
Coruna Exploit Framework Reuses Zero‑Day Code from Operation Triangulation (CVE‑2023‑32434, CVE‑2023‑38606) Targeting iOS Devices

The Coruna iOS exploit kit incorporates kernel‑level zero‑day code first seen in the Operation Triangulation campaign, leveraging CVE‑2023‑32434 and CVE‑2023‑38606. Active distribution links suggest the kit is being used in the wild, posing a high‑risk supply‑chain threat to organizations with iPhone‑based workforces.

🛡️ LiveThreat™ Intelligence · 📅 March 26, 2026 · 📰 securelist.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 2 sector(s) · Actions: 4 recommended · Source: securelist.com

What It Is – The “Coruna” framework is a sophisticated iOS exploit kit that re‑uses kernel‑level zero‑day code originally seen in the Operation Triangulation APT campaign. It bundles exploits for CVE‑2023‑32434 and CVE‑2023‑38606, along with four additional kernel exploits, to deliver a spyware implant on iPhone devices.

Exploitability – The vulnerabilities have been publicly disclosed, and the Coruna kit demonstrates active, weaponised exploitation in the wild. There is no public PoC beyond the kit itself, but the presence of live distribution links indicates an ongoing threat. CVSS (estimated) ≈ 9.8 (Critical).

Affected Products – Apple iPhone devices running iOS versions vulnerable to CVE‑2023‑32434 and CVE‑2023‑38606 (typically iOS < 17.2).

TPRM Impact – Organizations that rely on mobile devices for corporate access (e.g., BYOD, mobile workforce, MDM‑managed fleets) face a supply‑chain‑style risk: a third‑party surveillance vendor’s code can be repurposed and sold to other threat actors, potentially compromising employee devices and corporate data.

Recommended Actions

  • Verify that all iOS devices are patched to the latest version that mitigates CVE‑2023‑32434 and CVE‑2023‑38606.
  • Review contracts with any mobile‑device‑management or surveillance‑technology providers for clauses on zero‑day usage and disclosure.
  • Deploy network‑level detection for known Coruna C2 indicators (domains, URLs) and block them.
  • Conduct a mobile‑security audit of third‑party apps and SDKs used in your environment.
  • Update incident‑response playbooks to include iOS kernel‑exploit scenarios.

Source: SecureList – Coruna Framework Updated – Operation Triangulation Exploit

📰 Original Source
https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
