“Extraordinarily sophisticated” exploit that exposed iPhones to spyware for years
December 28, 2023
Russian cybersecurity company Kaspersky reveals an exploit for iPhones that it itself fell victim to. According to the researchers, this is one of the most advanced attacks ever.
In June, Kaspersky reported that spyware had been discovered on its employees’ iPhones. Similar spyware appeared on the devices of Russian diplomats at the same time, suggesting a large-scale campaign. Over the past few months, Kaspersky has shared more information about the spyware, and the investigation is now complete. The researchers call it the most advanced attack method they have seen to date.
A long chain
To install the spyware on the iPhone, the attackers used a chain of zero-day vulnerabilities in iOS. The vulnerabilities mainly affect older iOS versions up to version 16.2, and according to the researchers the first traces go back to 2019. It all starts with a malicious file sent via iMessage, which the victim does not even need to open for the installation process to start.
First, the attackers exploited a vulnerability caused by a flaw in iOS’s font handling. This vulnerability already gives the attackers the ability to execute code, but only with limited system privileges. The spyware then targets the iOS kernel and exploits two further vulnerabilities, one in the XNU memory-mapping code and one involving the MMIO registers. This also bypasses the built-in security mechanisms in the kernel.
A visual representation of the exploit. Source: Kaspersky
From this point on, the spyware has more or less free rein. But just to be on the safe side, a vulnerability in Safari is also exploited to execute shellcode. You can read a detailed description of the methodology in this blog.
Secret registers
It is not so much the length of the attack chain that baffles Kaspersky. For the researchers, the mystery lies in one specific vulnerability, CVE-2023-38606. As described in the previous paragraphs, it used the MMIO registers to bypass kernel security. However, the attackers did this through a hardware feature that the iOS firmware itself does not use.
In short, it worked as follows: the destination address and a hash of the data were written into unknown hardware registers on the chip. Since these registers are not actively used, it remains a mystery to Kaspersky how the attackers discovered them. The researchers suspect that the registers are used internally by Apple for debugging or testing purposes, or may even have been added accidentally. In principle, only Apple and chip suppliers such as ARM could be aware of the registers’ existence.
Kaspersky is still in the dark about how the attackers found out. All of the exploited vulnerabilities have since been fixed by Apple.
Who is behind the attack?
According to Kaspersky’s analysis, this question also remains open. The incident quickly took a geopolitical turn after Russian intelligence accused its American counterpart of espionage. Apple has also been accused of assisting with the campaign, but has always categorically denied any involvement.
“At this time, we cannot clearly attribute this cyberattack to a known threat actor. The unique features observed in Operation Triangulation do not match patterns of known campaigns,” Kaspersky researcher Boris Larin said in a response to Ars Technica.
As an experienced journalist and author, Mary has been reporting on the latest news and trends for over 5 years. With a passion for uncovering the stories behind the headlines, Mary has earned a reputation as a trusted voice in the world of journalism. Her writing style is insightful, engaging and thought-provoking, as she takes a deep dive into the most pressing issues of our time.