Le triangle jaune qui a fait tomber l’iPhone

Sylvqin

31 Jan 202422:41

Summary

TLDRResearchers at Kaspersky discovered a highly sophisticated iPhone malware that can exploit four zero-day vulnerabilities, allowing hackers to gain unauthorized access to personal data, microphone, location, and messages without detection. The malware, potentially state-sponsored, remained undetected until Kaspersky's own systems were compromised. The exploit suggests a possible collaboration between hackers and insiders, as it targets specific, undocumented memory addresses. Apple has since patched the vulnerabilities, but the attacker's identity and the extent of the breach remain unknown.

Takeaways

😨 Kaspersky researchers discovered a highly sophisticated malware that can infect iPhones without the user's knowledge, potentially siphoning off data like contacts, passwords, and messages.
🔍 The malware was found to be exploiting a zero-click vulnerability, which means it can infect a device without any user interaction.
📲 The infection could be triggered simply by having the phone number of the target, highlighting the risk of targeted attacks through SMS or iMessage.
💡 Researchers suspect that the attackers used a crafted file, possibly a .watchface or a PDF, to deliver the initial payload, which then exploited multiple zero-day vulnerabilities.
🛠️ The malware was designed to be stealthy, with functionalities to delete traces of its operation and even detect if the device was being monitored or had antivirus software.
🔐 It leveraged advanced techniques such as 'canvas fingerprinting' to identify the specific device it was infecting and to ensure it was not being analyzed by security researchers.
🤖 Machine learning capabilities of Apple's chips were exploited to automatically tag and filter photos, making the exfiltration of data more efficient.
💸 The sophistication and scale of the attack suggest that it could be the work of a state-sponsored group, with the malware potentially being worth millions of dollars.
🤐 The identity of the attackers and the exact targets remain unknown, with no clear attribution, although Russia's cybersecurity agency has pointed fingers at the U.S.'s NSA.
🛡️ Apple has patched the vulnerabilities exposed by the malware, and Kaspersky has released a tool to help users check if their iPhones have been infected.

Q & A

What was the nature of the threat discovered by Kaspersky researchers?
-Kaspersky researchers discovered a highly sophisticated form of malware that could potentially infect iPhones without the user's knowledge, compromising data such as microphone recordings, location data, contacts, passwords, and messages.
How did the malware infect the devices?
-The malware infected devices through a crafted attachment sent via iMessage, which exploited a zero-click vulnerability, meaning no user interaction was required for the infection to occur.
What was the role of the 'great team' at Kaspersky in this discovery?
-The 'great team' at Kaspersky, specialized in advanced persistent threats (APTs), was responsible for understanding how dangerous hacking groups operate and how their viruses function. They were the ones who detected the suspicious activity on their own network and investigated the malware.
What was the significance of the 'watchface' file in the malware's operation?
-The 'watchface' file was a potential candidate for the attachment that was used to initially infect the devices. It was mentioned in the context of being deleted, suggesting it played a role in delivering the malware.
How did the researchers at Kaspersky analyze the infected iPhones?
-The researchers used a combination of forensic tools, iTunes backups, and network analysis to examine the iPhones. They isolated the devices in faraday cages to block all communications and then looked for anomalies in data usage and network traffic.
What was the purpose of the yellow triangle displayed by the script on the infected devices?
-The yellow triangle was used for canvas fingerprinting, a technique to collect information about the device's graphics processor, screen resolution, browser version, and potentially the operating system, by analyzing how the browser renders the triangle.
What were the four zero-day vulnerabilities exploited by the malware?
-The four zero-day vulnerabilities were not explicitly named in the script, but they were used to gain unauthorized access to the iPhones, escalate privileges, and execute malicious code.
How did the attackers ensure they remained undetected after infection?
-The attackers used various techniques to remain undetected, including cleaning up after themselves by deleting traces of their activities, using obfuscation to hide the malware's code, and deploying validators to check if the device was being monitored or if it was a valid target.
What was the ultimate goal of the attackers once they had full access to the infected iPhone?
-The ultimate goal was to exfiltrate sensitive data from the device, which could include real-time location tracking, file access, microphone recordings, passwords, and photos. They also used machine learning capabilities of the device to sort and filter the data more efficiently.
What was the response from Apple regarding the vulnerabilities exploited in this attack?
-Apple patched all the vulnerabilities after being informed by Kaspersky about the attack. They also provided no comment on the specifics of the attack but stated that they never collaborate with any government to insert backdoors in their products.