The Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch three critical iOS vulnerabilities that were exploited over a 10-month span in campaigns conducted by three distinct groups, according to a Google report.
All three operations relied on Coruna, an advanced exploit kit that aggregates 23 iOS exploits into five exploit chains. While some of the vulnerabilities had appeared as zero-days in earlier, unrelated campaigns, Google notes that all of them were patched by the time Coruna was observed exploiting them. When used against older iOS versions, Coruna’s codebase and capabilities still posed a serious threat.
Google researchers described Coruna as a “promiscuous” second-hand zero-day market, noting that it is extensively documented, including with English-language comments, and that its most advanced exploits employ non-public techniques and mitigation bypasses.
On Friday, CISA added three of the CVEs to its Known Exploited Vulnerabilities catalog, mandating patching for federal agencies under its authority and urging other organizations to do the same. The exploits affect iOS versions 13 through 17.2.1; later versions are not vulnerable. The exploits do not trigger when Apple Lockdown is active or when private browsing is enabled.
Coruna features a never-before-seen JavaScript framework that obfuscates its operations to evade detection. When activated, the framework fingerprints the device and then loads suitable WebKit exploits, followed by a bypass of a defense known as pointer authentication code.
Google also cataloged the 23 exploits within Coruna, including codename lists, illustrating the scale of the operation and suggesting a market for “second-hand” zero-days as multiple actors acquire and reuse advanced exploitation techniques.