The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to remediate, without delay, three iOS vulnerabilities that are part of an exploit kit known as Coruna. The move is not merely administrative: it reflects the seriousness of a tool that, according to intelligence analysis, lets attackers escalate privileges on Apple devices to kernel level and execute code remotely through the browser.
Coruna is not a single, isolated exploit but a complex set of attack chains that abuses numerous flaws in WebKit and other operating-system components. Researchers have found that the kit bundles mechanisms for defeating modern defences: bypassing pointer authentication, breaking out of the sandbox, and getting past the Page Protection Layer (PPL). In practice, this means that an unsuspecting user who visits a malicious website can be silently compromised and lose control of their device.

Google researchers and other firms have tracked Coruna's evolution and documented its use in real attacks, including cyber-espionage campaigns and cryptocurrency theft operations. In some cases the attackers used fraudulent sites, themed around gambling or cryptocurrency, as decoys to deliver the exploit to the victim and then deployed payloads designed to drain cryptocurrency wallets. CISA's note on adding these flaws to its catalogue of vulnerabilities exploited in the wild is in its public alert, and further technical context is in the report from iVerify, a firm that has followed the case.
To put numbers on the table: CISA added three specific identifiers to its Known Exploited Vulnerabilities catalogue and required federal civilian agencies to apply patches or mitigations before a deadline. This type of directive falls under BOD 22-01 and aims to shrink the exposure window in high-risk environments. Public references for each CVE are available in the MITRE register, for example CVE-2023-41974, CVE-2021-30952 and CVE-2023-43000.
Two practical points need to be understood. First, many of the vulnerabilities exploited by Coruna were used as zero-days, that is, before patches were available. Second, not all iOS configurations are equally vulnerable today. The latest versions of the operating system include fixes and mitigations that stop the kit from working in many cases, and specific modes of use such as private browsing and Apple's Lockdown Mode add further barriers that can break these exploit chains.
Lockdown Mode and private browsing are not magic solutions, but they significantly reduce the attack surface. Apple designed Lockdown Mode precisely for users facing highly targeted threats: it restricts functionality that exploit kits and advanced surveillance tools frequently rely on. Even so, the most reliable and general protection remains keeping the system up to date with the official patches Apple publishes regularly.
Another relevant aspect is the kit's provenance and use. Groups of very different profiles have taken advantage of Coruna: operators linked to commercial surveillance services, actors allegedly backed by states, and financially motivated criminal gangs. This journey, from tooling originally developed by state surveillance providers to large-scale cybercrime operations, highlights a worrying pattern: what is born as intelligence technology can leak and become a weapon for general use.

For organizations and users, the recommendation is clear and practical: prioritize applying patches and follow the manufacturer's mitigation guidance. For the public sector, the obligation is set by the directive. For the private sector and the general public, the urgency comes from experience: exploit kits evolve fast and the window for effective defence is small. CISA, besides ordering remediation, advises that, where no mitigation is available, use of the affected product should be discontinued until the situation is resolved.
Beyond the immediate technical response, this episode invites reflection on the security of the mobile ecosystem. Smartphones now concentrate critical information and high-value digital assets, such as cryptocurrency keys. The convergence of complex browsers, rendering engines such as WebKit and advanced operating-system capabilities creates attack vectors that require a coordinated response from manufacturers, agencies and security companies. Independent public reports and analyses, such as those cited by CISA, iVerify and research groups, help in understanding the real scope of the threat and in making informed decisions; consulting them is good practice.
If you want to dig further into the official sources mentioned in this article, you can review CISA's alert about these vulnerabilities on its website, iVerify's technical write-up on Coruna on its blog, and the CVE entries in the MITRE repository at cve.mitre.org. Keeping devices up to date and taking preventive measures such as Lockdown Mode where appropriate are the best defences available today. Mobile security is a constant race: winning depends on who updates first.