A Chilling Discovery: Kaspersky’s Internal Alert
In a startling revelation, cybersecurity giant Kaspersky reported an internal alert in early 2023. Their Security Information and Event Management system, known as KUMA, detected suspicious network activity originating from iPhones and iPads belonging to their own employees.
This internal alert marked the start of a comprehensive digital forensics and incident response (DFIR) procedure, which Kaspersky named “Operation Triangulation.”
The Initial Findings: How the Attack Unfolded
Kaspersky’s Moscow HQ was the initial focus of this cyber assault. The affected iPhones and iPads were connected to the company’s corporate Wi-Fi network.
This allowed the security experts to scrutinize the network traffic meticulously, revealing an intricate series of events:
- Devices initially connected to Apple’s iMessage servers.
- A subsequent, brief data exchange with a shadowy server, backuprabbit[.]com.
- Multiple connections with several other suspicious servers, including cloudsponcer[.]com and unlimitedteacup[.]com.
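The sequence above (an iMessage session followed within minutes by contact with one of the named servers) is the kind of pattern a SIEM can correlate per device. The following is an added example, not Kaspersky's or KUMA's code; it runs over a constructed flow log, and the assumption that iMessage sessions are recognisable by Apple's ess.apple.com hosts is ours.

```python
"""Flag devices that reach a watchlisted server shortly after an iMessage
session. Added illustration with constructed sample data, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Servers named in the write-up (shown de-fanged in the text).
WATCHLIST = {"backuprabbit.com", "cloudsponcer.com", "unlimitedteacup.com"}
# Assumption: iMessage traffic is identified by Apple's ess.apple.com hosts.
IMESSAGE_SUFFIX = "ess.apple.com"
WINDOW = timedelta(minutes=5)

# Constructed sample flow log, one "timestamp device dst_host" record per line.
SAMPLE_LOG = """\
2023-02-01T10:00:05 iphone-alice profile.ess.apple.com
2023-02-01T10:00:41 iphone-alice backuprabbit.com
2023-02-01T10:03:12 iphone-alice cloudsponcer.com
2023-02-01T10:10:00 ipad-bob profile.ess.apple.com
2023-02-01T10:30:00 ipad-bob news.example.com
2023-02-01T11:00:00 iphone-carol unlimitedteacup.com
"""


def parse_log(text):
    """Yield (timestamp, device, host) tuples from the flow log."""
    for line in text.splitlines():
        ts, device, host = line.split()
        yield datetime.fromisoformat(ts), device, host


def find_hits(text, window=WINDOW):
    """Return {device: [(host, tag)]} for every watchlisted contact.

    tag is 'after-imessage' when the contact follows an iMessage session on
    the same device within `window`, otherwise 'watchlist' (still worth a look).
    """
    last_imessage = {}          # device -> time of its latest iMessage contact
    hits = defaultdict(list)
    for ts, device, host in parse_log(text):
        if host.endswith(IMESSAGE_SUFFIX):
            last_imessage[device] = ts
        elif host in WATCHLIST:
            seen = last_imessage.get(device)
            recent = seen is not None and ts - seen <= window
            hits[device].append((host, "after-imessage" if recent else "watchlist"))
    return dict(hits)


if __name__ == "__main__":
    for device, contacts in find_hits(SAMPLE_LOG).items():
        print(f"ALERT {device}: {contacts}")
```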
Thwarted by Encryption: The HTTPS Dilemma
Even though the security experts were able to identify the servers involved, the data exchange was encrypted using HTTPS.
This encryption acted as a formidable barrier, stymieing attempts to understand the nature of the data being exchanged.
The Forensic Challenge: A Dead End with Modern iOS
Kaspersky’s next course of action involved a physical examination of the affected devices. Unfortunately, existing forensic tools proved useless against modern versions of iOS.
This led Kaspersky to explore iTunes backups as an alternative. Using the Mobile Verification Toolkit (MVT), they were able to construct a timeline of events, albeit without making significant headway into the nature of the malware involved.
Decrypting the Indecipherable: Advanced Interception Techniques
Kaspersky deployed advanced tactics to decrypt the secure communications. They routed the devices' traffic through a Linux server running mitmproxy, an HTTPS interception tool, reached via a WireGuard VPN client, in order to inspect the encrypted traffic. Despite these efforts, iMessage traffic remained stubbornly encrypted because of Apple's certificate pinning (SSL pinning).
The Intricacies of Public-Key Cryptography: An Obstacle and a Tool
One of the most challenging aspects of this investigation was the attackers' extensive use of public-key cryptography. Kaspersky had to employ creative countermeasures, including on-the-fly patching of malicious stages using a mitmproxy add-on, to work around this encryption.
The Final Verdict: A Complex, Multi-Staged Attack
Operation Triangulation turned out to be a complex, multi-staged attack involving four zero-day exploits, two validators, an implant, and its auxiliary modules.
Kaspersky’s intense scrutiny led to the discovery of novel techniques and vulnerabilities, contributing significantly to the existing corpus of cybersecurity knowledge.
Takeaways for the Cybersecurity Community
Kaspersky’s meticulous investigation serves as a stark reminder of the evolving complexity of cybersecurity threats, especially those targeting ubiquitous devices like iPhones and iPads.
The attack also showcases the increasing sophistication of threat actors who are now employing advanced encryption techniques to evade detection.
For those in the cybersecurity field, especially organizations with a high-security profile, it’s a clarion call for heightened vigilance and the continual updating of both skills and tools to fend off ever-evolving threats.