#FactCheck: Debunking the Edited Image Claim of PM Modi with Hafiz Saeed

Introduction

A zero-click cyber attack solely relies on software and hardware flaws, bypassing any human factor to infect a device and take control over its data. It is almost impossible to discover the attack and know that the device is hacked unless someone on your side is closely monitoring your network traffic data.

At Kaspersky, security analysts used their SIEM solution KUMA to monitor their corporate WiFi network traffic and discovered this mysterious attack. They took necessary actions to investigate it and even went a step further to dive right into the action and uncover the entire attack chain.

A few months ago, Kaspersky shared their findings about this attack on iOS devices. They shared how these zero-click vulnerabilities were being exploited by the attackers and called this attack ‘Operation Triangulation’.

A zero-click exploit in the network

Kaspersky detected a zero-click attack on the iPhones of their colleagues while monitoring their corporate WiFi network traffic. They managed to get detailed information on all the stages of the attack by simply identifying a pattern in the domain names flowing through their network. Although the attackers were quite experienced, their mistakes helped Kaspersky detect critical vulnerabilities in all iOS devices.

The name-pattern

These previously unsuspected domains had a similar name-style which consisted of two names and ended with ‘.com’, such as ‘backuprabbit.com’ and ‘cloudsponcer.com’. They were used in pairs, one for an exportation process and the other served as a command and control server. These domains showed high outbound traffic, they were registered with NameCheap and protected with Cloudflare.

The network pattern

Each time a connection to these suspicious domains was made, it was preceded by an iMessage connection which indicated these domains are being accessed by iOS devices. It was observed that the devices connected to these domains, downloaded attachments, performed a few requests to a first level domain which was an exploitation framework server, then made regular connections with the second level domain which was a command and control server controlled by the attackers.

Getting more information

To get more information about the attack all the infected devices were collected and backed up after carefully informing the device owners. Although the attackers had managed to clean their artefacts, the backed up data was used to perform digital forensic procedures and find traces of the attacks. This helped Kaspersky to figure out how the infection might be taking place.

The attacker’s mistakes

The attackers deleted all the attachment files and exploits but did not delete the modified SMS attachment folder. That folder had no files left inside it. The attackers removed evidence from other databases as well, like the ‘SMS.db’ database, however another database called ‘datausage.sqlite’ was not sanitised.

The ‘datausage.sqlite’ database is the most important database when it comes to iOS forensics as its contents can be used to track applications and network usage. Upon examination of this database, a process logged as ‘BackupAgent’ was found to be making network connections at the same time the device was making connections to the suspicious domains.

The indicator of compromise

‘BackupAgent’ stood out in this scenario because although it is a legitimate binary, it has been deprecated since iOS4 and it should not have been making any network connections. This identified the ‘BackupAgent’ process as the first solid indicator of compromise in Operation Triangulation. The indicator is termed as- ‘Data usage by process BackupAgent’, and was used to determine if any specific device was infected.

Taking it a step ahead

The team at Kaspersky successfully identified the indicator of compromise and determined which devices were infected, but as the attackers were experienced enough to delete their payloads, they decided to set a trap and perform a man-in-the-middle attack. When they did, the attackers were unable to detect it.

The man-in the-middle attack

Kaspersky prepared a server with ‘WireGuard’ and ‘mitmproxy’. They installed root certificates on devices that could be used as targets for the attackers and routed all the network traffic to that server. They also developed a ‘Telegram’ bot to notify them about new infections as they decrypted the network traffic.

Setting up a bot proved to be an effective way of real time monitoring while modifying all the network packets on-the-fly with ‘mitmproxy’, this gave them unlimited power! Their trap was successful in capturing a payload sent by the attackers and it was analysed in detail.

The name was in the payload

The payload was an HTML page with obfuscator javascript which performed various code checks and canvas footprinting. It rendered a yellow triangle and calculated its hash value. This is why the operation was named Operation Triangulation.

The team at Kaspersky started cracking various layers of asymmetric cryptography with regular expressions. They patched the stages one-by-one on the fly to move the logic from each stage to ‘mitmproxy’ and finally implemented a 400 line ‘mitmproxy’ add-on. This add-on decrypted all the validators, exploits, spyware and additional modules.

The mystery 

It is remarkable how Kaspersky detected the attack and identified multiple vulnerabilities, set up a trap to capture a payload and decrypted it completely. They shared all their findings with the device manufacturer and Apple responded by sending out a security patch update addressing four zero-day vulnerabilities. 

