
Zero‑Click iOS Exploit Framework “Coruna” Evolves from Operation Triangulation, Targets Apple A17 & M3 Chips

Kaspersky reports a new iOS exploit kit, Coruna, that builds on the zero‑click iMessage chain used in Operation Triangulation. Supporting Apple A17 and M3 chips and iOS 17.2, it leverages 23 vulnerabilities, including CVE‑2023‑32434 and CVE‑2023‑38606, and is now seen in financially‑motivated crypto‑theft campaigns. Third‑party risk managers must reassess iOS device controls and vendor remediation clauses.

🛡️ LiveThreat™ Intelligence · 📅 March 27, 2026 · 📰 bleepingcomputer.com
  • Severity: Critical
  • Type: ThreatIntel
  • Confidence: High
  • Affected: 2 sector(s)
  • Actions: 3 recommended
  • Source: bleepingcomputer.com


What Happened – Researchers at Kaspersky disclosed a new iOS exploit kit named Coruna. It builds on the zero‑click iMessage chain used in the 2023 Operation Triangulation campaign and now supports Apple A17, M3‑series chips and iOS 17.2, leveraging 23 vulnerabilities (including CVE‑2023‑32434 and CVE‑2023‑38606).

Why It Matters for TPRM

  • Zero‑click exploits bypass user interaction, exposing any organization that permits iOS devices to access corporate resources.
  • The framework’s expansion to newer hardware widens the attack surface for vendors supplying mobile‑device management (MDM) or enterprise apps.
  • Its reuse in financially‑motivated crypto‑theft campaigns shows a shift from pure espionage to broader criminal activity, increasing risk to third‑party data pipelines.

Who Is Affected – Enterprises across all sectors that allow iOS devices (iPhone, iPad) to connect to corporate networks, especially those using MDM, VPN, or internal web portals.

Recommended Actions

  • Verify that all iOS endpoints run a version newer than the listed vulnerable ranges (iOS ≥ 17.2).
  • Ensure MDM solutions enforce strict code‑signing and sandboxing policies.
  • Review contracts with mobile‑device vendors for clauses on zero‑day remediation and rapid patch delivery.

Technical Notes – The attack initiates in Safari with a stager that fingerprints the device, selects appropriate kernel RCE and PAC exploits, then downloads encrypted payloads (ChaCha20‑encrypted, LZMA‑compressed). It selects exploits based on architecture (ARM64/ARM64E) and chip generation (A17, M3, M3 Pro/Max). The kit contains five full exploit chains covering 23 CVEs, many of which are zero‑day or unpatched. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/coruna-ios-exploit-framework-linked-to-triangulation-attacks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
