Google’s Threat Intelligence Group and security company iVerify have shared details about Coruna, an exploit kit that chains multiple vulnerabilities to target iPhones running older iOS versions. Here are the details.
Under the hood
like distinguished from Wiresa post published today on Google Cloud Blog reveals details of an exploit kit called Coruna, which uses five full iOS exploit chains and 23 vulnerabilities to compromise unpatched iPhones running iOS 13 through iOS 17.2.1.
At a very high level, the Coruna exploit kit works by chaining together multiple vulnerabilities to progressively breach the iPhone’s security layers.
After visiting a malicious site that uses hidden JavaScript to check the device model, system version, and other security settings, the attacker can take multiple routes to bypass core iOS defenses, gain high-level privileges, and install malware that can collect data or even download add-ons.
Interestingly, Google notes that the exploit checks if the device has locked mode enabled and aborts the process if so, or if the user is in private browsing mode.
To be clear, the exploit kit targets iPhones running older iOS versions and is ineffective against the latest versions of the system. This is one of the many reasons why it is important to keep your devices up to date.
For a much, much deeper look at how Coruna works, as well as the full list of vulnerabilities (and their CVEs, when available) that target each individual iOS version between iOS 13 and iOS 17.2.1, see full post on the Google Cloud blog.
Behind the scenes
In addition to Google’s post, mobile security company iVerify also published a report in Coruna, providing additional context for its possible origins.
Based on reverse-engineering the framework, iVerify says Coruna appears to be built on the same foundations as known US government hacking tools.
From the iVerify report:
This is the first observed mass exploitation of mobile phones, including iOS, by a criminal group using tools likely built by a nation-state.
What they’re referring to is that, despite Coruna’s apparent shared roots with other hacking tools linked to the US government, it appears to have been leaked at some point and planted in campaigns by Russian spies and cybercriminals based in China.
Report after report last year showed that spyware had moved beyond expected targets in civil society such as journalists and dissidents, in addition to criminal operatives, to hit executives in technology and financial services, political campaigns and other people with influence or privileged access. The more widespread the use, the more likely a leak will occur.
In the campaigns observed, iVerify and Google say the exploit kit was delivered through “waterhole” attacks on compromised websites, including fake cryptocurrency services designed to lure victims to malicious sites.
In these campaigns, the ultimate payload appears to be financially motivated, with modules designed to extract cryptocurrency wallet data and recovery phrases from infected devices.
To read the full iVerify report, follow this link.
Amazon accessory deals
FTC: We use automatic affiliate links to earn income. More.
