Full Report
CISA ordered U.S. federal agencies to patch three iOS security flaws targeted in cyberespionage and crypto-theft attacks using the Coruna exploit kit. [...]
Analysis Summary
# Vulnerability: Multiple iOS Exploits via Coruna Exploit Kit
## CVE Details
*Note: While 23 vulnerabilities are associated with the Coruna kit, CISA specifically highlighted the following three in this recent mandate.*
* **CVE ID:** CVE-2023-41974
* **CVSS Score:** 8.8 (High)
* **CWE:** CWE-416 (Use After Free)
* **CVE ID:** CVE-2021-30952
* **CVSS Score:** 7.8 (High)
* **CWE:** CWE-20 (Improper Input Validation)
* **CVE ID:** CVE-2023-43000
* **CVSS Score:** 7.8 (High)
* **CWE:** CWE-190 (Integer Overflow or Wraparound)
## Affected Systems
* **Products:** Apple iOS and iPadOS devices.
* **Versions:** Legacy versions of iOS (specific versions vary by CVE, but the kit targets up to iOS 16.x). Devices running iOS 17 and later are generally resistant to these specific exploit chains.
* **Configurations:** Devices browsing malicious web content or fake gambling/cryptocurrency websites.
## Vulnerability Description
These vulnerabilities are part of the "Coruna" exploit kit, a sophisticated framework that chains multiple flaws to achieve full device compromise.
* **WebKit RCE:** Initial access is gained through remote code execution vulnerabilities in the WebKit engine (e.g., CVE-2023-41974).
* **Sandbox Escape & Permission Escalation:** The kit utilizes flaws to bypass the application sandbox and escalate privileges to Kernel level.
* **Control Flow Protections:** It features capabilities to bypass Pointer Authentication Code (PAC) and Page Protection Layer (PPL), security measures designed to prevent unauthorized code execution and memory modification.
## Exploitation
* **Status:** Exploited in the wild. Used by commercial surveillance vendors, Russian state-backed groups (UNC6353), and Chinese financially motivated actors (UNC6691).
* **Complexity:** Low (for the attacker using the kit); High (technical sophistication of the exploit itself).
* **Attack Vector:** Network (Web-based via malicious or compromised URLs).
## Impact
* **Confidentiality:** Total (Spyware capabilities, data theft, and crypto-wallet extraction).
* **Integrity:** Total (Kernel-level access allows modification of system files).
* **Availability:** Total (Full device control by the attacker).
## Remediation
### Patches
* **iOS/iPadOS:** Update all devices to the latest available version (iOS 17.x or 18.x). CISA has mandated federal agencies to patch these by **March 26, 2026**.
* Verify that all Apple devices have received security updates released in late 2023 and 2024 which addressed these specific CVEs.
### Workarounds
* **Lockdown Mode:** Enabling Apple’s Lockdown Mode significantly reduces the attack surface and is reported to block Coruna exploits.
* **Private Browsing:** The exploit kit reportedly fails when the target uses Private Browsing modes.
## Detection
* **Indicators of Compromise:** Unusual battery drain, unexpected device reboots, or unauthorized transactions from cryptocurrency wallets stored on the device.
* **Detection Methods:**
* Mobile Security/MTR (Managed Threat Response) tools that monitor for kernel integrity violations.
* Monitoring for network traffic to known malicious gambling or cryptocurrency-themed domains used by threat actors like UNC6691.
## References
* [CISA Known Exploited Vulnerabilities Catalog] hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
* [Google Threat Intelligence Group Analysis] hxxps[://]blog[.]google/threat-analysis-group/
* [iVerify Blog on Coruna Kit] hxxps[://]iverify[.]io/blog/coruna-inside-the-nation-state-grade-ios-exploit-kit-we-ve-been-tracking
* [BleepingComputer Article] hxxps[://]www[.]bleepingcomputer[.]com/news/security/cisa-warns-of-apple-flaws-exploited-in-spyware-crypto-theft-attacks/