CISA has issued a warning to federal agencies regarding the exploitation of three iOS security flaws by the Coruna exploit kit. These flaws are being used in cyberespionage and cryptocurrency theft attacks. The Coruna exploit kit leverages multiple exploit chains targeting numerous iOS vulnerabilities, some of which were exploited as zero-days at the time. The kit provides capabilities such as Pointer Authentication Code (PAC) bypass, sandbox escape, and Page Protection Layer (PPL) bypass, enabling remote code execution and privilege escalation to the kernel on vulnerable devices. Threat actors observed using Coruna include a customer of a surveillance vendor, a suspected Russian state-backed group (UNC6353), and a financially motivated Chinese threat actor (UNC6691). The latter group deployed it on fake gambling and crypto websites to deliver malware designed to steal cryptocurrency wallets.
Reconnaissance: Identifying Vulnerable iOS Devices (confidence: likely)
Threat actors identified and targeted specific iOS vulnerabilities, including three that were later added to CISA's Known Exploited Vulnerabilities catalog. These vulnerabilities were part of the Coruna exploit kit.