Triangulation Attacks - Coruna iOS Exploit Framework Evolved
Basically, a new tool is being used to hack iPhones without users knowing.
The Coruna exploit kit is linked to the Triangulation espionage campaign, targeting iPhones with zero-click exploits. This evolution poses serious risks to modern Apple devices, making updates essential. Stay informed and protect your devices against these sophisticated threats.
The Threat
The Coruna exploit kit has emerged as a significant threat, evolving from the infamous Operation Triangulation espionage campaign. Initially targeting iPhones with sophisticated zero-click iMessage exploits, Coruna has expanded its reach to modern Apple hardware, including the latest A17 and M3 chips. This exploit kit is not just a random collection of vulnerabilities; it represents a continuous evolution of a previously established framework, now armed with five full iOS exploit chains that leverage 23 vulnerabilities.
Researchers from Kaspersky have identified that Coruna utilizes updated versions of exploits previously employed in Triangulation, specifically CVE-2023-32434 and CVE-2023-38606. Their analysis reveals that the attack begins in Safari, where the exploit kit fingerprints the device and selects appropriate remote code execution (RCE) and PAC exploits, leading to a multi-stage attack process.
Who's Behind It
The developers of Coruna are believed to be the same threat actors behind Operation Triangulation. This connection became clear after researchers analyzed the binaries of Coruna, which revealed that it is not merely a patchwork of public exploits but a well-maintained evolution of the original framework. The espionage tool has transitioned into a more indiscriminate weapon, now being used in financially motivated campaigns, particularly targeting cryptocurrency theft through fake exchange websites.
Kaspersky's principal security researcher, Boris Larin, emphasizes that what began as a precision espionage tool is now being deployed broadly, raising alarms about its potential impact on users worldwide. The ongoing updates to the framework indicate a commitment to maintaining its effectiveness against the latest Apple devices and iOS versions.
Tactics & Techniques
Coruna employs a sophisticated multi-stage attack methodology. It starts with a stager that identifies the device and selects suitable exploits based on its architecture and iOS version. The payload then downloads additional encrypted components and decrypts them using ChaCha20. This complexity allows the exploit to bypass traditional security measures and deploy spyware implants effectively.
The targeted iOS versions range from those below iOS 14.0 beta 7 to iOS 17.2, indicating a wide net cast over many devices. The precision of these exploits demonstrates a deep understanding of Apple's hardware and software, making the Coruna exploit kit a formidable adversary in the realm of mobile cybersecurity.
Defensive Measures
In response to these threats, Apple has released security updates addressing the vulnerabilities exploited by Coruna. Users are strongly encouraged to update their devices to the latest iOS versions to mitigate the risk of exploitation. Additionally, awareness of suspicious links and unverified applications can help users protect themselves against such advanced threats.
As the landscape of mobile threats continues to evolve, staying informed and vigilant is crucial. Cybersecurity professionals and users alike should remain aware of the ongoing developments related to exploit kits like Coruna and the implications for mobile device security.
BleepingComputer