The U.S. Cybersecurity and Infrastructure Security Agency has instructed federal agencies to urgently patch three iOS security vulnerabilities that are being actively exploited in cyberespionage and cryptocurrency theft attacks.
The vulnerabilities are part of a larger exploit framework known as Coruna, which researchers say targets multiple weaknesses in Apple’s mobile operating system. According to Google Threat Intelligence Group researchers, the exploit kit uses several attack chains designed to take advantage of 23 different iOS vulnerabilities, many of which were previously used in zero-day attacks.
Coruna allows attackers to defeat several security protections built into iOS: it bypasses Pointer Authentication Code protections, escapes Apple’s application sandbox, and bypasses the Page Protection Layer security feature. With these capabilities, attackers can execute malicious code through the WebKit browser engine and potentially escalate privileges all the way to the device’s kernel.
Researchers observed the Coruna exploit kit being used by several threat actors during the past year. These included a customer of a commercial surveillance vendor, a suspected Russian state-backed hacking group known as UNC6353, and a financially motivated Chinese cybercriminal group identified as UNC6691.
The Chinese group reportedly used the exploit kit through fake gambling and cryptocurrency-related websites. Victims who visited these sites could unknowingly receive malware designed to steal cryptocurrency wallet data from their devices.
Mobile security company iVerify warned that Coruna demonstrates how advanced spyware technology originally developed by surveillance vendors is spreading to nation-state actors and eventually to cybercriminal groups operating at large scale.
In response to the threat, CISA added three of the exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. The agency ordered Federal Civilian Executive Branch agencies to secure their devices by March 26 under Binding Operational Directive 22-01.
CISA advised agencies to apply security updates provided by Apple and follow official mitigation guidance. If a fix is not available, organizations may need to stop using affected systems until protections are in place.
Although the directive only applies to federal agencies, CISA strongly encouraged private companies and other organizations to patch the vulnerabilities as soon as possible. The agency warned that flaws like these are commonly targeted by attackers and can pose serious risks to devices that remain unprotected.
Researchers also noted that the Coruna exploit chain does not work on newer versions of iOS. The attacks can also be blocked if users enable Apple’s Lockdown Mode or use private browsing features that limit exposure to malicious web content.





