That one of the bigger security companies seemingly didn't have MDM screaming bloody murder or outright blocking authentication for an endpoint this out of date is more than a little concerning.
Props to their SIEM for detecting it in the end, but this seems like it could've been detected and remediated a few weeks in (assuming it didn't also have the ability to spoof the iOS version).
> We identified that the latest version of iOS that was targeted by Triangulation is 15.7. However, given the sophistication of the cyberespionage campaign and the complexity of analysis of iOS platform, we can’t guarantee that other versions of iOS are not affected.
Indeed, the identified fix involves a factory reset and upgrading iOS to prevent the malware from taking over again.
That provides a simple explanation for why the phones are running such an old version: because they've been infected and unable to be updated for that entire time.
I guess execs at security firms are no better than average people when it comes to noticing that their phones never got the various new features (end emojis!) from the last year of OS updates.
> We have developed and made freely available the triangle_check utility, that can detect indicators of compromise in an Apple device backup. Detailed instructions on how to use it under different OSs (Windows, Linux and macOS), as well as how to create a device backup can be found in a post on Securelist. [1]
Props to their SIEM for detecting it in the end, but this seems like it could've been detected and remediated a few weeks in (assuming it didn't also have the ability to spoof the iOS version).