
**Coruna: A Novel Exploit Kit Targeting Legacy iPhones**
The Threat Intelligence Team at Google, in partnership with the security firm iVerify, has disclosed information regarding an advanced exploit kit identified as Coruna. This toolkit is crafted to target several vulnerabilities in iPhones operating on outdated iOS versions, particularly those ranging from iOS 13 to iOS 17.2.1.
### Technical Insights
Coruna functions by interlinking five distinct iOS exploit chains and utilizing 23 vulnerabilities to compromise the security of unpatched iPhones. The attack initiates when a user navigates to a malicious website that uses concealed JavaScript to collect data about the device, such as its model, system version, and security configurations. Utilizing this collected data, the exploit can traverse different routes to circumvent essential iOS security measures, elevate privileges, and deploy malware capable of gathering data or fetching additional harmful modules.
Importantly, the exploit kit checks whether Lockdown Mode is active on the device or whether the user is in private browsing mode, and halts the attack if either condition applies. This underscores the need to keep devices up to date, as the exploit is ineffective against the newest iOS versions.
For an in-depth analysis of Coruna’s functionality and a comprehensive list of the vulnerabilities it exploits, readers are encouraged to consult the full article on the Google Cloud Blog.
### Background Information
iVerify has issued a report concerning Coruna, shedding light on its possible origins. Their reverse-engineering investigations imply that Coruna has foundational similarities with established hacking tools linked to the US government. This represents the first notable widespread exploitation of mobile devices, including iOS smartphones, by a criminal organization employing tools potentially created by a nation-state.
The report suggests that, despite Coruna's apparent connections to US government tools, it has been employed in operations by Russian operatives and cybercriminals based in China. The extensive deployment of such tools raises alarm over potential leaks, as indicated by previous findings that spyware has increasingly targeted powerful individuals beyond traditional subjects such as journalists and dissidents.
iVerify and Google have observed that Coruna has been distributed via “watering hole” attacks, where compromised websites attract victims, including fraudulent cryptocurrency services that lead users to harmful pages. These operations appear to be primarily financially motivated, with components intended to extract cryptocurrency wallet information and recovery phrases from affected devices.
For additional information, readers can review iVerify’s complete report.
### Summary
The rise of the Coruna exploit kit highlights the persistent risks faced by users of outdated iOS versions. Keeping devices updated is vital to protect against such advanced assaults. As cyber threats advance, awareness and proactive strategies continue to be crucial for safeguarding personal and sensitive data.
