Apple issues third mobile OS update after zero-click spyware campaign

Apple on Monday issued its third security update in roughly a month to remedy vulnerabilities exploited in Operation Triangulation, a spyware campaign that researchers say specifically targeted iMessage users in Russia.

The Russian arm of cybersecurity firm Kaspersky on June 1 revealed the details of a zero-click iOS exploit. The company’s researchers said they discovered it while monitoring the company’s own corporate Wi-Fi network dedicated to mobile devices. The findings were released the same day Russia’s Federal Security Service, or FSB, said it had uncovered an American espionage operation targeting Apple devices in Russia in cooperation with Apple.

Apple told CyberScoop at the time that had “never worked with any government to insert a backdoor into any Apple product and never will.”

Kaspersky has not attributed the campaign.

Monday’s security patch addressed a vulnerability tracked as CVE-2023-38606 and had been actively exploited against versions of Apple’s mobile operating system before version 15.7.1, the company said in the notice, an iteration of the operating system that was replaced with the release of iOS 16 in September 2022.

“Apple has addressed one more kernel vulnerability discovered by Kaspersky researchers during the investigation of the Operation Triangulation attack,” the company said in an emailed statement Tuesday. “This zero-day vulnerability CVE-2023-38606 was part of the discovered zero-click exploit chain. It affected a wide range of Apple products – iPhones, iPods, iPads, macOS devices, Apple TV and Apple Watch. Patching is available as part of the Apple Security Updates release as of July 24, 2023, and we highly recommend users to update their devices.”

Previous patches associated with Operation Triangulation address vulnerabilities tracked as CVE-2023-32434 and CVE-2023-32435. The patch was one of eight security updates issued Monday.

Phil Stokes, a threat researcher with SentinelLabs, said in an email that Apple’s update concerns a bug that affects both macOS and iOS “but has only been reported as exploited in the wild against iOS devices to date.” His team is not aware of any of the malware or exploits being used aside from public reporting he said, but Apple users should update their operating systems as part of a wider security strategy.

“In the larger context, the number and timing of these updates suggest that investigation into Operation Triangulation is still ongoing and we are likely to see more details unfold in the near future,” Stokes added. “It is certainly unusual to see Apple roll out repeated patches in such a short space of time to address vulnerabilities related to one particular threat campaign.”

Updated July 25, 2023: This story has been updated to include comment from Kaspersky and Phil Stokes.