A recent analysis by Kaspersky has uncovered that the iOS exploit kit known as Coruna includes updated versions of kernel exploits originally seen in Operation Triangulation. This sophisticated exploit kit, identified in mid-2023, is capable of compromising iOS devices through zero-click iMessage attacks.
Unveiling the Coruna Exploit Kit
In 2023, Kaspersky reported that several iOS devices belonging to its senior employees were infiltrated by a sophisticated exploit kit. Coruna, described as possessing nation-state level capabilities, targets 23 different iOS vulnerabilities, including CVE-2023-32434 and CVE-2023-38606. These kernel vulnerabilities were previously exploited as zero-day flaws in Operation Triangulation.
According to Kaspersky’s recent findings, Coruna employs an updated version of these known exploits, indicating a connection to past cyber-espionage activities. The kernel exploits within Coruna utilize the same exploitation framework and demonstrate code similarities with other elements of the kit.
Unified Exploitation Framework
Kaspersky’s investigation suggests that Coruna was designed around a single, cohesive exploitation framework rather than being a patchwork of unrelated components. This framework appears to be an evolved version of the one used in Operation Triangulation. Notably, the updated exploits now include checks for newer iOS versions and Apple processors, which further indicates that the various exploits share a common source code base.
The enhanced framework, initially developed for espionage, is now being leveraged by a broader spectrum of cybercriminals, exposing millions of users with unpatched devices to potential threats. Given its modular nature, Kaspersky anticipates other threat actors will adopt this framework for future attacks.
Wider Implications and Threats
Coruna has been linked to a Russian state-sponsored group, UNC6353, which has used it alongside another exploit kit, DarkSword, in cyber-attacks against Ukraine. Notably, a recent version of DarkSword was leaked on GitHub, potentially allowing less capable cybercriminals to exploit millions of vulnerable iOS devices.
The widespread availability of such powerful exploit kits underscores the urgent need for users to update their devices and for security measures to evolve in tandem with emerging threats. The ongoing risk to millions of devices highlights the critical nature of cybersecurity vigilance.
As these exploit kits become more accessible, the cybersecurity community must remain proactive in developing strategies to mitigate their impact and protect users worldwide.