A zero-click vulnerability

Traditionally any spyware relies on the user to to click on a compromised link or file to initiate the infection. However a zero-click vulnerability is a specific flaw in the device software or hardware that the attacker can use to infect the device without the need for a click or tap from the user.

The vulnerabilities identified

1. Tricky Font Flaw (CVE-2023-41990): A clandestine method involving the manipulation of font rendering on iPhones, akin to a secret code deciphered by the attackers.Apple swiftly addressed this vulnerability in versions iOS 15.7.8 and iOS 16.3.

2. Kernel Trick (CVE-2023-32434): Exploiting a hidden language understood only by the iPhone's core, the attackers successfully compromised the kernel's integrity.Apple responded with fixes implemented in iOS 15.7.7, iOS 15.8, and iOS 16.5.1.

3. Web Sneakiness (CVE-2023-32435): Leveraging a clever ploy in the interpretation of web content by iPhones, the attackers manipulated the device's behaviour.Apple addressed this vulnerability in iOS 15.7.7 and iOS 16.5.1.

4. Kernel Key (CVE-2023-38606): The pinnacle of the operation, the attackers discovered a covert method to tamper with the iPhone's core, the kernel.Apple responded with a fix introduced in iOS 16.6, thwarting the intrusion into the most secure facets of the iPhone

Still, how these attackers were able to find this critical vulnerability in a device which stands out for it’s security features is still unknown.

CyberPeace Advisory

Zero-click attacks are a real threat, but you can defend yourself. Being aware of the risks and taking proactive steps can significantly reduce vulnerability. Regularly installing the latest updates for your operating system, apps, and firmware helps patch vulnerabilities before attackers can exploit them.

• Keep your software updated as they contain crucial security patches that plug vulnerabilities before attackers can exploit them.
• Use security software to actively scan for suspicious activity and malicious code, acting as a first line of defence against zero-click intrusions.
• Be cautious with unsolicited messages if the offer seems too good to be true or the link appears suspicious as it can contain malware that can infect your device.
• Disable automatic previews as it can potentially trigger malicious code hidden within the content.
• Be mindful of what you install and avoid unverified apps and pirated software, as they can be Trojan horses laden with malware.
• Stay informed about the latest threats and updates by following reliable news sources and security blogs to stay ahead of the curve, recognize potential zero-click scams and adjust your behaviour accordingly.

Check out our (advisory report)[add report link] to get in depth information.

Conclusion

Operation Triangulation stands as a testament to the continuous cat-and-mouse game between cybercriminals and tech giants. While the covert spy mission showcased the vulnerabilities present in earlier iPhone versions, Apple's prompt response underscores the commitment to user security. As the digital landscape evolves, vigilance, timely updates, and collaborative efforts remain essential in safeguarding against unforeseen cyber threats.

References:

1. Operation Triangulation: iOS devices targeted with previously unknown malware | Securelist, 1 June, 2023
2. Operation Triangulation: The last (hardware) mystery | Securelist, 27 December, 2023.
3. 37C3 - Operation Triangulation: What You Get When Attack iPhones of Researchers (youtube.com), 29 December,2023

Executive Summary:

A misleading video claiming to show fireworks at Dubai International Cricket Stadium following India’s 2025 ICC Champions Trophy win has gone viral, causing confusion among viewers. Our investigation confirms that the video is unrelated to the cricket tournament. It actually depicts the fireworks display from the December 2024 Arabian Gulf Cup opening ceremony at Kuwait’s Jaber Al-Ahmad Stadium. This incident underscores the rapid spread of outdated or misattributed content, particularly in relation to significant sports events, and highlights the need for vigilance in verifying such claims.

‍

‍

Claim: 

The circulated video claims fireworks and a drone display at Dubai International Cricket Stadium after India's win in the ICC Champions Trophy 2025.

‍

Fact Check:

A reverse image search of the most prominent keyframes in the viral video led it back to the opening ceremony of the 26th Arabian Gulf Cup, which was hosted by Jaber Al-Ahmad International Stadium in Kuwait on December 21, 2024. The fireworks seen in the video correspond to the imagery in this event. A second look at the architecture of the stadium also affirms that the venue is not Dubai International Cricket Stadium, as asserted. Additional confirmation from official sources and media outlets verifies that there was no such fireworks celebration in Dubai after India's ICC Champions Trophy 2025 win. The video has therefore been misattributed and shared with incorrect context.

‍

Fig: Claimed Stadium Picture

‍

‍

Conclusion:

A viral video claiming to show fireworks at Dubai International Cricket Stadium after India's 2025 ICC Champions Trophy win is misleading. Our research confirms the video is from the December 2024 Arabian Gulf Cup opening ceremony at Kuwait’s Jaber Al-Ahmad Stadium. A reverse image search and architectural analysis of the stadium debunk the claim, with official sources verifying no such celebration took place in Dubai. The video has been misattributed and shared out of context.

