CISA Orders Feds to Patch iOS Flaws
CISA is directing U.S. federal agencies to immediately patch iOS flaws actively being exploited by the "Coruna" kit in cyberespionage and crypto-theft attacks. The exploit kit, which now targets iOS versions up to 17.2.1, reportedly includes two new PPL bypass vulnerabilities that could enable future jailbreaks, raising the stakes for both enterprise and consumer security.
CISA's directive adds these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, a curated list of flaws with evidence of active, real-world exploitation. Federal Civilian Executive Branch agencies are required under Binding Operational Directive (BOD) 22-01 to remediate KEV entries by their listed due dates; for these flaws, that date is March 26.

The "Coruna" kit is a highly engineered framework bundling five full exploit chains built from a total of 23 individual exploits. Together they cover a wide range of iPhones running iOS from 13.0, released in September 2019, through 17.2.1, released in December 2023.

The kit has also spread across threat-actor categories in an unusual way. Google's Threat Intelligence Group first observed it used by a client of a commercial surveillance vendor, then by a suspected Russian state-sponsored group (UNC6353) in attacks against Ukrainian targets, and finally by a Chinese financially motivated criminal group (UNC6691). This migration from targeted espionage to broader criminal campaigns points to a secondary market for zero-day exploits. In the financially motivated campaign, the kit was hosted on fake cryptocurrency and gambling websites: hidden iframes on those pages delivered the exploit chain to visiting iPhones and ultimately installed malware that could steal sensitive data from cryptocurrency wallet apps.

The PPL (Page Protection Layer) bypasses are particularly significant for Apple's architecture. On A12 and newer chips, PPL acts as a "kernel within the kernel," a security boundary that keeps page tables from being modified even by an attacker who already has kernel-level code execution. Bypassing it defeats a core tenet of the platform's security model, which is why the two new bypasses are seen as a possible path to future jailbreaks.

While potent, the Coruna kit is not effective against the latest versions of iOS; its target range ends at 17.2.1, so devices kept current are outside it. The framework is also engineered to check for, and abort the attack if it detects, Apple's high-security Lockdown Mode or private browsing on the target device.
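As an added, illustrative example (not code from the article, CISA or Google), the following Python triages a device inventory against the kit's stated target range. The CSV columns and the sample rows are constructed, since MDM exports differ by vendor; the 13.0 through 17.2.1 bounds come from the article. It avoids the classic pitfall of comparing version strings lexicographically, which would sort 17.10 before 17.2.

```python
"""Triage an iOS device inventory against the Coruna kit's stated target range.

Added example, not from the article or from CISA/Google. Inventory rows and
column names are constructed for illustration; the version bounds 13.0 and
17.2.1 come from the article. "Out of range" means the device is outside the
kit's stated targets, not that it is patched: confirm fixed builds against the
vendor advisory before closing a ticket.
"""
import csv
import io
from dataclasses import dataclass

TARGET_MIN = "13.0"    # from the article
TARGET_MAX = "17.2.1"  # from the article

# Constructed sample export (not real data).
SAMPLE_INVENTORY = """\
device_id,os_version,lockdown_mode
ipad-001,17.2.1,false
iphone-002,17.3,false
iphone-003,16.7.4,true
iphone-004,12.5.7,false
iphone-005,17.10,false
iphone-006,n/a,false
iphone-007,15.7.1,false
"""


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '17.2.1' into (17, 2, 1) so versions compare numerically.

    Comparing raw strings is wrong: '17.10' < '17.2' lexicographically,
    which would mark a newer build as targeted.
    """
    parts = tuple(int(p) for p in v.strip().split("."))
    if not parts or any(p < 0 for p in parts):
        raise ValueError(f"bad version: {v!r}")
    return parts


def in_target_range(version: str, lo: str = TARGET_MIN, hi: str = TARGET_MAX) -> bool:
    """True if version lies within [lo, hi] inclusive. Tuple comparison
    treats a missing trailing component as 0, so 17.2 < 17.2.1 as expected."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


@dataclass
class Finding:
    device_id: str
    os_version: str
    status: str    # "in_range", "out_of_range" or "unknown"
    priority: str  # "high", "reduced", "none" or "manual"


def triage(csv_text: str) -> list[Finding]:
    """Classify each inventory row. Malformed versions are never silently
    skipped; they go to a manual-review bucket so nothing falls through."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dev, ver = row["device_id"], row["os_version"]
        lockdown = row.get("lockdown_mode", "false").strip().lower() == "true"
        try:
            hit = in_target_range(ver)
        except ValueError:
            findings.append(Finding(dev, ver, "unknown", "manual"))
            continue
        if not hit:
            findings.append(Finding(dev, ver, "out_of_range", "none"))
        elif lockdown:
            # The kit aborts when Lockdown Mode is on, but the flaw is still
            # present on the device, so it is deprioritised, not dismissed.
            findings.append(Finding(dev, ver, "in_range", "reduced"))
        else:
            findings.append(Finding(dev, ver, "in_range", "high"))
    return findings


def devices_to_patch_first(csv_text: str) -> list[str]:
    """Device IDs in the kit's range with no mitigating Lockdown Mode."""
    return sorted(f.device_id for f in triage(csv_text) if f.priority == "high")


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.device_id:12} {f.os_version:8} {f.status:13} {f.priority}")
    print("patch first:", devices_to_patch_first(SAMPLE_INVENTORY))
```

Treat the output as a prioritisation aid, not a patch-status report: the article gives the kit's target range but not Apple's fixed build numbers, and the Lockdown Mode check only reflects that the kit aborts on such devices, which is no substitute for the update.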