The Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding directive to U.S. federal agencies, mandating the application of security patches for three critical iOS vulnerabilities. These flaws, exploited in a sophisticated manner over a ten-month period, have been at the center of hacking campaigns conducted by three distinct groups, raising questions about the security of Apple devices and the proliferation of advanced hacking tools.
The Google Discovery and the CISA Alert
The discovery of these hacking campaigns was made public thanks to a detailed report from Google. The campaigns used Coruna, an advanced hacking kit that integrated a total of 23 separate iOS exploits into five exploit chains. Although some of the vulnerabilities had been previously exploited in independent and unrelated campaigns, all had been patched by the time Google observed their exploitation by Coruna. Even so, the kit represented a formidable threat, given the high quality of the exploit code and its wide range of capabilities, especially against older versions of iOS.
The Coruna Kit and its Capabilities
The primary technical value of this exploit kit lies in its comprehensive collection of iOS exploits. Google researchers highlighted the presence of extensive documentation, including docstrings and comments written in native English. The most advanced exploits use non-public exploitation techniques and mitigation bypasses. Coruna also stands out for its use of a previously unseen JavaScript framework that employs a unique obfuscation method to hinder detection and reverse engineering. Once activated, this framework runs a fingerprinting module to gather device information, then loads a WebKit exploit suited to that device and bypasses a known defense, pointer authentication codes (PAC).
The Proliferation of Exploits and the Implications
A particularly concerning aspect is the use of Coruna by three distinct hacking groups. Google first detected its use in February of last year, in an operation conducted by a customer of a surveillance vendor. Subsequently, in July 2023, a suspected Russian espionage group exploited one of the vulnerabilities in targeted attacks on websites frequented by Ukrainian targets. Finally, in December 2023, a financially motivated threat actor from China used the kit, allowing Google to recover the entire exploit kit. This suggests an active market for second-hand zero-day exploits. Google researchers recovered all the obfuscated exploits, including the final payloads, discovering that the exploit kit was likely called Coruna internally. In total, several hundred samples were collected, covering a total of five complete iOS exploit chains. The exploit kit is capable of targeting various iPhone models with iOS from version 13.0 up to version 17.2.1.
CISA's Actions and Recommendations
CISA has added three of the vulnerabilities to its Known Exploited Vulnerabilities catalog. The directive instructs federal agencies to apply mitigations according to the vendor's instructions, follow applicable guidance for cloud services, or discontinue use of the product if mitigations are not available. CISA warned that these vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. It is crucial that organizations take these recommendations seriously and apply the necessary security patches to protect their systems and data.
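The two operational facts above that a defender can act on are the iOS version window the report attributes to Coruna (13.0 through 17.2.1) and CISA's instruction to patch, mitigate, or retire affected devices. The following Python script is an added example, not code from Google, CISA or the article: it takes a constructed device inventory (the kind an MDM export would give you), parses each iOS version string, and sorts devices into those inside the reported window, those outside it, and those whose version could not be read. The inventory rows and device names are hypothetical; the version bounds are the ones the article states.

```python
"""Triage a managed iOS fleet against the version window the report
attributes to the Coruna kit (iOS 13.0 through 17.2.1, inclusive).

The inventory below is constructed for this example. Devices above the
window are reported as outside the reported target range, not as proven
safe; devices below it still need the vendor's guidance.
"""
from typing import Dict, List, Tuple

# Version window stated in the article (hypothetical inventory, real bounds).
AFFECTED_MIN = (13, 0, 0)   # lowest iOS version the report says Coruna targets
AFFECTED_MAX = (17, 2, 1)   # highest iOS version the report says Coruna targets

# Constructed sample inventory; device names and versions are made up.
SAMPLE_INVENTORY = [
    {"device": "fed-iphone-001", "os": "iOS 16.5.1"},
    {"device": "fed-iphone-002", "os": "17.2.1"},      # upper bound is inclusive
    {"device": "fed-iphone-003", "os": "17.3"},        # above the reported window
    {"device": "fed-iphone-004", "os": "iOS 12.5.7"},  # below the reported window
    {"device": "fed-iphone-005", "os": "unknown"},     # MDM field missing
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'iOS 17.2' or '17.2.1' into a comparable (major, minor, patch) tuple.

    Missing components are padded with 0 so '17.2' compares as 17.2.0.
    Raises ValueError on anything that is not one to three numeric parts.
    """
    cleaned = text.lower().replace("ios", "").strip()
    parts = cleaned.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def in_affected_range(version: str) -> bool:
    """True if the version lies inside the reported Coruna target window."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket devices the way the CISA directive is acted on.

    'patch_or_retire' devices are inside the reported window and must be
    updated per vendor instructions or taken out of service; 'outside_range'
    devices are not in the reported window; 'unparseable' rows need a
    manual look because the version field could not be read.
    """
    result: Dict[str, List[str]] = {
        "patch_or_retire": [],
        "outside_range": [],
        "unparseable": [],
    }
    for row in inventory:
        try:
            bucket = "patch_or_retire" if in_affected_range(row["os"]) else "outside_range"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(row["device"])
    return result


if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

Tuple comparison does the semantic version ordering, which is why the script pads short versions rather than comparing strings (string comparison would rank "17.10" below "17.2"). Unreadable version fields go to their own bucket instead of being silently treated as safe, since an empty MDM field is exactly where an unpatched device tends to hide.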