Zero‑Day iOS Exploit Kit “Coruna” Evolves from Operation Triangulation, Targeting iOS 13‑17.2.1
What Happened – Researchers at Kaspersky and Google’s Threat Intelligence Group identified a new iOS exploit kit, Coruna (aka CryptoWaters), that re‑uses and extends the kernel‑level zero‑day code first seen in the 2023 Operation Triangulation campaign. The kit bundles five exploit chains (23 individual exploits) and attacks iPhones running iOS 13.0 through 17.2.1, while being ineffective against the latest iOS release.
Why It Matters for TPRM –
- The kit is being sold and reused by multiple threat actors, indicating a thriving “zero‑day market” that can affect any third party that supplies iOS‑based applications or services.
- Organizations that rely on iOS devices for remote work, BYOD, or mobile‑first solutions face heightened risk of credential theft, data exfiltration, and espionage.
- The reuse of known vulnerabilities (CVE‑2023‑32434, CVE‑2023‑38606) shows that patch management alone may not protect against sophisticated exploit‑kit resale.
Who Is Affected – Mobile‑device‑dependent enterprises across finance, healthcare, government, and technology; vendors providing iOS apps, MDM solutions, or endpoint‑security services.
Recommended Actions –
- Verify that all iOS devices are running the latest OS version (iOS 17.3+ at time of writing).
- Review contracts with mobile‑app developers and MDM providers for zero‑day exploit‑kit usage clauses.
- Strengthen network‑level detection for Safari‑based stagers and anomalous JavaScript payloads.
- Ensure robust incident‑response playbooks for iOS‑focused attacks.
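The first action above can be run as an inventory triage. The sketch below is an added example, not code from the source report. It takes its version bounds (13.0 through 17.2.1, and the 17.3 minimum) from this brief, while the CSV layout, column names and device rows are constructed for illustration.

```python
import csv
import io
import re

# Bounds taken from the brief: kit range 13.0-17.2.1, recommended 17.3+.
KIT_MIN = (13, 0, 0)
KIT_MAX = (17, 2, 1)
RECOMMENDED_MIN = (17, 3, 0)

# Constructed sample rows; this is not a real MDM export format.
SAMPLE_INVENTORY = """device_id,os_version
iphone-001,13.0
iphone-002,17.2.1
iphone-003,17.3
iphone-004,17.10
iphone-005,12.5.7
iphone-006,17.2
iphone-007,unknown
iphone-008, 16.7.2 beta
"""

def parse_version(text):
    """Return a 3-part integer tuple, or None if the field is not a version."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\s|$)", text)
    if not m:
        return None
    # Missing components count as 0, so "17.2" compares equal to "17.2.0".
    return tuple(int(p or 0) for p in m.groups())

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"            # needs manual follow-up, never assume safe
    if KIT_MIN <= v <= KIT_MAX:
        return "in_kit_range"
    if v >= RECOMMENDED_MIN:        # integer tuples: 17.10 sorts above 17.3
        return "meets_recommended"
    return "below_recommended"      # older than 13.0, still out of date

def triage(csv_text):
    """Map each device_id in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device_id"]: classify(r["os_version"]) for r in rows}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}\t{status}")
```

Comparing versions as integer tuples rather than strings is what keeps a release such as 17.10 from sorting below 17.3, and unparseable fields are reported as unknown instead of being treated as patched.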
Technical Notes – The exploit chain begins with a Safari‑based stager that fingerprints the device, then selects one of five kernel exploits (including updated versions of CVE‑2023‑32434 and CVE‑2023‑38606). The kit has been observed in targeted surveillance operations, Ukrainian watering‑hole campaigns (UNC6353), and broad‑scale attacks by Chinese financial actor UNC6691.
Source: SecurityAffairs