• Claim: Fireworks in Dubai celebrate India’s Champions Trophy win.
• Claimed On: Social Media
• Fact Check: False and Misleading

‍

Introduction

February marks the beginning of Valentine’s Week, the time when we transcend from the season of smog to the season of love. This is a time when young people are more active on social media and dating apps with the hope of finding a partner to celebrate the occasion. Dating Apps, in order to capitalise on this occasion, launch special offers and campaigns to attract new users and string on the current users with the aspiration of finding their ideal partner. However, with the growing popularity of online dating, the tactics of cybercriminals have also penetrated this sphere. Scammers are now becoming increasingly sophisticated in manipulating individuals on digital platforms, often engaging in scams, identity theft, and financial fraud under the guise of romance. As love fills the air, netizens must stay vigilant and cautious while searching for a connection online and not fall into a scammer’s trap. 

Here Are Some CyberPeace Tips To Avoid Romance Scams

• Recognize Red Flags of Romance Scams:- Online dating has made it easier to connect with people, but it has also become a tool for scammers to exploit the emotions of netizens for financial gain. They create fake profiles, build trust quickly, and then manipulate victims into sending money. Understanding their tactics can help you stay safe.
• Warning Signs of a Romance Scam:- If someone expresses strong feelings too soon, it’s a red flag. Scammers often claim to have fallen in love within days or weeks, despite never meeting in person. They use emotional pressure to create a false sense of connection.  Their messages might seem off. Scammers often copy-paste scripted responses, making conversations feel unnatural. Poor grammar, inconsistencies in their stories, or vague answers are warning signs. Asking for money is the biggest red flag. They might have an emergency, a visa issue, or an investment opportunity they want you to help with. No legitimate relationship starts with financial requests.
• Manipulative Tactics Used by Scammers:- Scammers use love bombing to gain trust. They flood you with compliments, calling you their soulmate or destiny. This is meant to make you emotionally attached. They often share fake sob stories. It could be anything ranging from losing a loved one, facing a medical emergency, or even being stuck in a foreign country. These are designed to make you feel sorry for them and more willing to help. Some of these scammers might even pretend to be wealthy, being investors or successful business owners, showing off their fabricated luxury lifestyle in order to appear credible. Eventually, they’ll try to lure you into a fake investment. They create a sense of urgency. Whether it’s sending money, investing, or sharing personal details, scammers will push you to act fast. This prevents you from thinking critically or verifying your claims.
• Financial Frauds Linked to Romance Scams:- Romance scams have often led to financial fraud. Victims may be tricked into sending money directly or get roped into elaborate schemes. One common scam is the disappearing date, where someone insists on dining at an expensive restaurant, only to vanish before the bill arrives. Crypto scams are another major concern. Scammers convince victims to invest in fake cryptocurrency platforms, promising huge returns. Once the money is sent, the scammer disappears, leaving the victim with nothing. 
• AI & Deepfake Risks in Online Dating:- Advancements in AI have made scams even more convincing. Scammers use AI-generated photos to create flawless, yet fake, profile pictures. These images often lack natural imperfections, making them hard to spot. Deepfake technology is also being used for video calls. Some scammers use pre-recorded AI-generated videos to fake live interactions. If a person’s expressions don’t match their words or their screen glitches oddly, it could be a deepfake.
• How to Stay Safe:-
  • Always verify the identities of those who contact you on these sites. A simple reverse image search can reveal if someone’s profile picture is stolen.
  • Avoid clicking suspicious links or downloading unknown apps sent by strangers. These can be used to steal your personal information.
  • Trust your instincts. If something feels off, it probably is. Stay alert and protect yourself from online romance scams.

Best Online Safety Practices

• Prioritize Social Media Privacy:- Review and update your privacy settings regularly. Think before you share and be mindful of who can see your posts/stories. Avoid oversharing personal details.
• Report Suspicious Activities:- Even if a scam attempt doesn’t succeed, report it. Indian Cyber Crime Coordination Centre (I4C) 'Report Suspect' feature allow users to flag potential threats, helping prevent cybercrimes.
• Think Before You Click or Download:- Avoid clicking on unknown links or downloading attachments from unverified sources. These can be traps leading to phishing scams or malware attacks.
• Protect Your Personal Information:- Be cautious with whom and how you share your sensitive details online. Cybercriminals exploit even the smallest data points to orchestrate fraud.

‍