An exploit kit that may have originated from a leaked U.S. government framework is behind what researchers are calling the first mass-scale attack on iOS, the operating system for Apple’s iPhones.
Traces of the exploits, found in the work of Chinese cybercriminals, also have been spotted in Russian attacks on Ukraine and used by a customer of a spyware vendor.
Those conclusions come from two pieces of research that Google Threat Intelligence Group and iVerify released separately Tuesday. Rocky Cole, co-founder of iVerify, said it represented a potential “EternalBlue moment,” with echoes of that exploit software escaping the National Security Agency to fuel the global WannaCry ransomware and NotPetya attacks in 2017.
Google said that the so-called Coruna exploit kit that is the subject of Tuesday’s research “provides another example of how sophisticated capabilities proliferate,” as it wrote in a blog post about the zero-day exploits, meaning exploits for vulnerabilities that were previously undisclosed and unpatched.
“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google wrote. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.”
Said iVerify: “While iVerify has some evidence that this tool is a leaked U.S. government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”
Just last week, a U.S. court sentenced a former L3Harris executive to prison for selling zero-day exploits to a Russian broker.
Both Google and iVerify connected the exploit kit to Operation Triangulation, a campaign that Russian cybersecurity firm Kaspersky disclosed in 2023 after it targeted the company, and that the Russian government attributed to the U.S. government. The NSA declined to comment on that allegation.
An Apple spokesperson didn’t respond to a request for comment Tuesday afternoon. Apple issued multiple patches in response to Operation Triangulation, and worked with Google on the newest research.
Spencer Parker, chief product officer at iVerify, said the attack affected at least 42,000 devices, a “massive number” for iOS, even if it sounds small compared with other platforms. That number has the potential to grow as researchers dig further into the technical details, Cole said.
Other signs point to U.S. development of the exploit kit, Cole said.
“The code base for the framework and the exploits was superb,” he said. “It was elegantly written. It’s fluid and holds together very well. There were comments in the code that, as someone who’s been around the U.S. defense industrial base for years, really are reminiscent of the sort of insider jokes and insider remarks that you might see from a U.S. based coder. Certainly they were native English language speakers.”
Google said it tracked the use of the exploit kit over the course of last year, first in operations by an unnamed customer of a surveillance vendor, then in attacks on Ukrainian users by a suspected Russian espionage group, before finally retrieving the complete exploit kit from a financially motivated group operating out of China.
Apple-focused security researcher Patrick Wardle observed on the social media site X about the Coruna research: “Turns out even lowly cybercriminals were (ab)using 0days to hack Apple devices.”
The post Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack appeared first on CyberScoop.