Cyber security: six new vulnerabilities in the US Agency catalog
Apple, VMware and Zyxel involved: CISA's list of Known Exploited Vulnerabilities grows by six new flaws, two of them uncovered through a cyber espionage campaign
The US Cybersecurity and Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerabilities (KEV) catalog with six new entries. As with every KEV addition, the decision was based on evidence that the vulnerabilities are being actively exploited in the wild.
Three Apple vulnerabilities, two in VMware and a flaw in Zyxel devices
The new additions are three vulnerabilities Apple fixed during the week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two in VMware products (CVE-2023-20867 and CVE-2023-20887), and a bug affecting Zyxel devices (CVE-2023-27992). In particular, CVE-2023-32434 (a kernel flaw) and CVE-2023-32435 (a WebKit flaw), both of which allow arbitrary code execution, were exploited as zero-days in a cyber espionage campaign that has been active since 2019.
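CISA publishes the KEV catalog as a JSON feed, and the routine chore behind an update like this one is checking whether anything in your own asset inventory has just been listed. The following is an added example, not code from the article, from CISA or from any vendor named here: it parses a document laid out like the KEV feed (the field names `vulnerabilities`, `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` are the feed's own; the six records and their product and due-date values are constructed for the example and are not copies of the real catalog entries), normalizes CVE identifiers so a mangled ID such as the `CVE-2023 -20887` that appeared in the text above still matches, and reports which inventory items are catalogued and whether their remediation due date has passed.

```python
"""Cross-check an inventory of CVE identifiers against a KEV-format catalog.

Added example, not part of the original article. The JSON shape mirrors the
structure of CISA's public known_exploited_vulnerabilities.json feed; the
records below are constructed for this demo (only the CVE IDs are real
identifiers), so vendor/product/date values are illustrative only.
"""
import json
import re
from datetime import date
from typing import Dict, List, Optional

# Constructed sample in the KEV feed's shape (not the real catalog entries).
SAMPLE_KEV_JSON = """
{
  "title": "Sample KEV catalog (constructed for this example)",
  "catalogVersion": "2023.06.23",
  "dateReleased": "2023-06-23T00:00:00.0000Z",
  "count": 6,
  "vulnerabilities": [
    {"cveID": "CVE-2023-32434", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2023-06-23", "dueDate": "2023-07-14"},
    {"cveID": "CVE-2023-32435", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2023-06-23", "dueDate": "2023-07-14"},
    {"cveID": "CVE-2023-32439", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2023-06-23", "dueDate": "2023-07-14"},
    {"cveID": "CVE-2023-20867", "vendorProject": "VMware", "product": "Tools",
     "dateAdded": "2023-06-23", "dueDate": "2023-07-14"},
    {"cveID": "CVE-2023-20887", "vendorProject": "VMware", "product": "Aria Operations for Networks",
     "dateAdded": "2023-06-23", "dueDate": "2023-07-14"},
    {"cveID": "CVE-2023-27992", "vendorProject": "Zyxel", "product": "Multiple NAS Devices",
     "dateAdded": "2023-06-23", "dueDate": "2023-07-14"}
  ]
}
"""

CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)


def normalize_cve(raw: str) -> Optional[str]:
    """Return a canonical 'CVE-YYYY-NNNN' string, or None if no CVE ID is present.

    All whitespace is removed first, so identifiers mangled by copy/paste or
    text extraction (e.g. 'CVE-2023 -20887') still resolve correctly.
    """
    compact = re.sub(r"\s+", "", raw)
    match = CVE_RE.search(compact)
    if not match:
        return None
    return f"CVE-{match.group(1)}-{match.group(2)}"


def load_kev(kev_json: str) -> Dict[str, dict]:
    """Parse a KEV-format JSON document and index its entries by normalized CVE ID."""
    catalog = json.loads(kev_json)
    index: Dict[str, dict] = {}
    for entry in catalog["vulnerabilities"]:
        cve = normalize_cve(entry["cveID"])
        if cve is not None:
            index[cve] = entry
    return index


def check_inventory(inventory: List[str], kev: Dict[str, dict], today: date) -> List[dict]:
    """Return one record per inventory CVE that appears in the KEV index.

    Each record carries vendor/product/dates from the catalog plus an 'overdue'
    flag: True when the catalog's remediation due date is earlier than `today`.
    Unparseable strings and duplicate IDs in the inventory are skipped.
    """
    seen = set()
    hits: List[dict] = []
    for raw in inventory:
        cve = normalize_cve(raw)
        if cve is None or cve in seen or cve not in kev:
            continue
        seen.add(cve)
        entry = kev[cve]
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cveID": cve,
            "vendorProject": entry["vendorProject"],
            "product": entry["product"],
            "dateAdded": entry["dateAdded"],
            "dueDate": entry["dueDate"],
            "overdue": due < today,
        })
    return hits


if __name__ == "__main__":
    # Constructed inventory: one mangled ID, one duplicate, one CVE not in the sample.
    inventory = ["CVE-2023 -20887", "CVE-2023-32434", "CVE-2021-44228", "cve-2023-32434"]
    for hit in check_inventory(inventory, load_kev(SAMPLE_KEV_JSON), date(2023, 7, 20)):
        status = "OVERDUE" if hit["overdue"] else "open"
        print(f"{hit['cveID']}  {hit['vendorProject']}/{hit['product']}  due {hit['dueDate']}  {status}")
```

In practice the JSON would come from the live feed rather than an embedded string, and the inventory from a vulnerability scanner or SBOM export; the normalization step matters because scanner and ticket exports routinely carry IDs with stray whitespace or inconsistent case.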
How the Triangulation operation works and zero-click attacks
Operation Triangulation, as the campaign has been dubbed, relies on the TriangleDB implant, which is designed to collect a wide range of information from compromised devices: creating, modifying, removing and stealing files; listing and terminating processes; harvesting iCloud Keychain credentials; and tracking the user's location. The attack chain begins with an iMessage carrying a malicious attachment that is processed automatically, with no user interaction, which makes it a zero-click attack. As Kaspersky's initial report noted, the malicious message is malformed and triggers no alert or notification for the user.
Kaspersky's investigation and recommendations to US federal agencies
CVE-2023-32434 and CVE-2023-32435 are only two of several iOS flaws exploited in the spying campaign. Another is CVE-2022-46690, a high-severity bug that lets a malicious app execute arbitrary code with kernel privileges; Apple addressed it with improved input validation in December 2022. Kaspersky also reported that TriangleDB contains unused code referencing macOS and requests entitlements for the device's microphone, camera and address book that its code never uses, capabilities that could be activated in the future. Kaspersky's investigation into Operation Triangulation began earlier this year, when it discovered the compromise on its own corporate network. In response, Federal Civilian Executive Branch (FCEB) agencies are being directed to apply the vendor-provided patches, as KEV additions require under CISA's Binding Operational Directive 22-01, to protect their networks.
06/24/2023 19:24
Marco Verro