It consists of three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two vulnerabilities in VMware (CVE-2023-20867 and CVE-2023-20887), and one flaw affecting Zyxel devices (CVE-2023-27992).
CVE-2023-32434 and CVE-2023-32435, both of which enable code execution, are said to have been exploited as zero-days to spread spyware as part of a years-long cyber-espionage campaign that began in 2019.
Dubbed Operation Triangulation, this activity culminates in the deployment of an implant called TriangleDB that is designed to harvest a wide range of information from compromised devices, with capabilities that include creating, modifying, deleting, and stealing files, listing and terminating processes, gathering credentials from iCloud Keychain, and tracking the user's location.
The attack chain begins with the targeted victim receiving an iMessage with an attachment that automatically triggers payload execution without requiring any interaction, rendering it a clickless exploit.
“The malicious message is false and does not trigger any warnings or notifications for (the user),” Kaspersky noted in the initial report.
CVE-2023-32434 and CVE-2023-32435 are two of the many vulnerabilities in iOS that have been abused in espionage attacks. One of them is CVE-2022-46690, a high-severity out-of-bounds write issue in IOMobileFrameBuffer that a rogue application can weaponize to execute arbitrary code with kernel privileges.
These weaknesses were addressed by Apple with improved input validation in December 2022.
Kaspersky noted that TriangleDB contains unused features referencing macOS, as well as requests for permissions to access the device’s microphone, camera, and address book, which it says could be taken advantage of in the future.
The Russian cybersecurity firm’s investigation into Operation Triangulation began earlier this year when it detected an intrusion on its own corporate network.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the vendor-provided patches to secure their networks against potential threats.
The development comes as CISA published an alert warning of three bugs in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that can pave the way for denial-of-service (DoS) conditions.
The weaknesses – CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911 (CVSS score: 7.5) – can be exploited remotely, resulting in the unexpected termination of the named BIND9 service or the exhaustion of all available memory on the host running named, leading to a DoS.
This is the second time in less than six months the Internet Systems Consortium (ISC) has released a patch to address a similar issue in BIND9 that could lead to DoS and system failures.