The exploit uses 4 zero-days in iMessage to give root privileges and load spyware with zero clicks!
Wow, there is a lot going on here!
Would lockdown mode have helped?
🤯
> After exploiting all the vulnerabilities, the JavaScript exploit can do whatever it wants to the device including running spyware, but the attackers chose to: (a) launch the IMAgent process and inject a payload that clears the exploitation artefacts from the device; (b) run a Safari process in invisible mode and forward it to a web page with the next stage. The web page has a script that verifies the victim and, if the checks pass, receives the next stage: the Safari exploit.
I wonder what "verifies the victim" means. Sounds like they have targeted an individual with this crazy attack chain. This wouldn't be the first case iirc.
Strange indeed 🤔
> but the attackers chose to: (a) launch the IMAgent process and inject a payload that clears the exploitation artefacts from the device; (b) run a Safari process in invisible mode and forward it to a web page with the next stage.
Do we know what web page it was forwarding to?
You mean the domain name/IP? I don't know if that's been disclosed. On the next line it indicates the web page mostly just loads some JavaScript to perform another exploit.