Google’s Threat Intelligence Group and security company iVerify have shared details about Coruna, an exploit kit that chains multiple vulnerabilities to target iPhones running older iOS versions. Here are the details.
Under the hood
As spotted by Wired, a post published today on the Google Cloud Blog reveals details of an exploit kit called Coruna, which leverages five full iOS exploit chains and 23 vulnerabilities to compromise unpatched iPhones running iOS 13 through iOS 17.2.1.
At a very high level, the Coruna exploit kit works by chaining multiple vulnerabilities to progressively breach the iPhone’s security layers.
After visiting a malicious site that uses hidden JavaScript to check the device model, system version, and other security settings, the attack can take multiple routes to bypass core iOS protections, gain high-level privileges, and install malware that can collect data or even download additional modules.
Interestingly, Google notes that the exploit checks whether the device has Lockdown Mode enabled and aborts the process if so, or if the user is in private browsing mode.
To be clear, the exploit kit targets iPhones running older iOS versions and is ineffective against the latest system versions. This is one of the many reasons why it’s important to keep one’s devices updated.
For a much, much deeper look into how Coruna works, as well as the full list of the vulnerabilities (and their CVEs, when available) that target each individual iOS release between iOS 13 and iOS 17.2.1, check out the full post on the Google Cloud Blog.
Behind the scenes
Alongside Google’s post, mobile security company iVerify also published a report on Coruna, offering additional context about its possible origins.
Based on its reverse-engineering of the framework, iVerify says Coruna appears to have been built on the same foundations as known US government hacking tools.
From iVerify’s report:
This is the first observed mass exploitation of mobile phones, including iOS, by a criminal group using tools likely built by a nation-state.
What they refer to is that, despite Coruna’s apparent shared roots with other US-government-linked hacking tools, it appears to have leaked at some point and has been deployed in campaigns by Russian spies and China-based cybercriminals.
Report after report last year showed that spyware had moved beyond the expected targets in civil society such as journalists and dissidents in addition to criminal operatives, to hit executives in technology and financial services, political campaigns and other people of influence or with privileged access. The more widespread the use, the more certain a leak will occur.
In observed campaigns, iVerify and Google say the exploit kit was delivered via “watering hole” attacks on compromised websites, including fake cryptocurrency services designed to lure victims to malicious pages.
On these campaigns, the final payload appears financially motivated, with modules designed to extract cryptocurrency wallet data and recovery phrases from infected devices.
To read iVerify’s full report, follow this link.
Accessory deals on Amazon
FTC: We use income earning auto affiliate links. More.
