CISA warns feds to patch iOS flaws exploited in crypto-theft attacks
Source: Bleeping Computer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch three iOS security flaws targeted in cyber‑espionage and crypto‑theft attacks using the Coruna exploit kit.
As Google Threat Intelligence Group (GTIG) researchers revealed earlier this week, Coruna uses multiple exploit chains targeting 23 iOS vulnerabilities, many of which were deployed in zero‑day attacks. However, the exploits will not work on recent versions of iOS and will be blocked if the target is using private browsing or has enabled Apple’s Lockdown Mode anti‑spyware protection feature.
Coruna provides threat actors with:
- Pointer Authentication Code (PAC) bypass
- Sandbox escape
- PPL (Page Protection Layer) bypass
These capabilities enable WebKit remote code execution and escalation to kernel privileges on vulnerable devices.
GTIG observed the exploit kit being used by multiple threat actors last year, including:
- A surveillance‑vendor customer
- A suspected Russian state‑backed hacking group (UNC6353)
- A financially motivated Chinese threat actor (UNC6691)
The latter deployed Coruna on fake gambling and crypto websites to deliver malware designed to steal victims’ cryptocurrency wallets.
Coruna attacks timeline (GTIG)
Mobile security firm iVerify also said that Coruna is an example of “sophisticated spyware‑grade capabilities” that migrated “from commercial surveillance vendors into the hands of nation‑state actors and, ultimately, mass‑scale criminal operations.”
On Thursday, CISA added three of the 23 Coruna vulnerabilities to its catalog of Known Exploited Vulnerabilities, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by March 26, as mandated by the Binding Operational Directive (BOD) 22‑01.
“Apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” CISA warned.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
Although BOD 22‑01 applies only to federal agencies, CISA urged all organizations, including private‑sector companies, to prioritize patching these flaws to secure their devices against attacks as soon as possible.