The Cybersecurity and Infrastructure Security Agency has directed federal agencies to apply patches for three critical iOS vulnerabilities. These flaws were actively exploited over a ten-month period by three separate hacking groups using the Coruna exploit kit.
Google disclosed these campaigns in a report published on Thursday. The Coruna kit compiled 23 distinct iOS exploits into five powerful exploit chains. While some vulnerabilities had previously been used as zero-days in unrelated attacks, all were patched before Google observed Coruna’s exploitation.
Despite patches being available, Coruna remained a significant threat to older iOS versions due to the high quality of its exploit code and broad capabilities. “The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits,” Google researchers noted. “The exploits feature extensive documentation, including docstrings and comments authored in native English. The most advanced ones are using non-public exploitation techniques and mitigation bypasses.”
On Friday, CISA added the three vulnerabilities to its catalog of known exploited flaws. This listing mandates that all federal agencies under CISA’s jurisdiction patch these issues. CISA also recommended that all other organizations follow suit.
The exploits target iOS versions ranging from 13 to 17.2.1. Devices running versions beyond 17.2.1 are not vulnerable. Additionally, the exploits fail to activate when Apple Lockdown mode is enabled or when a browser is set to private browsing.
Coruna includes advanced features such as a novel JavaScript framework with a unique obfuscation method to evade detection and reverse engineering. Upon activation, this framework executes a fingerprinting module to collect device information. Based on this data, it loads an appropriate WebKit exploit and then a bypass for pointer authentication code defenses.
