from Hacker News

Scan iPhone backups for traces of compromise by “Operation Triangulation”

by j4nek on 6/2/23, 12:45 PM with 153 comments

  • by londons_explore on 6/2/23, 1:42 PM

    If I were an intelligence agency, I would have one department whose job is to 'get caught'. I.e. they use dumb methods to spy on obvious targets, like using exploits to install malware that leaves a wake of plenty of discoverable info and loudly sends data back to the mothership.

    I would then have another department whose job is to be as subtle as possible - for example, all their exploits are 'in ram' and all data sent back is plausibly deniable. (for example, rather than using a random 256 bit nonce while establishing an HTTPS connection to apple to check for updates, use 256 bits of encrypted data you wish to exfiltrate)

  • by transpute on 6/2/23, 1:42 PM

    The open-source Mobile Verification Toolkit scans local iPhone/iPad backup images for filesystem IoCs (Indicators of Compromise) cataloged in STIX format, https://docs.mvt.re & https://github.com/mvt-project/mvt

    > A collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices ... released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus project along with a technical forensic methodology.

    STIX IoC format, https://www.oasis-open.org/2021/06/23/stix-v2-1-and-taxii-v2...

    > The [threat intelligence] work was based initially on three specifications contributed by the US Department of Homeland Security (DHS) for development and standardization under the OASIS open standards process: STIX (Structured Threat Information Expression), TAXII (Trusted Automated Exchange of Indicator Information), and CybOX (Cyber Observable Expression).

    iOS IoC sources, please add to this list:

      https://github.com/AmnestyTech/investigations
      https://github.com/citizenlab/malware-indicators
      https://securelist.com/operation-triangulation/109842/

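
Since MVT came up, here is a small Python sketch of what "scan a backup for STIX IoCs" actually means in practice. This is an added example, not MVT's own code and not any published indicator set: the STIX bundle and the backup records are constructed with placeholder values (`c2-placeholder.invalid`, `placeholder-payload.bin`, a dummy SHA-256), and the pattern parser only handles simple equality comparisons, which is what most distributed IoC bundles contain.

```python
"""Toy STIX 2.1 indicator loader and backup-record matcher.

Added example, not MVT's code. It shows the shape of the check: load the
indicators from a STIX bundle, then compare them against records pulled out
of a local iTunes-style backup (file paths from the backup manifest, domains
from network/DNS caches). Only equality comparisons joined by OR are parsed.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from posixpath import basename

# One comparison inside a STIX pattern, e.g.  domain-name:value = 'x'
# or  file:hashes.'SHA-256' = '...'
COMPARISON_RE = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")

# Constructed STIX 2.1 bundle with PLACEHOLDER indicators (not real IoCs).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "placeholder C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2-placeholder.invalid']",
         "valid_from": "2023-06-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "placeholder dropped file", "pattern_type": "stix",
         "pattern": "[file:name = 'placeholder-payload.bin']",
         "valid_from": "2023-06-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "placeholder file hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
         "valid_from": "2023-06-01T00:00:00Z"},
    ],
})

# Constructed records, as a backup parser would emit them (placeholder data).
SAMPLE_RECORDS = [
    {"kind": "file", "value": "Library/SMS/Attachments/ab/11/placeholder-payload.bin",
     "sha256": "0" * 64},
    {"kind": "file", "value": "Library/Preferences/com.apple.facetime.plist"},
    {"kind": "file", "value": "private/var/tmp/unrelated-name.dat", "sha256": "ab" * 32},
    {"kind": "domain", "value": "api.c2-placeholder.invalid"},
    {"kind": "domain", "value": "example.invalid"},
]


@dataclass(frozen=True)
class Ioc:
    indicator_id: str
    name: str
    object_type: str  # e.g. "domain-name" or "file"
    prop: str         # e.g. "value", "name", "hashes.SHA-256"
    value: str        # lower-cased comparison value


def load_iocs(bundle_json: str) -> list[Ioc]:
    """Extract every equality comparison from each STIX indicator in a bundle."""
    bundle = json.loads(bundle_json)
    iocs: list[Ioc] = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for otype, prop, value in COMPARISON_RE.findall(obj["pattern"]):
            prop = prop.replace("'", "")  # hashes.'SHA-256' -> hashes.SHA-256
            iocs.append(Ioc(obj["id"], obj.get("name", ""), otype, prop, value.lower()))
    return iocs


def domain_matches(candidate: str, ioc_domain: str) -> bool:
    """True on an exact match or when candidate is a subdomain of the IoC domain."""
    candidate = candidate.lower().rstrip(".")
    return candidate == ioc_domain or candidate.endswith("." + ioc_domain)


def match_records(records: list[dict], iocs: list[Ioc]) -> list[dict]:
    """Compare backup-derived records against the IoCs and return the hits."""
    hits = []
    for rec in records:
        for ioc in iocs:
            matched = False
            if rec["kind"] == "domain" and ioc.object_type == "domain-name" and ioc.prop == "value":
                matched = domain_matches(rec["value"], ioc.value)
            elif rec["kind"] == "file" and ioc.object_type == "file":
                if ioc.prop == "name":
                    matched = basename(rec["value"]).lower() == ioc.value
                elif ioc.prop == "hashes.SHA-256":
                    matched = rec.get("sha256", "").lower() == ioc.value
            if matched:
                hits.append({"record": rec, "indicator": ioc.indicator_id, "name": ioc.name})
    return hits


def scan(bundle_json: str = STIX_BUNDLE, records: list[dict] = SAMPLE_RECORDS) -> list[dict]:
    """Load the bundle and match it against the records; returns the hit list."""
    return match_records(records, load_iocs(bundle_json))


if __name__ == "__main__":
    for hit in scan():
        print(f"{hit['indicator']}  {hit['name']}: {hit['record']['value']}")
```

The domain check accepts subdomains on purpose (an IoC of `c2-placeholder.invalid` should flag `api.c2-placeholder.invalid`), while a string that merely ends in the same characters (`notc2-placeholder.invalid`) is not a hit; that distinction is where naive substring matching produces false positives.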
  • by buildbuildbuild on 6/2/23, 1:10 PM

    Cautionary note: many entities do not allow running Kaspersky software including this tool.

    https://en.wikipedia.org/wiki/Kaspersky_bans_and_allegations...

  • by infotogivenm on 6/2/23, 2:51 PM

    That these 0days were clearly “burned” for this occasion tells me the NSA has no shortage of them.

  • by dmix on 6/2/23, 1:17 PM

    Context, iMessage attachment based iOS exploit: https://news.ycombinator.com/item?id=36151220

    Seems pretty noisy IMO. It prevents software updates with visible errors. I wonder if it's just the limitations of iOS or it's a non-nation state actor. I noticed it modifies some FaceTime files, I wonder if it exploits the camera through that.

  • by kornhole on 6/2/23, 3:05 PM

    The NSA has no problem with end-to-end encryption as long as they can listen in on one end.

  • by nailer on 6/2/23, 1:34 PM

    > While monitoring the network traffic of our own corporate Wi-Fi network using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we discovered a previously unknown mobile APT campaign targeting iOS devices.

    What is APT in this context?

  • by m3kw9 on 6/2/23, 3:10 PM

    If you are someone “important”, you need to turn off iMessage as that is a huge risk factor as it’s a system app. There will always be zero click exploits and that should be all you need to know.

  • by psychphysic on 6/2/23, 1:11 PM

    Now we just need a tool to detect Pegasus and Graphite.

  • by slobiwan on 6/2/23, 1:55 PM

    Slightly off-topic, but how do I download an iCloud backup so I can scan it with this tool? The googles imply that I can only recover my device from the cloud, not retrieve old backups for other purposes.

  • by AlbinoDaffy on 6/2/23, 7:45 PM

    iMazing supports the same kind of scanning based on the open source Mobile Verification Toolkit. Plus overall better backup management for iOS and iPadOS compared to iTunes, even on the free tier.

    https://imazing.com/guides/detect-pegasus-and-other-spyware-...

  • by cynicalsecurity on 6/2/23, 5:11 PM

    Warning: Kaspersky is a fierce supporter of Putin's fascist regime. His company is known for working for the FSB. Think twice before running any software created by them on your computer.

    I would recommend forking it, thoroughly analysing every line of code and running it on a dedicated computer without internet. Always keep in mind you can't trust them at all.

  • by avodonosov on 6/2/23, 1:24 PM

    FSB statement, from the same day Kaspersky reported this exploit:

    https://www-fsb-ru.translate.goog/fsb/press/message/single.h...

  • by chrisfinazzo on 6/2/23, 2:23 PM

    Local, encrypted backups are a thing - use them.

    It's debatable how useful this advice is for field agents, who might not be carrying a computer with them all the time, but for regular people it's entirely feasible.