537
top 50 comments
sorted by: hot top controversial new old
[-] lemann@lemmy.dbzer0.com 158 points 11 months ago

Wow, this is a very complex exploit, involving bits of iMessage and an undocumented CPU feature that allowed the attacker to evade hardware memory protection. From what I can see, Lockdown mode would have prevented this. The attacker is ridiculously skilled regardless

Exerpts from the article missing from the bot summary:

The mass backdooring campaign, which according to Russian officials also infected the iPhones of thousands of people working inside diplomatic missions and embassies in Russia, according to Russian government officials, came to light in June. Over a span of at least four years, Kaspersky said, the infections were delivered in iMessage texts that installed malware through a complex exploit chain without requiring the receiver to take any action.

With that, the devices were infected with full-featured spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers. Although infections didn’t survive a reboot, the unknown attackers kept their campaign alive simply by sending devices a new malicious iMessage text shortly after devices were restarted.

The most intriguing new detail is the targeting of the [...] hardware feature [...]. A zero-day in the feature allowed the attackers to bypass advanced hardware-based memory protections designed to safeguard device system integrity even after an attacker gained the ability to tamper with memory of the underlying kernel.

[-] AnneBonny@lemmy.dbzer0.com 133 points 11 months ago

someone was made fun of one too many times about having green bubbles in imessage

[-] doppelgangmember@lemmy.world 54 points 11 months ago

The true villain origin story

[-] gregorum@lemm.ee 5 points 11 months ago

i'm a bit of a texter myself, you know...

load more comments (1 replies)
[-] GlitzyArmrest@lemmy.world 35 points 11 months ago

Seems like the definition of advanced persistent threat.

[-] psud@lemmy.world 30 points 11 months ago

It isn't persistent over a reboot, but the tested devices received new corrupted iMessages immediately after reboot

[-] GlitzyArmrest@lemmy.world 27 points 11 months ago* (last edited 11 months ago)

Persistent in APT isn't referring to the malware itself, but rather the threat actor. I meant that this seems like a textbook APT actor.

[-] elias_griffin@lemmy.world 2 points 11 months ago

You know what else was also super sophisticated, chained, and confident enough in it's APT to not be persistent across reboots? DOUBLEPULSAR.

[-] corsicanguppy@lemmy.ca 4 points 11 months ago

it’s

You sure?

[-] MaxVoltage@lemmy.world 10 points 11 months ago

Reminded me restart all my devices

[-] seang96@spgrn.com 30 points 11 months ago

With that many exploits being used I wouldn't be surprised to see it is a group probably government sponsored. They love iMessage exploits as original attack vectors too.

[-] psud@lemmy.world 12 points 11 months ago

Russian authorities say it was the Americans trying to spy on other NATO nations, Israel, and Ukraine. America spying on Russia's enemies.

[-] sukhmel@programming.dev 2 points 11 months ago* (last edited 11 months ago)

Well, I may be under the wrong impression but it occurred to me that the US govt likes to spy on everyone, friends and foes and the US citizens, too

Edit: punctuation

[-] Tautvydaxx@lemmy.world 6 points 11 months ago

Documentary about the pheonix software explains a lot about who used this kind of virus, mainly political figures and govermants to spy on other politicans and jornalists. The imessage exploit was known for a few years but nobody knew how the file installed itself on the device, so there was no way to figure out how to protect the device.

Which documentary?

[-] sirdorius@programming.dev 37 points 11 months ago

The exploit's sophistication and the feature's obscurity suggest the attackers had advanced technical capabilities

exploiting a vulnerability in an undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of.

according to Russian officials also infected the iPhones of thousands of people working inside diplomatic missions and embassies in Russia

the devices were infected with full-featured spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers

Sounds like government espionage

puts tinfoil hat on

[-] adrian783@lemmy.world 2 points 11 months ago

4 zero days means they bought it on black market at least.

[-] elias_griffin@lemmy.world 37 points 11 months ago

I recently invented a "People First" Cybersecurity Vulnerability Scoring method and I called it CITE, Civilian Internet Threat Evaluation with many benefits over CVSS. In it, I prioritize "exploit chains" as the primary threat going forward. Low and behold, this new exploit, although iOS, possibly one of the most sophisticated attacks ever using one of the longest exploit chains ever! Proof positive!

Depending on how you define it; I define the Kaspersky diagram has 8 steps. In my system, I define steps that advance the exploit discretely as stages, so I would evaluated Triangulation to be a 4 stage exploit chain. I should tally this attack to see how it scores and make a CITE-REP(ort).

You can read about it if interested. An intersting modeling problem for me was does stages always equate to complexity? Number of exploits in the chain make it easier or harder to intrusion detect given that it was designed as a chain, maybe to prevent just that? How are stages, complexity, chains and remediation evaluted inversely?

https://www.quadhelion.engineering/articles.html

[-] corsicanguppy@lemmy.ca 39 points 11 months ago
[-] kboy101222@sh.itjust.works 23 points 11 months ago* (last edited 11 months ago)

That's Standards, isn't it?

