Feds Probe Mysterious iOS Vulnerabilities Under Attack

Summary
– CISA has ordered federal agencies to patch three critical iOS vulnerabilities that were exploited by three distinct hacking groups over ten months.
– Google reported these groups used the “Coruna” exploit kit, which combined 23 iOS exploits into five powerful chains, posing a major threat to older iOS versions.
– The Coruna kit’s technical value lies in its well-documented, advanced exploits, some of which use non-public techniques and mitigation bypasses, with documentation written in fluent English.
– CISA added the vulnerabilities to its catalog, requiring federal agencies to patch them and advising all organizations to do the same, as they affect iOS versions 13 through 17.2.1.
– The kit includes a novel, obfuscated JavaScript framework that fingerprints devices and then loads tailored WebKit exploits and security bypasses.
Federal agencies are now under a mandatory directive to address three critical security flaws in Apple’s iOS operating system. These vulnerabilities were actively exploited over a ten-month period by multiple distinct hacking groups using a sophisticated toolkit. The Cybersecurity and Infrastructure Security Agency (CISA) has added these specific weaknesses to its official catalog of known exploited vulnerabilities, compelling all federal bodies to apply the necessary patches immediately. The agency strongly recommends that all organizations follow this urgent security guidance to protect their systems and data from these confirmed threats.
The existence of these coordinated hacking campaigns was detailed in a recent report from Google. The attacks all leveraged a powerful collection of hacking tools known as Coruna. This kit bundled 23 individual iOS exploits into five highly effective chains designed to compromise devices. While Apple had already patched the vulnerabilities by the time Google observed Coruna’s use, the kit remained a severe threat to any device running older, unpatched versions of iOS. The quality of the exploit code and its broad range of capabilities made it particularly dangerous for outdated systems.
Google’s analysis highlighted the exceptional nature of the Coruna toolkit. Researchers noted that its core value lies in a comprehensive library of iOS exploits, many of which included detailed documentation written in fluent English. The most advanced components utilized non-public exploitation techniques and methods to bypass standard security mitigations, indicating a high level of sophistication.
The three vulnerabilities now mandated for patching affect iOS versions 13 through 17.2.1. Devices running iOS versions beyond 17.2.1 are not susceptible to these specific exploits. Furthermore, the attack methods are ineffective if a device has Apple’s Lockdown Mode enabled or if a web browser is set to private browsing mode, offering users additional layers of protection.
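For fleet triage, the affected range and the Lockdown Mode mitigation above translate into a simple inventory check. The following is an added example, not code from the article or from Google’s report; the device names and versions in the sample inventory are constructed.

```python
"""Triage helper: flag devices whose iOS version falls in the range the
article reports as affected (iOS 13 through 17.2.1), treating Lockdown Mode
as mitigating per the same report. Added example, not from the article."""
from typing import NamedTuple

AFFECTED_MIN = (13, 0, 0)   # lowest version the article names as affected
AFFECTED_MAX = (17, 2, 1)   # highest version the article names as affected


def parse_ios_version(text: str) -> tuple[int, int, int]:
    """Turn '17.2.1' or '16.4' into a zero-padded (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


class Device(NamedTuple):
    name: str
    ios_version: str
    lockdown_mode: bool = False


def triage(device: Device) -> str:
    """Classify a device as 'patch', 'mitigated' or 'ok' against the reported range."""
    v = parse_ios_version(device.ios_version)
    if not AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "ok"              # outside the range the article reports as affected
    if device.lockdown_mode:
        return "mitigated"       # article: Lockdown Mode blocks these exploit chains
    return "patch"               # in range, no mitigation: update iOS


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    Device("iphone-finance-01", "17.2.1"),
    Device("iphone-exec-02", "17.3"),
    Device("ipad-field-03", "16.6", lockdown_mode=True),
    Device("iphone-legacy-04", "12.5.7"),
]


def summarize(inventory: list[Device]) -> dict[str, list[str]]:
    """Group device names by triage result, in inventory order."""
    out: dict[str, list[str]] = {"patch": [], "mitigated": [], "ok": []}
    for d in inventory:
        out[triage(d)].append(d.name)
    return out


if __name__ == "__main__":
    for status, names in summarize(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(names) or '-'}")
```

Devices below iOS 13 are reported as "ok" only with respect to this range; they are out of support and should be retired on other grounds.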
Coruna’s advanced capabilities extended beyond standard exploit code. It incorporated a previously unseen JavaScript framework that employed a unique obfuscation method to evade detection and hinder reverse-engineering efforts. Once activated on a target device, this framework would first run a fingerprinting module to collect detailed information about the system. Based on the results of this reconnaissance, it would then dynamically load an appropriate WebKit browser exploit, followed by a specialized bypass for a key Apple defense mechanism known as pointer authentication codes (PAC).
(Source: Ars Technica)