CISA ordered U.S. federal agencies to patch three iOS vulnerabilities exploited by the DarkSword exploit kit in campaigns that stole cryptocurrency and conducted cyberespionage. The exploit chain enabled sandbox escapes, privilege escalation, and remote code execution on iPhones running iOS 18.4–18.7 and has been linked to threat groups including UNC6353 and UNC6748. #DarkSword #UNC6353
Key points
- CISA mandated federal agencies to remediate three actively exploited iOS CVEs by April 3 under BOD 22-01.
- DarkSword abuses a six-vulnerability chain to achieve sandbox escape, privilege escalation, and remote code execution on iOS 18.4–18.7.
- Researchers observed three info-stealing families—GhostBlade, GhostKnife, and GhostSaber—dropped by the exploit framework.
- UNC6353 and UNC6748 were linked to the campaigns, with UNC6353 using DarkSword and Coruna in watering-hole attacks on Ukrainian sites.
- DarkSword wipes temporary files and exits after exfiltration, indicating short-term surveillance operations designed to evade detection.