CISA Directs Agencies to Address iPhone Vulnerabilities Exploited in Spyware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has taken action today, ordering federal agencies to promptly address recently discovered security vulnerabilities. These flaws were exploited as zero-days to deploy Triangulation spyware on iPhones through iMessage zero-click exploits.

This warning follows a report by Kaspersky, which unveiled a Triangulation malware component used in a campaign dubbed “Operation Triangulation.” Kaspersky’s investigation revealed the presence of the spyware on iPhones owned by its Moscow office employees, as well as individuals from other countries. The attacks, which began in 2019, are ongoing and rely on exploiting the now-patched iOS zero-day bugs via iMessage zero-click exploits.

Additionally, Russia’s FSB intelligence agency claimed that Apple collaborated with the NSA to create a backdoor, facilitating the infiltration of iPhones in Russia. The FSB alleged the discovery of thousands of infected iPhones owned by Russian government officials and embassy staff in Israel, China, and NATO member nations.

Apple, in response, denied any collaboration with governments to insert backdoors into its products, stating that it never has and never will engage in such activities.

Regarding the specific vulnerabilities, Apple acknowledged a kernel vulnerability and a WebKit vulnerability (CVE-2023-32434 and CVE-2023-32435) exploited in the attacks, noting that they may have been actively exploited against iOS versions released prior to iOS 15.7. Additionally, Apple recently addressed a WebKit zero-day (CVE-2023-32439) that could allow attackers to execute arbitrary code on unpatched devices. CISA has also identified this vulnerability as actively exploited.

The range of affected devices is extensive, encompassing both older and newer models, including iPhones, iPads, Macs, and Apple Watches.

In response to the threats, Apple has issued threat notifications to customers targeted in state-sponsored attacks, shortly after patching the zero-days used to deploy the Triangulation spyware. The exact incidents related to these new warnings remain unclear.

Apart from the iPhone vulnerabilities, CISA has added other critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This includes a pre-authentication command injection bug (CVE-2023-27992) affecting unpatched Zyxel Network-Attached Storage (NAS) devices. Zyxel has already advised customers to enhance the security of their systems following recent Mirai-based botnet attacks on Zyxel firewalls and VPN products.

CISA’s KEV catalog also features a VMware ESXi vulnerability (CVE-2023-20867) exploited by a Chinese-backed hacking group (UNC3886) to backdoor Windows and Linux virtual machines in data theft attacks.

Federal agencies within the U.S. Federal Civilian Executive Branch (FCEB) have been instructed to address all security vulnerabilities listed in CISA’s KEV catalog. While this directive primarily applies to federal agencies, private companies are strongly advised to prioritize addressing the vulnerabilities outlined in CISA’s KEV list, as they are known to be exploited in attacks.
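As an added example that is not part of the article, the routine below cross-references CVE IDs from a vulnerability scan against a KEV-format catalog export and reports which findings are in the catalog and which are past their remediation due date. The catalog records are constructed sample data in the shape of CISA's KEV JSON feed (a `vulnerabilities` array whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate`); the CVE IDs are the ones named in the article, while the dates, product strings and scanner findings are placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (fields trimmed).
# CVE IDs are those named in the article; dates and products are placeholders.
SAMPLE_KEV_JSON = """
{
  "title": "constructed sample - not the live CISA KEV catalog",
  "vulnerabilities": [
    {"cveID": "CVE-2023-32434", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2023-06-30", "dueDate": "2023-07-21"},
    {"cveID": "CVE-2023-32435", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2023-06-30", "dueDate": "2023-07-21"},
    {"cveID": "CVE-2023-32439", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2023-06-30", "dueDate": "2023-07-21"},
    {"cveID": "CVE-2023-27992", "vendorProject": "Zyxel", "product": "NAS",
     "dateAdded": "2023-06-30", "dueDate": "2023-07-21"},
    {"cveID": "CVE-2023-20867", "vendorProject": "VMware", "product": "ESXi",
     "dateAdded": "2023-06-30", "dueDate": "2023-07-21"}
  ]
}
"""

def load_kev(raw_json):
    """Index a KEV-format catalog by CVE ID for constant-time lookups."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}

def triage(scan_findings, kev_index, today_iso):
    """Return scan findings present in KEV, flagging those past their due date.

    scan_findings: iterable of (asset, cve_id) pairs, e.g. from a scanner export.
    today_iso: reference date as YYYY-MM-DD. Overdue items sort first, then by due date.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for asset, cve_id in scan_findings:
        entry = kev_index.get(cve_id.strip().upper())  # normalise scanner casing
        if entry is None:
            continue  # not in KEV: still a finding, but not under the CISA deadline
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"asset": asset, "cve": entry["cveID"], "vendor": entry["vendorProject"],
                     "due": entry["dueDate"], "overdue": today > due})
    hits.sort(key=lambda h: (not h["overdue"], h["due"]))
    return hits

# Constructed scanner output; the last CVE is a placeholder ID absent from KEV.
SAMPLE_FINDINGS = [("ios-fleet-01", "cve-2023-32434"),
                   ("esxi-host-07", "CVE-2023-20867"),
                   ("web-dmz-02", "CVE-2023-99999")]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), "2023-08-01"):
        print(hit)
```

Point `load_kev` at the real catalog download instead of the embedded sample to run this against a live export.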