CISA Orders Federal Patch for iOS Flaws in Coruna Attacks

By alex2404

Spyware-grade exploit infrastructure, once the domain of commercial surveillance vendors, has increasingly been repurposed by state-linked actors and financially motivated criminal groups — and federal agencies are now formally on notice to respond.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch agencies to patch three iOS vulnerabilities by March 26, after researchers identified them as active components of the Coruna exploit kit. The directive was issued under Binding Operational Directive 22-01, which requires agencies to remediate every vulnerability listed in CISA's Known Exploited Vulnerabilities (KEV) catalog by the due date attached to its entry.

Coruna is a notably capable exploit kit. According to the announcement, Google Threat Intelligence Group (GTIG) researchers found it bundles multiple exploit chains targeting 23 iOS vulnerabilities, several of which were exploited as zero-days. The kit provides WebKit remote code execution, sandbox escape, Pointer Authentication Code (PAC) bypass, kernel privilege escalation and Page Protection Layer (PPL) bypass capabilities on vulnerable devices. Taken together, those stages cover a full browser-to-kernel chain: code execution inside the renderer when a victim loads an attacker-controlled page, escape from the WebKit sandbox, defeat of the pointer-integrity checks that are meant to stop control-flow hijacking, escalation into the kernel, and finally circumvention of the layer that protects kernel code and page tables from a compromised kernel.

Multiple Threat Actors, Overlapping Objectives

GTIG observed Coruna in use by at least three distinct actors last year: a surveillance vendor customer, a suspected Russian state-backed group tracked as UNC6353, and a financially motivated Chinese threat actor designated UNC6691. The last of these deployed the kit through fake gambling and cryptocurrency websites, using it to deliver malware that stole victims’ cryptocurrency wallets.

Mobile security firm iVerify described Coruna as an example of “sophisticated spyware-grade capabilities” that migrated “from commercial surveillance vendors into the hands of nation-state actors and, ultimately, mass-scale criminal operations.” The characterization reflects a broader pattern in which capabilities originally developed for targeted espionage are later absorbed into higher-volume criminal operations.

There are meaningful constraints on Coruna's reach. The report notes that the exploits do not function on recent versions of iOS, and are blocked if the target is browsing in private mode or has enabled Apple's Lockdown Mode. For defenders the practical reading is that a fully updated device is not exposed to the chains in the kit, and that Lockdown Mode, which among other things disables just-in-time JavaScript compilation in Safari for sites the user has not excluded, removes a precondition that many WebKit exploit chains depend on. Lockdown Mode is opt-in and private browsing is a per-session choice, so neither is a substitute for applying the patches across a fleet.

Scope of the Federal Order

Of the 23 vulnerabilities associated with Coruna, CISA added three to its Known Exploited Vulnerabilities catalog on Thursday, triggering the mandatory remediation deadline. The agency’s guidance directs agencies to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use of the product where mitigations are unavailable.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA stated. While the binding directive applies exclusively to federal agencies, CISA extended its recommendation to private sector organizations and all other entities, urging them to prioritize patching as soon as possible.
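A practical counterpart to the order, as an added example that is not drawn from the article or from CISA: a small Python script that reads a feed in the layout of CISA's KEV JSON (the real field names are cveID, vendorProject, product, dateAdded, dueDate and requiredAction), keeps the Apple iOS entries, and reports how many days remain before each BOD 22-01 due date or by how many days it has already been missed. The feed content embedded here is constructed, and the CVE identifiers are placeholders, because the article does not name the three entries; point `triage` at the downloaded catalog file to run it against the live data.

```python
"""Triage a KEV-format feed for Apple iOS entries against BOD 22-01 due dates.

Added example with constructed data; this is not CISA's catalog nor any
published tooling. Field names match the real KEV JSON feed.
"""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The CVE IDs,
# names and dates are placeholders, not the Coruna-related entries.
SAMPLE_KEV = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "dateReleased": "2026-03-05T00:00:00.0000Z",
  "count": 5,
  "vulnerabilities": [
    {"cveID": "CVE-0000-10005", "vendorProject": "Apple", "product": "iOS, iPadOS, and macOS",
     "vulnerabilityName": "Placeholder kernel memory corruption", "dateAdded": "2026-02-08",
     "shortDescription": "Placeholder entry.", "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-03-01", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []},
    {"cveID": "CVE-0000-10001", "vendorProject": "Apple", "product": "iOS and iPadOS",
     "vulnerabilityName": "Placeholder WebKit memory corruption", "dateAdded": "2026-03-05",
     "shortDescription": "Placeholder entry.", "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-03-26", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []},
    {"cveID": "CVE-0000-10002", "vendorProject": "Apple", "product": "iOS and iPadOS",
     "vulnerabilityName": "Placeholder sandbox escape", "dateAdded": "2026-03-05",
     "shortDescription": "Placeholder entry.", "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-03-26", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []},
    {"cveID": "CVE-0000-10003", "vendorProject": "Apple", "product": "macOS",
     "vulnerabilityName": "Placeholder macOS-only bug", "dateAdded": "2026-02-17",
     "shortDescription": "Placeholder entry.", "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []},
    {"cveID": "CVE-0000-10004", "vendorProject": "ExampleVendor", "product": "Router",
     "vulnerabilityName": "Placeholder non-Apple bug", "dateAdded": "2026-01-30",
     "shortDescription": "Placeholder entry.", "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-02-20", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []}
  ]
}
"""


def parse_kev(feed_json: str) -> list[dict]:
    """Return the 'vulnerabilities' array of a KEV-format JSON document."""
    return json.loads(feed_json)["vulnerabilities"]


def triage(feed_json: str, as_of, vendor: str = "Apple", product_keyword: str = "iOS") -> list[dict]:
    """Select entries for one vendor whose product field mentions product_keyword
    (case-insensitive substring; 'macOS' and 'iPadOS' do not match 'iOS') and
    compute the remediation status relative to as_of (a date or ISO string)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    rows = []
    for v in parse_kev(feed_json):
        if v["vendorProject"] != vendor or product_keyword.lower() not in v["product"].lower():
            continue
        due = date.fromisoformat(v["dueDate"])
        rows.append({
            "cve": v["cveID"],
            "product": v["product"],
            "date_added": v["dateAdded"],
            "due": due.isoformat(),
            "days_left": (due - as_of).days,   # negative once the deadline has passed
            "overdue": as_of > due,
            "required_action": v["requiredAction"],
        })
    rows.sort(key=lambda r: r["due"])          # earliest deadline first
    return rows


def summarize(rows: list[dict]) -> dict:
    """Counts a remediation lead would put in a status report."""
    return {
        "total": len(rows),
        "overdue": sum(r["overdue"] for r in rows),
        "due_within_30_days": sum(0 <= r["days_left"] <= 30 for r in rows),
    }


if __name__ == "__main__":
    rows = triage(SAMPLE_KEV, "2026-03-06")
    for r in rows:
        state = f"OVERDUE by {-r['days_left']}d" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{r['cve']:16} {r['product']:24} added {r['date_added']} due {r['due']}  {state}")
    print(summarize(rows))
```

The substring match on the product field is deliberately loose because CISA writes Apple products in several forms ("iOS and iPadOS", "iOS, iPadOS, and macOS"); tighten it to an exact list if your inventory only tracks one platform.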


This article is a curated summary based on third-party sources.
