CISA has ordered federal agencies to patch three iOS vulnerabilities exploited by the Coruna exploit kit, adding them to its Known Exploited Vulnerabilities (KEV) catalog and urging immediate mitigation. According to Google's Threat Intelligence Group (GTIG), Coruna bundles multiple exploit chains, including zero-days, that achieve remote code execution and escalate to kernel privileges. GTIG observed several actors deploying Coruna, among them UNC6353 and the financially motivated UNC6691, for surveillance and cryptocurrency theft.
Keypoints
- CISA ordered Federal Civilian Executive Branch (FCEB) agencies to patch the three iOS flaws exploited by Coruna, setting a March 26 deadline under Binding Operational Directive (BOD) 22-01.
- GTIG reported that Coruna chains exploits for 23 iOS vulnerabilities in total (the three KEV entries are a subset), many of which were exploited as zero-days before Apple shipped fixes.
- Coruna covers every stage of a full-chain compromise: WebKit remote code execution, Pointer Authentication Code (PAC) bypass, sandbox escape, kernel privilege escalation, and Page Protection Layer (PPL) bypass.
- The exploits are ineffective against current iOS releases, and GTIG notes they can also be blocked by Safari's private browsing or Apple's Lockdown Mode, so keeping devices updated remains the primary defence.
- GTIG observed multiple Coruna users, including UNC6353, UNC6691, and customers of commercial surveillance vendors, using it for espionage and cryptocurrency theft.