Full Report
Apple is encouraging people to update their iPhones in light of new cybersecurity research that suggests that Russian intelligence, Chinese cybercriminals and other hackers have been using tools nicknamed DarkSword and Coruna to take over phones running older versions of the iOS operating system. The tools, called exploit kits, have been detailed this month by Google and…
Analysis Summary
# Vulnerability: Exploitation of iOS via DarkSword and Coruna Exploit Kits
## CVE Details
* **CVE ID:** Not explicitly named in the summary (Note: These kits typically leverage chains of previously disclosed "N-Day" vulnerabilities such as CVE-2023-41993, CVE-2023-41991, and CVE-2023-41992).
* **CVSS Score:** N/A (Exploit kits utilize multiple vulnerabilities, often reaching Critical scores of 8.8–9.8).
* **CWE:** Typically involves CWE-787 (Out-of-bounds Write) or CWE-843 (Type Confusion) within WebKit or the Kernel.
## Affected Systems
* **Products:** Apple iPhone and iPad.
* **Versions:** Devices running older, unpatched versions of iOS (specifically those prior to recent security baseline updates).
* **Configurations:** No special configuration is required; these kits typically rely on "drive-by" infection from a malicious or compromised web page.
## Vulnerability Description
The "DarkSword" and "Coruna" tools are sophisticated exploit kits designed for surveillance and intelligence gathering. Technically, these kits use "exploit chains": a series of vulnerabilities chained together, first compromising the web browser engine (WebKit) to gain initial code execution, then using kernel-level exploits to escape the security sandbox. Once the full chain has executed, the attacker holds "root" or "kernel" privileges, which amounts to full device takeover.
## Exploitation
* **Status:** **Exploited in the wild.** Active campaigns attributed to Russian intelligence and Chinese cybercriminals.
* **Complexity:** Low for the victim (opening a malicious link is sufficient); High for the attacker, who must develop and maintain the chain.
* **Attack Vector:** Network (typically via malicious links or compromised websites).
## Impact
* **Confidentiality:** **Total.** Attackers can access Wi-Fi passwords, text messages, call history, location history, browser history, Health data, notes, and calendar databases.
* **Integrity:** **Total.** The kits allow for the modification of system files and the installation of persistent surveillance software.
* **Availability:** **High.** The ability to execute code at the root level allows attackers to disable device functions or lock out users.
## Remediation
### Patches
* **Users must update to the latest version of iOS (currently iOS 17.x or 18.x depending on device age).**
* Apple has released patches for the underlying vulnerabilities leveraged by these kits in recent security updates.
### Workarounds
* Enable **Lockdown Mode** if you are at high risk of targeted attacks (this disables certain web technologies used by exploit kits).
* Avoid clicking links from unknown or suspicious sources in SMS, Email, or Messaging apps.
## Detection
* **Indicators of compromise:** Unusual battery drain, device overheating, or unexpected reboots.
* **Detection methods and tools:**
  * **iVerify:** A mobile security tool that can scan for traces of the DarkSword implant.
  * **Lookout:** Mobile Endpoint Security provides detection for the network infrastructure associated with these kits.
## References
* Google Threat Analysis Group: hxxps[://]cloud[.]google[.]com/blog/topics/threat-intelligence/darksword-ios-exploit-chain
* iVerify Research: hxxps[://]iverify[.]io/press-releases/iverify-details-darksword-second-mass-attack-against-ios-disclosed-in-two-weeks
* Lookout Threat Intelligence: hxxps[://]www[.]lookout[.]com/threat-intelligence/article/darksword
* NBC News Report: hxxps[://]www[.]nbcnews[.]com/tech/security/apple-iphone-users-update-software-hacking-campaigns-rcna264199