Edit: yup

[-] shea 10 points 11 months ago* (last edited 11 months ago)

is this how people who quote Bible verses feel? i can just surmise the meaning by the number and the context because I'm so familiar with the source

[-] SnipingNinja@slrpnk.net 4 points 11 months ago

I just surmise by the context and end up usually correct so the numbers haven't quite clicked in yet

load more comments (1 replies)
[-] crsu@lemmy.world 6 points 11 months ago

no garfield 3:16

[-] SpacePirate@lemmy.ml 15 points 11 months ago* (last edited 11 months ago)

Glancing through your article, while you have correctly assessed the need for risk based prioritization of vulnerability remediation and mitigation, your central premise is flawed.

Vulnerability is not threat— CVSS is a scoring system for individual vulnerabilities, not exploit chains. For that, you’ll want to compare with ATT&CK or the legacy cyber kill chain.

[-] elias_griffin@lemmy.world 5 points 11 months ago* (last edited 11 months ago)

Help me understand your glancing criticisms that I'm taking with a grain of salt.

  1. You didn't mention the central premise that is flawed, what do you think it is?
  2. I'm not confused about vulnerability and threat, what specifically did read to you give you that impression?

You mention that CVSS, which I hold Certification in, is for scoring single threats which I said so many times that is why I made such a system, to depart from CVSS singular, that is inadequate in being singular and common. Glance again?

Compare what with attack? Also, if you mean Lockheed Martin Cyber Kill Chain, that has nothing to do with scoring, that is the methology OF the attack and defense of it, not the attack itself, is a defensive strategy includng reconaissance and nothing to do with scoring.

[-] SpacePirate@lemmy.ml 15 points 11 months ago* (last edited 11 months ago)
  1. From the title of your article and your executive summary, the premise of your paper is that CVSS is flawed, and CITE is your solution.
  2. From the title of your article, and choice of name, “QHE CVSS Alternative; CITE”. CVSS is a VULNERABILITY Scoring System. CITE, as your propose, is a THREAT evaluation tool. You can see how one could have the impression that they were incorrectly being used interchangeably.

As you yourself stated, CVSS does exactly what it says on the box. It provides a singular rating for a software vulnerability, in a vacuum. It does not prescribe to do anything more, and it does a good job doing what it sets out to do (including specifically as an input to other quantitative risk calculations).

Compare what with attack?

Your methodology heavily relies on “the analysis of cybersecurity experts”, and in particular, frequently references “exploit chains”, mappings which are not clearly defined, and appears to rely on the knowledge of the individual practitioner, rather than existing open frameworks. MITRE ATT&CK and CAPEC already provide such a mapping, as well as a list of threat actor groups leveraging tactics, techniques, and procedures (e.g., exploitation of a given CVE). Here’s a good articlewhich maps similarly to how we operate our cybersecurity program.

I think there is a lot on the mark in your article about the issues with cybersecurity today, but again, I believe that your premise that CVSS needs replacing is flawed, and I don’t think you provided a compelling case to demonstrate how/why it is flawed. If anything, I think you would agree that if organizations are exclusively using CVSS scores to prioritize remediation, they’re doing it wrong, and fighting an impossible battle. But this means the organization’s approach is wrong, not CVSS itself.

Your article stands better alone as a proposal for a methodology for quantifying risk and threat to an organization (or society?), rather than as a takedown of CVSS.

[-] elias_griffin@lemmy.world 9 points 11 months ago* (last edited 11 months ago)

Ah, much better. MITRE CWSS + CWARF is comprehensive, yet insular and as is MITRE, Military/NATSEC Focused. I do not see any flaws in my reasoning, but words as communication. I do concede that maybe my saying an alternative to CVSS is not really the best wording as I see such things in very broad terms, but I get the perspective now. As in, the common singular, Gov/Corp system does not fit, I need an alternative model that does. In contrast to I need another exactly scoped system that does it differently alternative.

To evidence this I can point to that fact that I even advocated that CVSS-BTE v4.0 should be NVD baseline, but I didn't make this very clear that I'm expanding the CVSS as an alternative use, different in applicability, essential in nature, and somewhat built upon CVSS and OWASP with a different, very important objective.

Not replacment which I never intended.. I'll change the article to reflect those views, well done.

[-] return2ozma@lemmy.world 4 points 11 months ago

Thanks for sharing! I'm amazed at how sophisticated this was.

[-] LainOfTheWired@lemy.lol 36 points 11 months ago

It's not purely talent that allows them to make this kind of stuff. Otherwise people outside of these agencies would be making this stuff too. It's also the fact the CIA or any of the others can go to apple for example and get all of the information on how these chips are made and the firmware on them, then put the company under a gag order.

It is silly to assume the governments hackers are any better then a good hacker that doesn't work for them. And you need to realise that their advantages come from legal power, resources, and lesser regulations on research.

