Government-grade iPhone kit spread to hackers: reports

Google’s Threat Intelligence Group and security firm iVerify have shared details about Coruna, an exploit kit that includes multiple vulnerabilities to target iPhones running older versions of iOS. Here are the details.
Under the hat
A post published today on the Google Cloud Blog details an exploit kit called Coruna, which uses five iOS full chains and 23 vulnerabilities to compromise unpatched iPhones running iOS 13 through iOS 17.2.1.
At the highest level, the Coruna exploit kit works by bundling multiple vulnerabilities to slowly break the iPhone’s security layers.
After visiting a malicious site that uses hidden JavaScript to check the device model, system version, and other security settings, an attack can take multiple routes to bypass iOS’s key protections, gain elevated privileges, and install malware that can collect data or download additional modules.
Interestingly, Google notes that the exploit checks whether the device has Lockdown Mode enabled, or whether the user is in private browsing mode, and aborts the process in either case.
To be clear, the exploit kit targets iPhones running older versions of iOS and does not work against the latest versions of the system. This is one of the many reasons why it is important to keep one’s device updated.
For a more in-depth look at how Coruna works, and a full list of vulnerabilities (and their CVEs, if available) that target each iOS release between iOS 13 and iOS 17.2.1, check out the full post on the Google Cloud Blog.
Behind the scenes
Alongside Google’s post, mobile security firm iVerify also published a report on Coruna, providing more context about its origins.
Based on its version of the framework, iVerify says Coruna appears to be built on the same foundations as known US government hacking tools.
From the iVerify report:
This is the first major exploitation of mobile phones, including iOS, by a hacking group using tools that may have been developed by a country.
What they’re referring to is that, despite Coruna appearing to initially share hacking tools with links to the US government, it appears to have been leaked at some point and ended up in the hands of Russian spy campaigns and China-based hackers.
The report, following iVerify’s report last year, shows that the spyware has gone beyond the usual public targets such as journalists, dissidents and criminal operators, hitting executives in technology and financial services, political campaigns, and other people with influence or special access. The wider the usage, the more likely a leak becomes.
In the targeted campaigns, iVerify and Google said the exploit kit was delivered through “watering hole” attacks on vulnerable websites, including fake cryptocurrency services designed to lure victims to malicious pages.
In these campaigns, the final payload appears to be financially motivated, with modules designed to extract cryptocurrency wallet data and recovery phrases from infected devices.
To read the full iVerify report, follow this link.