<\/p>\n\n\n\n
Quick Summary: Operation Triangulation is an iOS zero-click exploit that will self destruct, looks to have been used since at least 2019, works on iOS 15.7, unsure if it works on iOS 16. Can collect location, mic recordings, photos, and manipulate iMessages. First point of entry is from an iMessage message, that compromises the device, after compromise, the message gets deleted. <\/p>\n\n\n\n
<\/p>\n\n\n\n
https:\/\/securelist.com\/operation-triangulation\/109842\/<\/a><\/p>\n\n\n\n https:\/\/www.kaspersky.com\/about\/press-releases\/2023_kaspersky-reports-on-new-mobile-apt-campaign-targeting-ios-devices<\/a><\/p>\n\n\n\n <\/p>\n\n\n\n https:\/\/arstechnica.com\/information-technology\/2023\/06\/clickless-ios-exploits-infect-kaspersky-iphones-with-never-before-seen-malware\/<\/a><\/p>\n\n\n\n Links for checking for infection.<\/p>\n\n\n\n https:\/\/securelist.com\/find-the-triangulation-utility\/109867\/<\/a><\/p>\n\n\n\n https:\/\/github.com\/KasperskyLab\/triangle_check<\/a><\/p>\n\n\n\n The following is a list of C&C domains from the securelist.com article. Did a quick DNS lookup for each domain and they currently have the following records & IP addresses. Note that these can change at any time and some of the IP addresses are\/can be shared with other legitimate websites if it is on a shared hosting provider.<\/p>\n\n\n\n <\/p>\n\n\n\n List of domains<\/p>\n\n\n\n List of IPv4 addresses used<\/p>\n\n\n\n Bash command to get an updated IP address list. bad.txt contains all the above domain names.<\/p>\n\n\n\n If you have a DNS server, you can check to see if there has been any name resolution by using the following. Change named.log to your dns log<\/p>\n\n\n\n Mikrotik packet sniffer settings to capture traffic coming or going to the above IP addresses.<\/p>\n\n\n\n You can then start the sniffer by running Tools -> Packet Sniffer Settings -> Start <\/p>\n\n\n\n or run<\/p>\n\n\n\n <\/p>\n\n\n\n Apple issued an update that fixes the kernel part of the vulnerability. <\/p>\n\n\n\n https:\/\/securelist.com\/triangledb-triangulation-implant\/110050\/<\/a><\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" Quick Summary: Operation Triangulation is an iOS zero-click exploit that will self destruct, looks to have been used since at least 2019, works on iOS 15.7, unsure if it works on iOS 16. Can collect location, mic recordings, photos, and … Continue reading addatamarket.net - sandy.ns.cloudflare.com, doug.ns.cloudflare.com - No A records, or TXT\nbackuprabbit.com - nelci.ns.cloudflare.com, morgan.ns.cloudflare.com - No A records, or TXT\nbusinessvideonews.com - ns2.dnsowl.com, ns3.dnsowl.com, ns1.dnsowl.com - 198.251.81.30, 209.141.38.71, 107.161.23.204\ncloudsponcer.com - Cloudflare, kipp.ns.cloudflare.com, joyce.ns.cloudflare.com\ndatamarketplace.net - ns78.domaincontrol.com, ns77.domaincontrol.com, 34.98.99.30\nmobilegamerstats.com - ns1.bitdomain.biz, No A records, TXT=v=spf1 redirect=_spf.mailhostbox.com\nsnoweeanalytics.com - cody.ns.cloudflare.com, arlee.ns.cloudflare.com - 104.21.76.6, 172.67.184.201\ntagclick-cdn.com - ns4.bitdomain.biz, ns3.bitdomain.biz, ns2.bitdomain.biz, ns1.bitdomain.biz - No A records, TXT=v=spf1 redirect=_spf.mailhostbox.com\"\ntopographyupdates.com - nero.ns.cloudflare.com, dalary.ns.cloudflare.com - 104.21.27.67, 172.67.141.199\nunlimitedteacup.com - nelci.ns.cloudflare.com, javon.ns.cloudflare.com - 104.21.55.58, 172.67.145.72\nvirtuallaughing.com - elaine.ns.cloudflare.com, braden.ns.cloudflare.com - 104.21.60.240, 172.67.202.140\nweb-trackers.com - dns1.registrar-servers.com, dns2.registrar-servers.com - 15.164.228.250\ngrowthtransport.com - ns3.dnsowl.com, ns2.dnsowl.com, ns1.dnsowl.com - 198.251.81.30, 107.161.23.204, 209.141.38.71\nanstv.net - ns64.domaincontrol.com, ns63.domaincontrol.com. - 93.90.223.185\nans7tv.net - ns37.domaincontrol.com,ns37.domaincontrol.com - 93.90.223.185<\/pre>\n\n\n\n
addatamarket.net\nbackuprabbit.com\nbusinessvideonews.com\ncloudsponcer.com\ndatamarketplace.net\nmobilegamerstats.com\nsnoweeanalytics.com\ntagclick-cdn.com\ntopographyupdates.com\nunlimitedteacup.com\nvirtuallaughing.com\nweb-trackers.com\ngrowthtransport.com\nanstv.net\nans7tv.net<\/pre>\n\n\n\n
107.161.23.204\n198.251.81.30\n209.141.38.71\n34.98.99.30\n172.67.184.201\n104.21.76.6\n172.67.141.199\n104.21.27.67\n172.67.145.72\n104.21.55.58\n104.21.60.240\n172.67.202.140\n15.164.228.250\n209.141.38.71\n198.251.81.30\n93.90.223.185<\/pre>\n\n\n\n
for i in `cat bad.txt` ; do dig $i a +short >> badips.lst; done<\/code><\/pre>\n\n\n\nCheck DNS logs<\/h2>\n\n\n\n
# list=\"\"addatamarket.net\"\n\"backuprabbit.com\"\n\"businessvideonews.com\"\n\"cloudsponcer.com\"\n\"datamarketplace.net\"\n\"mobilegamerstats.com\"\n\"snoweeanalytics.com\"\n\"tagclick-cdn.com\"\n\"topographyupdates.com\"\n\"unlimitedteacup.com\"\n\"virtuallaughing.com\"\n\"web-trackers.com\"\n\"growthtransport.com\"\n\"anstv.net\"\n\"ans7tv.net\"\"\n\n# for domain in $list; do echo $domain && sudo grep -i $domain \/var\/log\/named.log; done<\/pre>\n\n\n\n
Setup Mikrotik capture traffic<\/h2>\n\n\n\n
\/tool sniffer\nset file-limit=32000KiB file-name=Triangulation filter-ip-address=\"107.161.23.20\\\n 4\/32,198.251.81.30\/32,209.141.38.71\/32,34.98.99.30\/32,172.67.184.201\/32,104.\\\n 21.76.6\/32,172.67.141.199\/32,104.21.27.67\/32,172.67.145.72\/32,104.21.55.58\/3\\\n 2,104.21.60.240\/32,172.67.202.140\/32,15.164.228.250\/32,209.141.38.71\/32,198.\\\n 251.81.30\/32,93.90.223.185\/32\" <\/pre>\n\n\n\n
\/tool\/sniffer\/start<\/pre>\n\n\n\n
Resolution<\/h2>\n\n\n\n