The US Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploitable Vulnerabilities (KEV) list, citing evidence of active exploitation.
This includes three vulnerabilities that Apple fixed this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two vulnerabilities in VMware (CVE-2023-20867 and CVE-2023-20887), and a vulnerability affecting Zyxel devices (CVE-2023-27992).
CVE-2023-32434 and CVE-2023-32435, both of which allow code execution, were said to have been exploited as zero-days to deploy spyware as part of a years-long cyberespionage campaign that began in 2019.
Dubbed Operation Triangulation, this activity culminates in the deployment of TriangleDB, an implant designed to collect a wide range of information from compromised devices: creating, modifying, deleting and stealing files; listing and terminating processes; harvesting credentials from iCloud Keychain; and tracking the user's location, to name a few.
The attack chain begins with the targeted victim receiving an iMessage with an attachment that automatically triggers the execution of the payload without the need for any interaction, making it a zero-click exploit.
“The malicious message is malformed and does not trigger any alerts or notifications for the user,” Kaspersky said in its preliminary report.
CVE-2023-32434 and CVE-2023-32435 are two of the many iOS vulnerabilities that have been exploited in espionage attacks. Another is CVE-2022-46690, a high-severity out-of-bounds write issue in IOMobileFrameBuffer that could be weaponized by a rogue app to execute arbitrary code with kernel privileges.
The weakness was addressed by Apple in December 2022 with improved input validation.
Kaspersky also noted that TriangleDB contains unused features referencing macOS, as well as permissions requesting access to the device’s microphone, camera, and address book, which it said could be leveraged in the future.
The Russian cybersecurity company’s investigation into Operation Triangulation began at the beginning of the year, after it discovered a compromise in its own enterprise network.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply vendor-provided patches to secure their networks against potential threats.
The development comes as CISA has issued a warning about three bugs in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could lead to a denial-of-service (DoS) condition.
The flaws – CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911 (CVSS scores: 7.5) – could be exploited remotely, resulting in the unexpected termination of the BIND 9 `named` service or exhaustion of all available memory on the host running `named`, leading to DoS.
This is the second time in less than six months that the Internet Systems Consortium (ISC) has released patches to address similar issues in BIND9 that can lead to DoS and system failures.