy.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mona moans.
Vulns Unpatched for Four Years
What’s the craic? Joseph Menn reports—“Apple fixes iPhone software flaws used in widespread hacks of Russians”:
“High-end spyware”
Apple … said it had fixed two newly discovered security flaws in its iPhones and iPads … underscoring the seriousness of a campaign that Russian intelligence blamed on the United States. … Kaspersky said previously that the attack worked by sending an iMessage with a malicious attachment.
…
Kaspersky in the past has exposed a number of the most sophisticated spying tools the NSA is known to have worked on, including some related to Stuxnet, which disabled Iranian uranium enrichment tools. … The infection technique used in Triangulation is similar to that used by NSO and other vendors of high-end spyware.
What’s the Kaspersky connection? Sergiu Gatlan explains—“Apple fixes zero-days”:
“Apple provided the NSA with a backdoor”
The two security flaws were found and reported by Kaspersky security researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin. … The attacks started in 2019 and are still ongoing, according to Kaspersky.
…
Russia’s FSB intelligence and security agency also claimed after Kaspersky’s report was published that Apple provided the NSA with a backdoor. … “We have never worked with any government to insert a backdoor into any Apple product and never will,” [said] Apple.
More details? James Reddick obliges—“Apple addresses two zero-days”:
“Accusing Apple of complicity”
The two zero-days [are] CVE-2023-32434 and CVE-2023-32439. … Neither bug is known to have affected devices newer than iOS 15.7.
…
The FSB alleged the U.S. had infected thousands of iPhones with the malware, while also accusing Apple of complicity. … According to the agency, both domestic users as well as foreign numbers using SIM cards registered with diplomatic missions and embassies in Russia were targeted.
Horse’s mouth? Georgy Kucherin, Leonid Bezvershenko and Igor Kuznetsov—“Dissecting TriangleDB, a Triangulation spyware implant”:
“Sophisticated implant”
Over the years, there have been multiple cases when iOS devices were infected with targeted spyware such as Pegasus, Predator, Reign and others. … In researching Operation Triangulation, we set ourselves the goal to retrieve as many parts of the exploitation chain as possible. It took about half a year to accomplish that goal.
…
The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. … TriangleDB [is] a sophisticated implant for iOS containing multiple oddities.
Should we believe Kaspersky? CarAnalogy is inclined to do so:
Kaspersky is constantly at the forefront of security news and research. Definitely strange right now, considering they are a Russian company, with Russia’s current international situation (I realize they are no longer headquartered in Moscow but their history and ties to Russia are undeniable).
…
The FSB immediately after Kaspersky’s announcement of this released a statement referencing it and accusing Apple of assisting the NSA with a backdoor. Kaspersky was careful to distance themselves from it as much as they could but the timing is interesting.
Ah, so, what about believing the FSB? This Anonymous Coward has a simple rule:
Personal belief: Whenever the NSA and friends accuse some other state-sponsored agency of malicious intent, I believe them.
OTOH: Whenever the FSB and friends accuse some other state-sponsored agency of malicious intent, I believe them.
Ah, yes. Yet another no-click flaw in iMessage. ikjadoon doesn’t sound surprised:
Geez. iMessage on the front-end is such a massive target. Apple claimed it’d had a lot of additional hardening after the NSO basically made iOS their home with BlastDoor. Glad anyone sensitive has Lockdown Mode, but otherwise, I’m not sure why Apple has let iMessage get so bad.
…
Hardening requires defense in depth and BlastDoor simply needs more hardening than Apple anticipated in 2019 when it first launched. … BlastDoor specifically coded a path to manage attachment decryption & further block just about all filesystem access. Most importantly, it (should have) denied all outbound network access. … Yet somehow, Triangulation broke through.
BlastDoor? Was that the fix for NSO’s Pegasus exploit? u/nicuramar clarifies timeline and terminology:
BlastDoor was added before [the fix for] Pegasus … (“FORCEDENTRY”). The main system exploited by Pegasus was outside of BlastDoor. It has since been patched and also moved inside BlastDoor.
Meanwhile, u/416nWild builds an ark:
We live in a world where everything is your business, nothing’s private, everything is expensive and we all hate each other. I hope God causes a catastrophic flood soon.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: DonkeyHotey (cc:by; leveled and cropped)