CISA Mandates Patches for iOS Flaws Exploited by Sophisticated Coruna Kit
The Cybersecurity and Infrastructure Security Agency has issued a directive requiring federal agencies to address three critical vulnerabilities in iOS. These security flaws were actively exploited over a ten-month period by three separate hacking groups, as revealed in a report from Google published on Thursday.

All observed campaigns utilized a tool known as Coruna, an advanced hacking kit that compiled 23 distinct iOS exploits into five effective exploit chains. While some of these vulnerabilities had previously been exploited as zero-days in unrelated incidents, Apple had already released patches by the time Google detected their use within Coruna. Despite this, the kit remained a significant threat when targeting older iOS versions, due to the high quality of its exploit code and its broad range of capabilities.

Google researchers highlighted the technical sophistication of Coruna in their findings. “The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits,” they wrote. “The exploits feature extensive documentation, including docstrings and comments authored in native English. The most advanced ones are using non-public exploitation techniques and mitigation bypasses.”

On Friday, CISA added the three vulnerabilities to its catalog of known exploited vulnerabilities. This listing mandates that all federal agencies under CISA’s jurisdiction apply the necessary patches. The agency also recommended that all other organizations follow suit to mitigate risks.

The exploits are effective against iOS versions ranging from 13 to 17.2.1. Devices running versions beyond 17.2.1 are not vulnerable. Additionally, the exploits fail to activate when Apple Lockdown mode is enabled or when a browser is set to private browsing mode.
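The version range above is the practical triage criterion for a fleet: anything on iOS 13 through 17.2.1 needs patching first. The script below is an added example, not code from the article, CISA or Google. It assumes a device inventory exported as a list of dictionaries with `id` and `ios_version` fields (the inventory here is constructed) and treats 17.2.1 as the inclusive upper bound of the affected range, which is how the article's wording reads. Versions are compared as integer tuples rather than strings, because a string comparison would wrongly rank "17.10" below "17.2".

```python
"""Flag devices whose iOS version falls inside the range the article names."""
from typing import Iterable

# Affected range stated in the article: iOS 13 up to and including 17.2.1.
# The inclusive upper bound is an assumption about the article's wording.
MIN_AFFECTED = (13, 0, 0)
MAX_AFFECTED = (17, 2, 1)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '17.2.1', '16.4' or '13' into a 3-tuple so versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised iOS version: {text!r}")
    while len(parts) < 3:          # pad '16.4' to (16, 4, 0)
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version lies inside [13.0.0, 17.2.1]."""
    return MIN_AFFECTED <= parse_version(version) <= MAX_AFFECTED


def triage(inventory: Iterable[dict]) -> dict[str, list[str]]:
    """Split an inventory into affected, not affected and unparseable device ids.

    Devices with a missing or malformed version are reported separately rather
    than silently treated as safe, so they can be checked by hand.
    """
    result: dict[str, list[str]] = {"affected": [], "not_affected": [], "unparsed": []}
    for dev in inventory:
        try:
            affected = is_affected(dev["ios_version"])
        except (KeyError, ValueError, AttributeError):
            result["unparsed"].append(str(dev.get("id", "?")))
            continue
        result["affected" if affected else "not_affected"].append(dev["id"])
    return result


# Constructed sample inventory (hypothetical device ids, not real data).
SAMPLE_INVENTORY = [
    {"id": "ipad-001", "ios_version": "17.2.1"},   # last affected release
    {"id": "iphone-002", "ios_version": "17.3"},   # beyond 17.2.1, not affected
    {"id": "iphone-003", "ios_version": "12.5.7"}, # below iOS 13, outside range
    {"id": "iphone-004", "ios_version": "16.4"},   # affected
    {"id": "iphone-005", "ios_version": "n/a"},    # malformed, needs manual check
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Devices that land in `affected` are the patching priority; the `unparsed` bucket exists because an inventory gap should never be read as "safe".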

Coruna includes advanced features, such as a previously unseen JavaScript framework that employs a unique obfuscation method to evade detection and reverse engineering. Upon activation, this framework executes a fingerprinting module to collect device information. Based on the data gathered, it then loads the WebKit exploit that matches the device and iOS version, followed by a bypass for the security mechanism known as pointer authentication codes (PAC).