The Centre for Cyber Security Belgium (CERT.be) has issued an advisory warning of an actively exploited zero-day vulnerability (CVE-2023-38606) affecting all Apple products. This vulnerability, which allows modification of sensitive kernel state, impacts Apple's entire product spectrum, including Safari, iOS, iPadOS, macOS, tvOS, and watchOS. It is being exploited to deploy the TriangleDB spyware, used by an unknown Advanced Persistent Threat (APT) actor in a sophisticated mobile cyber espionage campaign known as Operation Triangulation. CERT.be recommends that users proactively install the new OS versions to mitigate the risk. Reference: Apple Advisory.
The TriangleDB spyware implant, uncovered by Kaspersky, targets iOS devices via a malicious iMessage attachment. It is deployed after the attackers gain root privileges by exploiting a kernel vulnerability. Once installed, TriangleDB resides in the device’s memory, making it difficult to detect. The implant communicates with a command-and-control (C2) server using the Protobuf library, with messages encrypted using symmetric and asymmetric cryptography. The C2 server sends commands to the implant, which are executed to perform various tasks, including interacting with the device’s file system, monitoring processes, retrieving keychain items, geolocation tracking, and running additional modules.
The TriangleDB implant is part of a broader campaign known as Operation Triangulation. The threat actor behind this campaign is currently unknown, but the sophistication of the attack suggests a well-resourced and capable adversary. The implant is written in Objective-C and is designed to be difficult to detect: it resides only in the device's memory and uninstalls itself after 30 days unless the attackers extend this period.
Indicators of Compromise (IOCs):
Indicators of Compromise (IOCs) are pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network. In the case of the TriangleDB spyware, the IOCs are the unique hashes of the malicious software. These hashes can be used by security tools to detect the presence of the spyware on a system. The IOCs for the TriangleDB spyware are:
- MD5 Hash: 063db86f015fe99fdd821b251f14446d
- SHA-1 Hash: 1a321b77be6a523ddde4661a5725043aba0f037f
- SHA-256 Hash: fd9e97cfb55f9cfb5d3e1388f712edd952d902f23a583826ebe55e9e322f730f
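The following script is an added example of how the published hashes can be turned into a simple file-system check; it is not part of the CERT.be advisory or of Kaspersky's published tooling. It computes MD5, SHA-1 and SHA-256 of every regular file under a directory in a single pass, compares the digests case-insensitively against the IOC list above, and skips unreadable files instead of aborting. The directory to scan is an assumed command-line argument.

```python
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Hashes published for the TriangleDB implant (taken from the IOC list above).
TRIANGLEDB_IOCS: Dict[str, str] = {
    "md5": "063db86f015fe99fdd821b251f14446d",
    "sha1": "1a321b77be6a523ddde4661a5725043aba0f037f",
    "sha256": "fd9e97cfb55f9cfb5d3e1388f712edd952d902f23a583826ebe55e9e322f730f",
}

CHUNK_SIZE = 1 << 20  # read files in 1 MiB chunks so large files do not exhaust memory


def digests_of_stream(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of a byte stream in one pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used by the tests)."""
    return digests_of_stream([data])


def digests_of_file(path: Path) -> Dict[str, str]:
    """Hash a file without loading it fully into memory."""
    with path.open("rb") as f:
        return digests_of_stream(iter(lambda: f.read(CHUNK_SIZE), b""))


def matching_algorithms(digests: Dict[str, str], iocs: Dict[str, str]) -> List[str]:
    """Return the names of the hash algorithms whose digest equals an IOC.

    The comparison is case-insensitive because hex digests are published
    in either upper or lower case.
    """
    return sorted(
        name
        for name, value in digests.items()
        if name in iocs and value.lower() == iocs[name].lower()
    )


def scan_tree(root: Path, iocs: Dict[str, str] = TRIANGLEDB_IOCS) -> List[Tuple[Path, List[str]]]:
    """Walk a directory and report every regular file matching an IOC.

    Symlinks are not followed and unreadable files are skipped so that a
    single permission error does not stop the whole scan.
    """
    hits: List[Tuple[Path, List[str]]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digests = digests_of_file(path)
            except OSError:
                continue
            matched = matching_algorithms(digests, iocs)
            if matched:
                hits.append((path, matched))
    return hits


if __name__ == "__main__":
    import sys

    # Assumed usage: python ioc_scan.py /path/to/scan (defaults to the current directory)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for hit_path, algorithms in scan_tree(target):
        print(f"IOC MATCH {hit_path} ({', '.join(algorithms)})")
```

A hash match is strong evidence only for the exact sample that was published; a recompiled or repacked implant will not match, so hash-based checks complement rather than replace behavioural detection and the OS update the advisory recommends.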
MITRE ATT&CK TTPs:
The TriangleDB spyware exhibits several TTPs (Tactics, Techniques, and Procedures) as defined by the MITRE ATT&CK framework. These include:
- Exploitation for Privilege Escalation (T1068): The spyware exploits a kernel vulnerability to gain root privileges on the target device.
- Command and Control (T1105): The spyware communicates with a C2 server using the Protobuf library.
- Data from Local System (T1005): The spyware interacts with the device’s file system and retrieves keychain items.
- Process Discovery (T1057): The spyware monitors processes on the device.
Users are advised to update their Apple devices to the latest OS versions to mitigate the risk associated with this vulnerability. Organizations should monitor for the IOCs associated with the TriangleDB spyware and consider implementing controls based on the MITRE ATT&CK TTPs associated with this threat.