Apple backports Coruna exploit fixes to older iPhones and iPads

Apple has released security updates for older iPhones and iPads to address vulnerabilities associated with the “Coruna” iOS exploit kit, a sophisticated exploitation framework previously linked to espionage and cryptocurrency theft campaigns.

The fixes arrive in iOS 16.7.15, iPadOS 16.7.15, iOS 15.8.7, and iPadOS 15.8.7, and backport patches for several vulnerabilities that were originally addressed in newer versions of iOS.

Apple says the updates include fixes related to the Coruna exploit toolkit, which security researchers recently linked to a broad iOS exploitation platform capable of chaining together multiple vulnerabilities to fully compromise targeted devices.

The iOS 16.7.15 and iPadOS 16.7.15 updates patch CVE-2023-43010, a WebKit vulnerability that could allow memory corruption when processing maliciously crafted web content. Apple states that the issue was resolved by improving memory handling.

The flaw had already been fixed in iOS 17.2, released in December 2023, but the new update extends the protection to older devices that cannot upgrade beyond iOS 16. According to Apple, the vulnerability affected legacy devices, including the iPhone 8, iPhone 8 Plus, iPhone X, the 5th-generation iPad, and earlier iPad Pro models.

Apple also issued iOS 15.8.7 and iPadOS 15.8.7 to address several vulnerabilities associated with the same exploit framework on even older hardware.

Among them is CVE-2023-41974, a kernel use-after-free flaw discovered by security researcher Félix Poulin-Bélanger. If exploited, the vulnerability could allow a malicious application to execute arbitrary code with kernel privileges. Apple originally fixed the bug in iOS 17 in September 2023.

Two additional WebKit vulnerabilities were patched as part of the update:

• CVE-2024-23222 – a type confusion bug that could allow arbitrary code execution when processing malicious web content.
• CVE-2023-43000 – a WebKit use-after-free memory corruption vulnerability.

Each of these issues had previously been addressed in newer versions of iOS between mid-2023 and early 2024, but had not yet been backported to older systems.

The Coruna exploit kit

The fixes come shortly after Google’s Threat Intelligence Group (GTIG) revealed details about Coruna, an advanced exploit kit capable of targeting iPhones running iOS 13 through iOS 17.2.1.

According to Google’s investigation, Coruna uses a malicious web page to fingerprint a visitor’s device before delivering a tailored exploit chain that combines WebKit remote code execution, sandbox escapes, and kernel privilege escalation vulnerabilities. The framework relies on obfuscated JavaScript to deploy encrypted payloads disguised as .min.js files that contain compressed binary exploit components.

The attack chains uncovered by researchers included multiple vulnerabilities now patched by Apple, such as CVE-2024-23222 and CVE-2023-43000.

Google linked different deployments of the exploit kit to separate threat actors. One campaign targeting Ukrainian websites was attributed to UNC6353, a suspected Russian state-aligned espionage group, while a separate operation using fake cryptocurrency websites was linked to UNC6691, a financially motivated actor believed to operate from China.

Once exploitation succeeds, the attack deploys a loader known as PlasmaLoader (PLASMAGRID) that injects itself into the powerd system daemon and searches the device for cryptocurrency wallet credentials, seed phrases, and QR codes.