The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive requiring U.S. federal agencies to patch three critical iOS vulnerabilities. These flaws have been actively exploited in cyberespionage and cryptocurrency theft campaigns, leveraging the Coruna exploit kit. The vulnerabilities pose significant risks to devices running outdated iOS versions, making immediate action essential.
Coruna, a sophisticated exploit kit, targets 23 iOS vulnerabilities, many of which were exploited as zero-day flaws. According to Google Threat Intelligence Group (GTIG), the kit enables attackers to bypass security measures such as Pointer Authentication Code (PAC), escape sandboxes, and exploit Page Protection Layer (PPL) weaknesses. These capabilities allow threat actors to execute remote code via WebKit and escalate privileges to the Kernel level on vulnerable devices.
How Coruna Exploit Kit Is Used
Coruna has been observed in operations by various threat actors, including nation-state groups and financially motivated cybercriminals. Notably, a suspected Russian-backed group (UNC6353) and a Chinese threat actor (UNC6691) have utilized Coruna. The latter deployed the exploit kit on fraudulent gambling and cryptocurrency websites to deliver malware designed to steal cryptocurrency wallets from victims.
Mobile security experts at iVerify have described Coruna as a spyware-grade tool that has transitioned from commercial surveillance vendors to widespread criminal use. This shift highlights the growing accessibility of advanced cyberattack tools to a broader range of malicious actors.
CISA’s Response and Mandates
In response to the threat, CISA has added three of the Coruna-related vulnerabilities to its Known Exploited Vulnerabilities catalog. Federal Civilian Executive Branch (FCEB) agencies have been instructed to secure their devices by March 26, 2026, as per Binding Operational Directive (BOD) 22-01. The directive emphasizes the importance of applying vendor-recommended mitigations or discontinuing the use of affected products if fixes are unavailable.
CISA has also urged private sector organizations to prioritize patching these vulnerabilities. While the directive is mandatory for federal agencies, the risks posed by these flaws extend to all organizations using vulnerable iOS devices. Implementing updates and enabling features like Apple’s Lockdown Mode can significantly reduce exposure to these threats.
Broader Implications for Cybersecurity
The Coruna exploit kit underscores the evolving nature of cyber threats and the importance of proactive security measures. As advanced tools become more accessible, organizations must remain vigilant in addressing vulnerabilities promptly. Regular updates, robust security configurations, and employee awareness are crucial in mitigating risks associated with such exploits.
For additional insights into securing devices and mitigating vulnerabilities, CISA’s official guidance provides detailed recommendations. Comprehensive understanding and timely action can help organizations safeguard their systems against emerging threats.
- CPUID Compromise Served Malware Through Official CPU-Z and HWMonitor Downloads
- FBI and CISA Warn Iran-Affiliated Actors Are Targeting PLCs Across U.S. Critical Infrastructure
- North Korea Hackers Tied to Axios npm Package Supply Chain Attack
- Axios Supply Chain Attack Pushes RAT Malware Through npm Install
- FBI Director Hacked by Iranian Hackers in Personal Gmail Leak
Related Posts
