Today, CISA issued an order directing federal agencies to patch security flaws that were exploited as zero-days to install Triangulation spyware on iPhones through iMessage zero-click exploits.
The order followed a Kaspersky report describing a malware component used in the “Operation Triangulation” campaign the company is tracking.
According to Kaspersky, the spyware was found on iPhones belonging to employees in its Moscow office and in other countries. The company says the attacks began in 2019 and are still ongoing, using iMessage zero-click exploits that abuse iOS zero-day bugs which have since been fixed.
The FSB, a Russian intelligence agency, also claimed that Apple and the NSA worked together to develop a backdoor that made it easier to steal iPhones in Russia. Additionally, the FSB claimed that it discovered thousands of infected iPhones belonging to Russian officials and embassy staff in Israel, China, and NATO nations.
An Apple spokesperson told BleepingComputer, “We have never worked with any government to insert a backdoor into any Apple product and will never do so.”
Describing the two vulnerabilities exploited in the attacks, one in the kernel and one in WebKit (CVE-2023-32434 and CVE-2023-32435), Apple stated on Wednesday, “Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.”
This week the company also fixed a WebKit zero-day (CVE-2023-32439) that allowed code execution on unpatched devices; CISA likewise flagged it today as actively exploited.
The list of affected devices is extensive, as the zero-days affect older and newer models alike, and it includes:
- iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
- Macs running macOS Big Sur, Monterey, and Ventura
- Apple Watch Series 4 and later, Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE
One day after patching the zero-day vulnerabilities used to deploy Triangulation spyware, Apple sent out yet another round of threat notifications informing customers that they had been targeted by state-sponsored attacks. According to CNN reporter Chris Bing, however, it is unclear which incidents these new warnings relate to.
Order for federal agencies to patch by July 14
CISA also added to its Known Exploited Vulnerabilities (KEV) catalog today a critical pre-authentication command injection flaw (CVE-2023-27992) in Zyxel Network-Attached Storage (NAS) devices, which lets unauthenticated attackers execute operating system commands on unpatched devices exposed to the Internet.
In the weeks following a massive wave of attacks in which Mirai-based botnets targeted Zyxel firewalls and VPN products, Zyxel issued a warning to customers on Tuesday to secure their NAS devices “for optimal protection.”
CISA’s KEV catalog now also lists a VMware ESXi vulnerability (CVE-2023-20867), which a Chinese-backed hacking group (UNC3886) exploited in data theft attacks to backdoor Windows and Linux virtual machines.
Under binding operational directive BOD 22-01, published in November 2022, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to patch every flaw added to CISA’s KEV catalog within the allotted time frame.
Following today’s update, federal agencies have until June 14, 2023, to secure vulnerable devices against the newly added flaws.
While BOD 22-01 applies primarily to U.S. federal agencies, private businesses should also prioritize fixing vulnerabilities on CISA’s KEV list, since every entry is a bug known to be used in attacks.
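As an added illustration of how a defender turns a KEV addition into a patch deadline check (example code written for this page, not from the article, CISA, or any vendor): the script joins constructed scanner findings against a sample in the shape of CISA’s KEV JSON feed. Only the CVE IDs and the kernel/WebKit/NAS/ESXi labels come from the article; the asset names, the placeholder CVE and the due dates are constructed, with the Apple and VMware entries given the July 14 date from the heading above.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (same field names as
# the real catalog). The CVE IDs are those named in the article; vendors,
# products and dates are filled in for illustration, not copied from the feed.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-32434", "vendorProject": "Apple", "product": "Kernel", "dueDate": "2023-07-14"},
    {"cveID": "CVE-2023-32435", "vendorProject": "Apple", "product": "WebKit", "dueDate": "2023-07-14"},
    {"cveID": "CVE-2023-32439", "vendorProject": "Apple", "product": "WebKit", "dueDate": "2023-07-14"},
    {"cveID": "CVE-2023-27992", "vendorProject": "Zyxel", "product": "NAS", "dueDate": "2023-07-07"},
    {"cveID": "CVE-2023-20867", "vendorProject": "VMware", "product": "ESXi", "dueDate": "2023-07-14"},
]})

# Constructed scanner output: (asset name, CVE found on it). The last CVE is a
# placeholder that is deliberately absent from the KEV sample.
FINDINGS = [
    ("iphone-exec-01", "CVE-2023-32434"),
    ("nas-branch-02", "CVE-2023-27992"),
    ("esxi-host-03", "CVE-2023-20867"),
    ("web-04", "CVE-0000-00000"),
]

def load_kev(feed_json: str) -> dict:
    """Index a KEV-format feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def triage(kev: dict, findings: list, today_iso: str) -> list:
    """Join findings against KEV and rank them by BOD 22-01 due date.

    Only CVEs present in the catalog get a row; days_left is negative once the
    due date has passed. Non-KEV findings carry no BOD 22-01 deadline and are
    left to normal risk-based triage, not treated as harmless.
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for asset, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({"asset": asset, "cve": cve, "vendor": entry["vendorProject"],
                     "due": entry["dueDate"], "days_left": (due - today).days})
    return sorted(rows, key=lambda r: r["days_left"])  # most urgent first

if __name__ == "__main__":
    for r in triage(load_kev(KEV_SAMPLE), FINDINGS, "2023-07-10"):
        state = "OVERDUE" if r["days_left"] < 0 else f"{r['days_left']} days left"
        print(f"{r['asset']:15} {r['cve']:15} {r['vendor']:7} due {r['due']}  {state}")
```

Pointing load_kev at the live catalog download instead of KEV_SAMPLE gives the same report for a real inventory.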