# CISA Issues Urgent Alert: Apple Flaws Exploited by Sophisticated Spyware and Crypto-Theft Attacks

In a recent warning issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), federal agencies are ordered to patch three iOS security flaws that have been targeted in cyberespionage and crypto-theft attacks using the Coruna exploit kit. The agency's alert comes after Google Threat Intelligence Group (GTIG) researchers revealed that Coruna uses multiple exploit chains targeting 23 iOS vulnerabilities, many of which were deployed in zero-day attacks.

The Coruna exploit kit provides threat actors with advanced capabilities, including Pointer Authentication Code (PAC) bypass, sandbox escape, and PPL (Page Protection Layer) bypass. These allow them to gain WebKit remote code execution and escalate to kernel privileges on vulnerable devices. GTIG observed the exploit kit being used by multiple threat actors last year, including a surveillance vendor customer, a suspected Russian state-backed hacking group (UNC6353), and a financially motivated Chinese threat actor (UNC6691).

The latter deployed Coruna on fake gambling and crypto websites and used it to deliver a malware payload designed to steal victims' cryptocurrency wallets. Mobile security firm iVerify described Coruna as an example of "sophisticated spyware-grade capabilities" that have migrated from commercial surveillance vendors into the hands of nation-state actors and mass-scale criminal operations.

CISA added three of the 23 Coruna vulnerabilities to its catalog of Known Exploited Vulnerabilities, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by March 26 as mandated by the Binding Operational Directive (BOD) 22-01. The agency warned that these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Although BOD 22-01 applies only to federal agencies, CISA urged all organizations, including private sector companies, to prioritize patching these flaws to secure their devices against attacks as soon as possible. As the threat landscape continues to evolve, it is essential for all organizations to stay vigilant and take proactive measures to protect themselves against sophisticated threats like Coruna.

In related news, CISA has recently flagged a VMware Aria Operations RCE flaw as exploited in attacks, as well as recently patched RoundCube flaws that are now exploited in attacks. The agency also warned of Predator spyware that hooks iOS SpringBoard to hide microphone and camera activity. It is crucial for organizations to stay informed about the latest vulnerabilities and exploits to avoid falling victim to these types of threats.

To mitigate the risks associated with Coruna, organizations can take several steps:

1. Apply the available security patches for iOS as soon as possible.
2. Enable Apple's Lockdown Mode anti-spyware protection feature on all devices.
3. Use private browsing mode when accessing sensitive information online.
4. Regularly scan devices and networks for malware and vulnerabilities.

By taking these proactive measures, organizations can significantly reduce their risk of falling victim to Coruna-style attacks.