
"Coruna contains exploits targeting 23 vulnerabilities in iOS versions spanning four years, namely iOS 13.0 to iOS 17.2.1, but is ineffective against the latest iterations of Apple's mobile platform. It has been used by multiple threat actors, including the customer of a spyware vendor, a Russian espionage group, and a financially motivated Chinese group."
"Likely built using 'second-hand' zero-day exploits, Coruna fingerprints devices to load the appropriate WebKit remote code execution (RCE) exploit, bypasses various platform mitigations, and injects a payload in the 'powerd' daemon running as root. The payload targets the victim's financial information and can also load additional modules for exfiltrating cryptocurrency wallets and sensitive information from multiple applications."
"There appear to have been no public reports of the exploitation of the remaining three CVEs, namely CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000, before this week's revelations of the Coruna iOS exploit kit targeting them. Now that CISA has added all three iOS flaws to the KEV catalog, federal agencies have three weeks to identify within their environments any vulnerable devices and to patch them."
CISA expanded its Known Exploited Vulnerabilities list with five flaws, including three iOS bugs targeted by the Coruna exploit kit. Coruna contains exploits for 23 iOS vulnerabilities spanning versions 13.0 to 17.2.1, though it fails against the latest iOS releases. Multiple threat actors have deployed Coruna, including a spyware vendor's customer, a Russian espionage group, and a financially motivated Chinese group. The kit fingerprints the device to select the matching WebKit remote code execution exploit, bypasses platform mitigations, and injects a payload into the root-level powerd daemon; that payload targets financial information and can load further modules to exfiltrate cryptocurrency wallets and sensitive application data. Of the 23 targeted vulnerabilities, 12 have CVE identifiers assigned, and all have been patched. Three of those CVEs had no previously reported exploitation before Coruna's discovery. Under Binding Operational Directive 22-01, federal agencies must identify and patch vulnerable devices within three weeks.
Read at SecurityWeek