Operation Triangulation: The Stealthy iOS Attack Kaspersky Couldn’t Ignore


A Chilling Discovery: Kaspersky’s Internal Alert

In early 2023 Kaspersky disclosed an internal alert: its Security Information and Event Management system, KUMA [1], had flagged suspicious network activity coming from iPhones and iPads belonging to its own employees.

That alert set off a full digital forensics and incident response (DFIR) investigation, which Kaspersky named “Operation Triangulation” [2].

The Initial Findings: How the Attack Unfolded

The first affected devices were at Kaspersky’s Moscow headquarters, and all of them were iPhones and iPads connected to the corporate Wi-Fi network.

Being on the corporate network is what made the investigation possible: the team could capture the devices’ traffic at the network edge, and the captures showed the same sequence of events on each device:

  • A device first connected to Apple’s iMessage servers.
  • Shortly afterwards it had a brief exchange with a server at backuprabbit[.]com.
  • It then made multiple connections to other suspicious servers, including cloudsponcer[.]com and unlimitedteacup[.]com.
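A toy version of the kind of rule that would surface the sequence above, added here as an illustration rather than anything Kaspersky has published about KUMA: it reads a constructed connection log and raises an alert when a device contacts a known Triangulation host, or a host the fleet has never contacted before, within a few minutes of talking to Apple. The log format, the Apple-host suffixes, the five-minute window, the baseline and the sample entries are all assumptions; only the three C2 domains come from the page.

```python
import csv
from datetime import datetime, timedelta, timezone

# Hosts named on this page (Kaspersky publishes them defanged, e.g. backuprabbit[.]com).
KNOWN_C2 = {"backuprabbit.com", "cloudsponcer.com", "unlimitedteacup.com"}

# Assumption: traffic to these suffixes is counted as Apple/iMessage traffic. Illustrative only;
# a real rule would use the SIEM's own classification of Apple service endpoints.
APPLE_SUFFIXES = ("apple.com", "icloud.com")

# Assumption: a non-Apple contact this soon after Apple traffic counts as "shortly after".
WINDOW = timedelta(minutes=5)

# Constructed sample log (not real telemetry): UTC timestamp, device, destination host.
SAMPLE_LOG = """\
2023-05-01T09:00:01Z,iphone-01,p50-content.icloud.com
2023-05-01T09:00:05Z,iphone-01,backuprabbit.com
2023-05-01T09:00:09Z,iphone-01,cloudsponcer.com
2023-05-01T09:00:12Z,iphone-01,unlimitedteacup.com
2023-05-01T09:10:00Z,iphone-02,p50-content.icloud.com
2023-05-01T09:11:00Z,iphone-02,www.example.com
2023-05-01T09:11:30Z,iphone-02,odd-cdn-xyz.example.net
2023-05-01T10:00:00Z,iphone-03,www.example.com
2023-05-01T10:00:30Z,iphone-03,never-seen-before.net
2023-05-01T11:00:00Z,iphone-04,p50-content.icloud.com
2023-05-01T11:30:00Z,iphone-04,never-seen-before.net
"""

# Constructed baseline of hosts the fleet has contacted before; a SIEM would keep this as state.
BASELINE = {"www.example.com"}


def is_apple(host: str) -> bool:
    """True for a host that is, or is under, one of the assumed Apple suffixes."""
    return any(host == s or host.endswith("." + s) for s in APPLE_SUFFIXES)


def parse_log(text: str) -> list:
    """Parse CSV lines into (time, device, host) tuples, oldest first."""
    events = []
    for ts, device, host in csv.reader(text.strip().splitlines()):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, device, host.strip().lower()))
    events.sort()
    return events


def detect(events, baseline=BASELINE, window=WINDOW) -> list:
    """Alert when a device talks to a known C2 host, or to a host nobody in the fleet has
    contacted before, shortly after talking to Apple. Returns alerts in time order."""
    last_apple = {}            # device -> time of its most recent Apple contact
    seen = set(baseline)       # hosts already observed fleet-wide
    alerts = []
    for when, device, host in events:
        if is_apple(host):
            last_apple[device] = when
            continue
        first_seen = host not in seen
        seen.add(host)
        if device not in last_apple or when - last_apple[device] > window:
            continue           # no recent Apple traffic on this device: sequence not matched
        delay = int((when - last_apple[device]).total_seconds())
        if host in KNOWN_C2:
            alerts.append({"device": device, "host": host, "severity": "high",
                           "reason": "known Triangulation C2", "seconds_after_apple": delay})
        elif first_seen:
            alerts.append({"device": device, "host": host, "severity": "medium",
                           "reason": "first-seen host after iMessage traffic",
                           "seconds_after_apple": delay})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, iphone-01 produces three high-severity alerts, iphone-02 one medium alert for the first-seen host, and iphone-03 and iphone-04 none: the first never talked to Apple and the second waited half an hour. The first-seen rule is the part worth keeping in a real deployment, since it does not depend on already knowing the attackers’ domains.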

Thwarted by Encryption: The HTTPS Dilemma

Identifying the servers was only half the picture. The exchanges themselves ran over HTTPS, so the captures showed which hosts were contacted, when, and roughly how much data moved, but not what was actually exchanged.

That left the team unable to tell what the devices were sending or receiving [3].

The Forensic Challenge: A Dead End with Modern iOS

Kaspersky’s next step was to examine the devices themselves. That ran into a familiar wall: existing mobile forensics tools could not get at the file system of a device running a current version of iOS.

So they fell back on iTunes backups of the devices. Running the Mobile Verification Toolkit (MVT) [4] over the backups produced a timeline of events, but the backups held little about the malware itself, so its nature stayed unknown at this stage.


Decrypting the Indecipherable: Intercepting the Traffic

To see inside the HTTPS sessions, Kaspersky set up a Linux server running mitmproxy, an HTTPS interception proxy, and routed the devices’ traffic through it with a WireGuard VPN client installed on the devices, which were also configured to trust mitmproxy’s certificate authority. That worked for most of the traffic, but not for iMessage: Apple pins the certificates its services expect, so the proxy could not intercept iMessage traffic and it stayed opaque.

Unveiling the JavaScript Validator: The First Glimpse of Malware

The effort paid off on the C2 side: the decrypted traffic to the attackers’ servers contained a JavaScript validator, a stage whose job is to check the target before anything further is delivered. It was not the exploit itself but one piece of a longer chain targeting iOS devices.

JavaScript validator, screenshot by Kaspersky

The Intricacies of Public-Key Cryptography: An Obstacle and a Tool

A harder obstacle was the attackers’ use of public-key cryptography. The stages encrypted what they sent back with the attackers’ public key, so even with HTTPS stripped away the investigators were looking at ciphertext that only the attackers could decrypt. Kaspersky worked around this by patching the malicious stages on the fly, before they reached the device, with a mitmproxy add-on.
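An illustration of the on-the-fly patching approach, added here; it is not Kaspersky’s add-on, and how the real stages embedded their keys is not described on this page. The example assumes a stage that carries its public key as a JavaScript string literal (`var pubkey = "..."`), keeps a copy of every stage the listed hosts serve, and swaps that key for one the analyst owns, so anything the device later encrypts with it can be decrypted on the analyst’s side. The hostnames come from the page; the key pattern, the placeholder keys, the sample stage and the `demo_flow` helper are constructed.

```python
import logging
import pathlib
import re
from types import SimpleNamespace
from typing import Optional

# Hosts named on this page as the attackers' servers (defanged there).
TARGET_HOSTS = {"backuprabbit.com", "cloudsponcer.com", "unlimitedteacup.com"}

# Assumption, purely illustrative: the stage embeds its public key as `var pubkey = "<base64>"`.
# The real stages' layout is not described on this page; adapt the pattern to what you capture.
KEY_PATTERN = re.compile(rb'(var\s+pubkey\s*=\s*")([A-Za-z0-9+/=]+)(")')

# Placeholder for the analyst's own base64 public key; the matching private key stays with the analyst.
ANALYST_PUBKEY = b"AnalystOwnedPublicKeyBase64Placeholder"

# Constructed sample of what a captured stage might look like (not the real validator).
SAMPLE_STAGE = (b'var pubkey = "AttackerPublicKeyBase64Placeholder";\n'
                b'function report(data) { post(encrypt(data, pubkey)); }\n')


def patch_stage(body: bytes) -> tuple:
    """Replace the embedded public key with the analyst's; return (patched_body, replacements)."""
    return KEY_PATTERN.subn(lambda m: m.group(1) + ANALYST_PUBKEY + m.group(3), body)


class StagePatcher:
    """mitmproxy addon: save every stage served by the target hosts, then patch it in flight."""

    def __init__(self, dump_dir: Optional[str] = "stages"):
        self.dump_dir = pathlib.Path(dump_dir) if dump_dir else None
        self.count = 0

    def response(self, flow):
        # Called by mitmproxy once a complete HTTP response exists; flow is an http.HTTPFlow.
        if flow.response is None or flow.request.host.lower() not in TARGET_HOSTS:
            return
        body = flow.response.content          # decoded body (mitmproxy strips gzip etc.)
        if not body:
            return
        self.count += 1
        if self.dump_dir:                     # keep the untouched original for later analysis
            self.dump_dir.mkdir(parents=True, exist_ok=True)
            (self.dump_dir / f"{self.count:03d}-{flow.request.host}.bin").write_bytes(body)
        patched, n = patch_stage(body)
        if n:
            flow.response.content = patched   # mitmproxy re-encodes and updates Content-Length
            logging.info("patched %d key(s) in %s%s", n, flow.request.host, flow.request.path)


addons = [StagePatcher()]


def demo_flow(host: str, path: str, body: bytes):
    """Stand-in for an http.HTTPFlow so the addon can be exercised without running mitmproxy."""
    return SimpleNamespace(request=SimpleNamespace(host=host, path=path),
                           response=SimpleNamespace(content=body))


if __name__ == "__main__":
    flow = demo_flow("backuprabbit.com", "/validate.js", SAMPLE_STAGE)
    StagePatcher(dump_dir=None).response(flow)
    print(flow.response.content.decode())
```

Load it with `mitmdump -s stage_patcher.py` (file name assumed) on mitmproxy 9 or later, where the standard `logging` module is routed into mitmproxy’s event log; running the file directly applies the patch to the constructed sample without a proxy. Dumping the original before patching matters: the unmodified stage is the evidence, and the patched copy is only a means of getting at what comes next.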

The Final Verdict: A Complex, Multi-Staged Attack

Operation Triangulation turned out to be a complex, multi-staged attack involving four zero-day exploits, two validators, an implant, and its auxiliary modules.

The investigation surfaced previously unknown vulnerabilities and attacker techniques, which Kaspersky has since documented publicly [2].

Takeaways for the Cybersecurity Community

Kaspersky’s meticulous investigation serves as a stark reminder of the evolving complexity of cybersecurity threats, especially those targeting ubiquitous devices like iPhones and iPads.

It also shows how far a capable actor will go to protect its tooling: encryption at every stage of the chain, so that even after the traffic had been spotted, working out what it carried took a sustained effort.

For organisations with a high-security profile, the practical lesson is that network-level monitoring of mobile devices, backup-based forensics and HTTPS interception are capabilities worth building and keeping current, because they are what made this investigation possible.

  1. https://support.kaspersky.com/help/KUMA/1.5/en-US/217694.htm
  2. https://securelist.com/operation-triangulation-catching-wild-triangle/110916/
  3. https://twitter.com/billmarczak/status/1717687044313665846
  4. https://docs.mvt.re/en/latest/
Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
