Apple Backports iOS Fixes Targeting Coruna Exploit Kit

By alex2404

Speculation about the origins of the Coruna exploit kit has been circulating since Google publicly described the tool earlier this month — and now Apple is responding directly to the threat it poses to older devices still in the field.

According to the announcement, Apple has backported a fix for CVE-2023-43010, a WebKit vulnerability that causes memory corruption when processing maliciously crafted web content. The flaw was originally patched in iOS 17.2 on December 11, 2023. The company confirmed the issue was addressed with improved handling, and that the latest update delivers that same fix to devices unable to run current iOS versions.

“This fix associated with the Coruna exploit kit was shipped in iOS 17.2 on December 11th, 2023,” Apple stated in an advisory. “This update brings that fix to devices that cannot update to the latest iOS version.”

What Coruna Actually Does

iOS 15.8.7 and iPadOS 15.8.7 go further — incorporating patches for three additional vulnerabilities tied to the same exploit kit. The scope of the kit itself is significant: Google’s earlier research described Coruna as featuring 23 exploits across five chains, targeting iPhone models running iOS versions 13.0 through 17.2.1.

iVerify is tracking the broader malware framework using the kit under the name CryptoWaters. The firm says it bears similarities to previous frameworks developed by threat actors affiliated with the U.S. government.

Two of Coruna’s exploits — CVE-2023-32434 and CVE-2023-38606 — were previously used as zero-days in Operation Triangulation, a 2023 campaign targeting users in Russia. That connection has fueled attribution speculation. The prevailing theory holds that Coruna was likely built by U.S. military contractor L3Harris and may have reached Russian exploit broker Operation Zero through Peter Williams, a former general manager at the firm sentenced last month to more than seven years in prison for selling exploits for payment.

Why Attribution Remains Unsettled

Kaspersky is cautious about drawing direct lines. Boris Larin, principal security researcher at Kaspersky GReAT, told a publication that shared vulnerability targeting does not constitute shared code. “Neither Google nor iVerify in their published research claims that Coruna reuses Triangulation’s code,” he said. “What they identify is that two exploits in Coruna — Photon and Gallium — target the same vulnerabilities. That’s an important distinction.”

Larin added that any sufficiently skilled team could independently develop exploits for flaws with publicly available implementations. “Despite our extensive research, we are unable to attribute Operation Triangulation to any known APT group or exploit development company,” he said.

Apple’s current update cycle brings the CVE-2023-43010 patch to older iOS and iPadOS versions not covered by previous releases, with iOS 15.8.7 and iPadOS 15.8.7 also addressing the three additional Coruna-linked vulnerabilities.

This article is a curated summary based on third-party sources.