The Emergence of Coruna
Security researchers have uncovered a sophisticated hacking toolkit named Coruna that exploits over 23 zero-day vulnerabilities in Apple’s iPhone software. It has been actively deployed by espionage teams and cybercriminals, and it potentially traces back to U.S. government development.
The exploit kit has a modular design, enabling attackers to customize their approach and choose the most effective payloads for surveillance and data theft. Analysts at iVerify noted that the toolkit exhibits characteristics consistent with tools used by U.S. intelligence, raising uncomfortable questions about its origins and availability.
Coruna’s Capabilities
Coruna is not merely a collection of hacking tools; it integrates five comprehensive exploit chains adaptable to various iOS vulnerabilities. It detects the specific iPhone model and operating system version before executing an attack. Once active, it facilitates unauthorized access to crucial device data, from messages to location history, and even allows control over the microphone and camera without any indication to the user.
In particular, the toolkit can infiltrate devices discreetly, without user interaction, and it checks the device's state first, including checks for Lockdown Mode. For instance, if a device has private browsing activated, Coruna aborts the attack. This makes its operation stealthier and poses an ongoing risk to millions of users.
The toolkit has been linked to multiple cybercrime groups, including a Russian espionage organization, UNC6353, which used the toolkit to target Ukrainian websites. Meanwhile, a financially motivated Chinese actor, identified as UNC6691, leveraged the toolkit on counterfeit finance and cryptocurrency sites to extract sensitive financial data.
Cryptocurrency Interests
The Coruna exploit kit has particular implications for the cryptocurrency space because it specifically targets popular wallets and exchanges, including MetaMask, Trust Wallet, and Uniswap. Its capabilities extend to decoding QR codes, extracting cryptocurrency recovery phrases, and harvesting sensitive information from Apple’s memo application.
Research indicates that essentially every cryptocurrency application on iOS is vulnerable to this malicious toolkit, including the commonly used Trust Wallet, thereby exposing users to significant theft risk. Its emergence heightens concerns as criminals increasingly exploit vulnerabilities in digital finance.
The Response from Apple and Future Implications
In response to the exposure of these vulnerabilities, Apple has already issued patches for later versions of iOS. However, a significant number of devices running iOS versions 13 to 17.2.1 remain susceptible, potentially endangering tens of thousands of users globally.
Security experts underscore the evolving nature of cyber threats, particularly the emerging trend of “secondhand” exploits, where such sophisticated toolkits are traded among cybercriminals for financial gain. The implications could ripple through the cybersecurity sector, prompting urgent calls to bolster defenses and regulatory oversight within the growing cryptocurrency market.









