The Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) list to include five new security flaws. Among these are three significant vulnerabilities exploited by the Coruna iOS exploit kit, a tool known for its advanced targeting capabilities against Apple’s mobile operating system.
Coruna Exploit Kit Targets iOS Versions
The Coruna exploit kit has been used to exploit 23 different vulnerabilities across iOS versions 13.0 to 17.2.1; the latest versions of iOS are not affected. The kit has been deployed by several threat actors, including a spyware vendor’s client, a Russian espionage group, and a financially motivated Chinese organization.
Coruna operates by leveraging ‘second-hand’ zero-day vulnerabilities, allowing it to fingerprint devices and deploy suitable WebKit remote code execution (RCE) exploits. This sophisticated approach circumvents platform defenses to inject a payload into the ‘powerd’ daemon running at root level, primarily targeting financial data and sensitive information from various apps.
Security Flaws and Patching Efforts
Of the 23 vulnerabilities targeted by Coruna, 12 have been assigned CVE identifiers; the remaining publicly disclosed flaws have been addressed through patches without separate identifiers. Nine of the 12 were previously known to be exploited, often as zero-days, including notable CVEs such as CVE-2022-48503 and CVE-2024-23222.
Three additional CVEs (CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000) had no prior public reports of exploitation until the Coruna kit was found targeting them. Under Binding Operational Directive (BOD) 22-01, CISA’s inclusion of these flaws in the KEV list requires federal agencies to identify and patch vulnerable devices within three weeks.
Broader Implications and Recommendations
In addition to the iOS vulnerabilities, CISA has alerted organizations to older vulnerabilities in Hikvision and Rockwell products that have been actively exploited. While the directive primarily targets federal agencies, all organizations are encouraged to prioritize addressing vulnerabilities listed in the KEV catalog to mitigate potential threats.
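One way a defender can operationalize the KEV guidance above: parse the catalog feed, find which of the article’s iOS CVEs are listed, derive the three-week BOD 22-01 deadline from the entry’s date, and flag devices whose iOS version falls in the reported 13.0 to 17.2.1 range. This is an added example, not code from the article or from CISA; the field names follow CISA’s `known_exploited_vulnerabilities.json` feed, while the sample entries, dates, and the `CVE-0000-0000` placeholder are constructed.

```python
"""Added example: triage the article's iOS CVEs against a KEV catalog feed.
The SAMPLE_KEV_JSON below is constructed in the real feed's shape; it is not
CISA data, and its dates and third entry are placeholders."""
import json
from datetime import date, timedelta

# CVE identifiers named in the article.
CORUNA_CVES = {"CVE-2021-30952", "CVE-2023-41974", "CVE-2023-43000",
               "CVE-2022-48503", "CVE-2024-23222"}
CORUNA_MIN, CORUNA_MAX = (13, 0, 0), (17, 2, 1)   # inclusive range per the article
BOD_22_01_WINDOW = timedelta(weeks=3)            # remediation window per the article

# Constructed sample in the shape of known_exploited_vulnerabilities.json.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-30952", "vendorProject": "Apple", "product": "iOS",
     "dateAdded": "2030-01-01", "dueDate": "2030-01-22"},
    {"cveID": "CVE-2023-41974", "vendorProject": "Apple", "product": "iOS",
     "dateAdded": "2030-01-01", "dueDate": "2030-01-22"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCo", "product": "Demo",
     "dateAdded": "2030-01-01", "dueDate": "2030-01-22"},   # placeholder entry
]})


def kev_entries_for(feed_json, cve_ids):
    """Map cveID -> catalog entry for every tracked CVE present in the feed."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v for v in feed["vulnerabilities"] if v["cveID"] in cve_ids}


def not_yet_in_kev(feed_json, cve_ids):
    """Tracked CVEs absent from the feed: still worth patching, just not mandated."""
    return sorted(set(cve_ids) - set(kev_entries_for(feed_json, cve_ids)))


def remediation_deadline(entry):
    """dateAdded + three weeks, cross-checked against the feed's own dueDate."""
    deadline = date.fromisoformat(entry["dateAdded"]) + BOD_22_01_WINDOW
    if deadline != date.fromisoformat(entry["dueDate"]):
        raise ValueError(f"{entry['cveID']}: feed dueDate differs from 3-week window")
    return deadline


def parse_ios_version(text):
    """'17.2' -> (17, 2, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def in_coruna_range(version_text):
    """True when the device runs a build inside the reported affected range."""
    return CORUNA_MIN <= parse_ios_version(version_text) <= CORUNA_MAX
```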
The ongoing efforts to update and expand the KEV list underscore the critical need for organizations to maintain robust cybersecurity measures and ensure timely patch management to protect against emerging threats.
Related updates from Google and Apple highlight the broader industry trends, with insights into zero-day exploits and the importance of staying ahead of potential cyberattacks.
