Introduction
Recent findings from Kaspersky have revealed that the "Coruna" iOS exploit kit, detected in widespread mass attacks, is not entirely new code. Instead, it reuses and updates kernel-level exploit code from the notorious 2023 "Operation Triangulation" campaign.
For defenders, this is a critical reminder that the cybercriminal ecosystem is efficient. Successful exploits are rarely discarded; they are refined, updated, and redeployed. This repurposing of high-value kernel vulnerabilities indicates that threat actors are actively leveraging known attack vectors to compromise iOS devices. Understanding this evolution is essential for protecting enterprise mobility environments against sophisticated, persistent threats.
Technical Analysis
The Coruna kit leverages kernel security vulnerabilities that grant attackers unprecedented privileges on the device. According to the analysis, the core code within Coruna is an updated version of the exploits used in Triangulation (2023). This suggests that the underlying vulnerability may have been insufficiently patched, or that the code has been modified to bypass newer security mitigations introduced by Apple.
- Affected Systems: Apple iPhones and iPads running vulnerable versions of iOS/iPadOS.
- Severity: Critical. Kernel-level exploitation leads to total device compromise, including bypassing sandboxing, accessing sensitive data (keychains, messages, location), and installing persistent spyware.
- Attack Vector: Similar to Triangulation, Coruna is often delivered via zero-click exploits, typically through malicious iMessage attachments or specifically crafted messages that require no user interaction to execute.
- Patch Status: Apple has historically addressed Triangulation-related vulnerabilities in rapid security updates. Organizations must assume that active exploitation targets unpatched devices running outdated iOS versions.
Defensive Monitoring
To detect compromised devices or verify patch status, security teams should utilize Mobile Device Management (MDM) solutions and Endpoint Detection and Response (EDR) tools like Microsoft Defender for Endpoint.
Detecting Vulnerable iOS Versions (KQL)
Use the following KQL query in Microsoft Sentinel or Microsoft Defender to identify devices running iOS versions that may be susceptible to older Triangulation-style vulnerabilities or lack the latest security patches.
DeviceInfo
| where OSType == "iOS" or OSType == "iPadOS"
| where OSVersion < "20.3" // Adjust version based on latest patch release for Coruna/Triangulation
| project DeviceName, OSVersion, DeviceId, LastSeen
| order by OSVersion asc
Compliance Check via PowerShell (Graph API)
The following PowerShell script connects to the Microsoft Graph API to retrieve a list of iOS-managed devices and checks their OS versions against a compliance baseline. This helps identify devices that need immediate updates.
# Requires MS Graph PowerShell module installed
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
$CompliantOSVersion = "20.3" # Define your minimum secure OS version
$Devices = Get-MgDeviceManagementManagedDevice -Filter "(operatingSystem eq 'iOS' or operatingSystem eq 'iPadOS')"
foreach ($Device in $Devices) {
if ([version]$Device.OSVersion -lt [version]$CompliantOSVersion) {
Write-Host "WARNING: $($Device.DeviceName) is running vulnerable OS version $($Device.OSVersion)" -ForegroundColor Red
}
}
Remediation
Given the severity of kernel-level exploits, immediate action is required to secure the enterprise mobile fleet.
-
Patch Immediately: Ensure all iOS devices are updated to the latest version of iOS/iPadOS. The Coruna kit relies on specific kernel vulnerabilities; applying the latest Apple security patches is the only reliable way to neutralize the threat.
-
Enforce MDM Compliance Policies: Configure your Mobile Device Management (Intune, Jamf, etc.) to block access to corporate resources (Exchange, SharePoint, VPN) if the device OS version is below a specific threshold. This creates a "patch or lose access" enforcement mechanism.
-
Enable Lockdown Mode: For high-risk users (executives, sensitive roles), enable Lockdown Mode on iOS. This feature significantly reduces the attack surface by strictly restricting web browsing and messaging functionalities, effectively neutralizing many zero-click exploits like those used in Triangulation and Coruna.
-
Audit Messaging Logs: While difficult for standard admins, ensure EDR solutions are monitoring for unusual process execution or unexpected configuration changes related to the Messages app or system daemons.
Related Resources
Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.