Apple Patches 'Coruna' Exploit Kit Targeting Legacy iOS Devices
Take action: If your organization has older iPhones or iPads that cannot run the current iOS, update them immediately to the latest security release for their branch, or retire them. These 'second-hand' exploits show that even old vulnerabilities are actively traded and reused in high-volume attacks against unsuspecting users.
Apple released critical security updates for older iPhone and iPad models to address "Coruna," a sophisticated exploit kit containing 23 vulnerabilities in five separate exploit chains.
Discovered by the Google Threat Intelligence Group and iVerify, the toolkit targets iOS versions 13 through 17.2.1. The exploit kit moved from commercial surveillance vendors to Russian espionage groups targeting Ukrainian users, and finally to Chinese cybercriminals focused on financial theft.
Vulnerabilities summary:
- CVE-2024-23222 (CVSS score 8.8) - A type confusion vulnerability in WebKit that allows arbitrary code execution when processing maliciously crafted web content. Attackers use this flaw to gain an initial foothold in the browser process, which serves as the entry point for the multi-stage exploit chain.
- CVE-2023-41974 (CVSS score 8.8) - A use-after-free vulnerability in the iOS Kernel that lets an application run arbitrary code with kernel privileges. By exploiting this memory management issue, attackers can break out of the application sandbox and gain full control over the underlying operating system.
- CVE-2023-43000 (CVSS score 8.8) - A use-after-free issue in WebKit where processing malicious web content leads to memory corruption. This vulnerability allows attackers to execute code within the browser context, facilitating the delivery of subsequent exploit stages.
- CVE-2023-43010 (CVSS score 8.8) - A memory handling vulnerability in WebKit that results in memory corruption during web content processing. This flaw is used to stabilize the exploit chain and ensure successful remote code execution on targeted devices.
The Coruna toolkit delivers a modular implant known as PlasmaLoader (or PLASMAGRID), which injects itself into the powerd root daemon to maintain persistence. This malware targets financial data by scanning for BIP39 mnemonic phrases and "backup phrases" within Apple Memos and other local files. It also includes specialized modules to hook into and steal data from over 18 different cryptocurrency wallet applications, including MetaMask, Trust Wallet, and Coinbase. Researchers estimate that the Chinese-led campaign alone may have compromised approximately 42,000 devices through infected gambling and crypto websites.
The security updates target legacy hardware that cannot run iOS 17 or iOS 18. Affected devices include:
- iPhone 6s, iPhone 7, and iPhone SE (1st generation)
- iPhone 8, iPhone 8 Plus, and iPhone X
- iPad Air 2 and iPad mini (4th generation)
- iPad (5th generation) and early iPad Pro models (9.7-inch and 12.9-inch 1st gen)
- iPod touch (7th generation)
Users of these older Apple devices should install iOS 15.8.7, iOS 16.7.15, or the corresponding iPadOS release immediately. For users who cannot update right away, Apple recommends enabling Lockdown Mode, which blocks the Coruna exploit kit's initial stages. Organizations should audit their mobile fleets for legacy devices, compare installed versions against these minimums numerically rather than as strings (as a string, "16.7.9" sorts after "16.7.15"), and enforce strict update policies so that these "second-hand" n-day exploits cannot be reused by other threat actors.
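The fleet audit described above, as an added example that is not the article's or Apple's code. It takes a constructed CSV standing in for an MDM inventory export, parses each OS version into numeric components (so 16.7.9 is correctly ranked below 16.7.15), and classifies each device against the minimum patched releases the article lists (iOS 15.8.7 and 16.7.15) and the kit's documented target range (iOS 13 through 17.2.1). The column names, the CSV rows and the status labels are assumptions for illustration.

```python
"""Flag iOS/iPadOS devices in an MDM inventory that are still exposed to Coruna.

Added example; not code from the article or from Apple. The minimum patched
builds (15.8.7, 16.7.15) and the targeted range (13.0 through 17.2.1) come from
the article. Column names and sample rows are constructed for illustration.
"""
import csv
import io
from typing import List, Tuple

Version = Tuple[int, int, int]

# Minimum patched release per major branch, per the article. Branches 13 and 14
# have no fix listed: devices on them must be upgraded or retired.
PATCHED_MIN = {15: (15, 8, 7), 16: (16, 7, 15)}
TARGET_LOW: Version = (13, 0, 0)
TARGET_HIGH: Version = (17, 2, 1)

# Constructed stand-in for an MDM export (assumed columns: serial, model, os_version).
SAMPLE_INVENTORY = """serial,model,os_version
C1,iPhone 8,16.7.15
C2,iPhone X,16.7.9
C3,iPhone 6s,15.8.7
C4,iPhone SE (1st generation),15.8.6
C5,iPad Air 2,15.8
C6,iPhone 11,17.2.1
C7,iPhone 12,17.2.2
C8,iPad mini (4th generation),14.8.1
"""


def parse_version(text: str) -> Version:
    """'16.7' -> (16, 7, 0). Compare tuples, never raw strings: '16.7.9' > '16.7.15' lexically."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def assess(version_text: str) -> str:
    """Classify one device's OS version against the article's figures.

    'patched'      : on a fixed branch at or above the minimum release
    'vulnerable'   : inside the targeted range and below the fix for its branch
                     (17.0-17.2.1 is targeted; update to a current 17.x release)
    'unsupported'  : iOS 13.x/14.x, targeted but with no fix listed here; retire
    'not-targeted' : outside 13.0-17.2.1 as documented; not proof of safety
    """
    v = parse_version(version_text)
    if not (TARGET_LOW <= v <= TARGET_HIGH):
        return "not-targeted"
    if v[0] in PATCHED_MIN:
        return "patched" if v >= PATCHED_MIN[v[0]] else "vulnerable"
    if v[0] == 17:
        return "vulnerable"
    return "unsupported"


def audit(inventory_csv: str) -> List[Tuple[str, str, str, str]]:
    """Return (serial, model, os_version, status) for every device needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = assess(row["os_version"])
        if status in ("vulnerable", "unsupported"):
            findings.append((row["serial"], row["model"], row["os_version"], status))
    return findings


if __name__ == "__main__":
    for serial, model, os_version, status in audit(SAMPLE_INVENTORY):
        print(f"{serial:4} {model:30} {os_version:8} {status}")
```

Point the reader at the real export by replacing SAMPLE_INVENTORY with the file contents; the only assumption the classifier makes about the export is the three column names.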