Because a lot of silly conspiracy theories seem to stem from people believing that the government are somehow superior beings, when the only thing that makes them different from anyone else is power.

[-] PM_Your_Nudes_Please@lemmy.world 14 points 11 months ago* (last edited 11 months ago)

Yup. The government has historically had issues keeping good hackers on their payroll. Because the good ones can make way more money in the private sector, so what incentive do they have to actually stick around?

There’s also the issue that the federal government has been required to drug test due to regulations requiring all federal employees to be tested. And good luck finding a good hacker who would be willing to take a drug test.

The only real edge the government hackers have is that they can force companies to give them insider access.

[-] agitatedpotato@lemmy.world 7 points 11 months ago

If you hire the hackers that tried to hack you instead of sending them to prison, you can fix the talent retention problem, but I think they already figured that out. Wonder if the kid who hacked GTA is being looked at in that way or if they don't want to deal with his mannerisms.

load more comments (4 replies)
[-] autotldr@lemmings.world 28 points 11 months ago

This is the best summary I could come up with:


Researchers on Wednesday presented intriguing new findings surrounding an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky.

Chief among the discoveries: the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of.

“The exploit's sophistication and the feature's obscurity suggest the attackers had advanced technical capabilities,” Kaspersky researcher Boris Larin wrote in an email.

“Our analysis hasn't revealed how they became aware of this feature, but we're exploring all possibilities, including accidental disclosure in past firmware or source code releases.

A fresh infusion of details disclosed Wednesday said that “Triangulation”—the name Kaspersky gave to both the malware and the campaign that installed it—exploited four critical zero-day vulnerabilities, meaning serious programming flaws that were known to the attackers before they were known to Apple.

The researchers found that several of MMIO addresses the attackers used to bypass the memory protections weren’t identified in any device tree documentation, which acts as a reference for engineers creating hardware or software for iPhones.


The original article contains 653 words, the summary contains 200 words. Saved 69%. I'm a bot and I'm open source!

[-] JustUseMint@lemmy.world 17 points 11 months ago* (last edited 11 months ago)

There are few groups I think they could pull off such a stunt and would even want to. Nation state actors from the US such as CIA/NSA, or China, like the Ministry of Industry and Information Technology. They have a many other gov sectors with very talented APT groups. I'd bring up that NK nation state actors are also very talented, but they've been recently aligned with Russia. Perhaps their loyalty to the CCP is stronger than their current Russian ties.

[-] elias_griffin@lemmy.world 5 points 11 months ago

Skill is certainly one evaluation parameter and Fin7, JokerStash, Carbanak fit that bill but that is not their MO. Target, motive, opportunity -> Embassy Employees/Diplomats -> Nation-State or Intergovernmental Group (like 5/9/14 eyes) as eval combined with skill rating, @95% confidence.

load more comments (1 replies)
[-] Treczoks@lemmy.world 8 points 11 months ago

I wonder how many of those exploits were long known by the three-letter agencies, and were hoarded instead of getting fixed.

[-] Classy@sh.itjust.works 8 points 11 months ago

Can't wait to listen to the Darknet Diaries interview about this in a few years.

[-] tsonfeir@lemm.ee 2 points 11 months ago

It’s important to reboot your devices frequently

[-] vext01@lemmy.sdf.org 2 points 11 months ago

Does ios have any ROP mitigations?

[-] LodeMike@lemmy.today 2 points 11 months ago

Can the US government pass a law to force Apple specifically to rip out the messages app and replace it with something that apparently doesn’t have infinite exploits??

[-] Tautvydaxx@lemmy.world 17 points 11 months ago

There is no such thing as a device or software without exploit, even a carrier pigeon can be cought and the messege read.

[-] ExLisper@linux.community 9 points 11 months ago

What if the pigeon has a gun?

[-] thorbot@lemmy.world 5 points 11 months ago

That’s it boys. We’ve found the answer. Pack it up

[-] woodenskewer@lemmy.world 3 points 11 months ago

iGun patch incoming

[-] solrize@lemmy.world 3 points 11 months ago

You are thinking of exploding penguins.

[-] Tja@programming.dev 7 points 11 months ago

Not if you wirte the message using invisible ink.

load more comments (1 replies)
[-] EngineerGaming@feddit.nl 3 points 11 months ago

I wouldn't trust a service whose source code is not accessible though.

[-] Zink@programming.dev 2 points 11 months ago

We may not have carrier pigeon DNA readily available, but it is certainly accessible!

[-] Cocodapuf@lemmy.world 5 points 11 months ago

How would that help them? Even if that were an effective measure (which it isn't), it was almost certainly a us spy agenciy that did this.

[-] crsu@lemmy.world 2 points 11 months ago

Not necessarily, five eyes share intelligence responsibilities

load more comments
view more: next ›
this post was submitted on 27 Dec 2023
537 points (100.0% liked)

Technology

59598 readers
3121 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS