The Russian cybersecurity company Kaspersky has published details of an iPhone exploit to which it itself fell victim. According to the researchers, this is one of the most advanced attacks ever seen.

In June, Kaspersky reported that spyware had been discovered on the iPhones of its own employees. Similar spyware was reportedly found at the same time on the devices of Russian diplomats, which indicated that this was a large-scale campaign. Over the past few months, Kaspersky has shared more information about the spyware, and the investigation is now complete. The researchers call it the most advanced attack method they have seen to date.

A long chain

To install the spyware on the iPhone, the attackers abused as many as zero-days in iOS. The vulnerabilities mainly affect older iOS versions, up to version 16.2, and according to the researchers the first traces go back years, to 2019. Everything starts with a malicious file sent via iMessage, which the victim does not even have to open for the installation process to begin.

First, the attackers use a vulnerability caused by a programming error in iOS font handling. This vulnerability already gives the attackers the ability to execute code, but only with limited system privileges. The malware then targets the iOS kernel and exploits two further vulnerabilities: one in XNU's memory-protection mechanisms and one involving MMIO registers. Together these bypass the kernel's built-in security mechanisms.

A visual representation of the exploit. Source: Kaspersky

From this point on, the malware has more or less free rein. To make sure of it, a Safari vulnerability is additionally exploited to execute shellcode. A detailed description of the methodology can be read in this blog.

Secret registers

It’s not so much the length of the attack chain that stuns Kaspersky. For the researchers, the mystery lies in one particular vulnerability, CVE-2023-38606. As described above, it used MMIO registers to bypass kernel security. What is remarkable is that the attackers used a hardware feature that the iOS firmware itself does not use.

In short, this was done as follows: the destination address and a hash of the data were written to undocumented hardware registers of the chip. Because those registers are not actively used, it remains a mystery to Kaspersky how the attackers discovered this vulnerability. The researchers suspect that the registers are used internally by Apple for debugging or testing purposes, or may even have been added accidentally. In principle, only Apple and chip suppliers such as ARM could be aware of the existence of the registers.

Kaspersky is still in the dark about how the attackers discovered this. All exploited vulnerabilities have now been addressed by Apple.

Who is behind the attack?

This question also remains open after Kaspersky’s analysis. The incident quickly took on a geopolitical twist after the Russian security service accused its American counterpart of espionage. Apple was also accused of helping with the campaign, but has always categorically denied any form of involvement.

“At this time, we cannot conclusively attribute this cyber attack to a known threat actor. The unique features observed in Operation Triangulation do not match patterns of known campaigns,” said Kaspersky researcher Boris Larin in a response to Ars Technica.