March 12, 2026

"Coruna" Exploit Kit

Coruna vulnerability

Lookout Coverage and Recommendation for Admins

To ensure your devices are protected from the Coruna exploit kit, Lookout admins should take the following steps in the Lookout Console:

  1. Enforce Minimum OS Versions:
    • Configure the Out-of-date OS policy to require a minimum of iOS/iPadOS 17.4, or iOS 16.7.6 for older devices that cannot run iOS 17.
    • Set the response to "Block" for high-risk users so that non-compliant devices cannot access corporate resources.
  2. Enable Phishing & Content Protection (PCP):
    • Because these exploits are delivered via malicious URLs, ensure PCP is enabled across the fleet.
    • This allows Lookout to intercept the "Initial Access" vector (the malicious link) before the WebKit exploit can trigger.
  3. Monitor via Vulnerability Management:
    • Use the Vulnerabilities dashboard to identify the specific devices affected by the CVEs listed in this guidance.
    • Filter for CVE-2023-43000 and CVE-2023-41974 to prioritize high-risk targets for immediate manual remediation.

Overview 

Google’s Threat Intelligence Group (TAG) has recently disclosed a massive, multi-year exploit kit dubbed "Coruna." While these vulnerabilities reside in the WebKit and Kernel components of Apple’s operating systems, they are often delivered through browsers or embedded web-views.

The "Coruna" kit is a professional-grade "super-kit" containing 23 different exploits woven into five distinct chains. It allows attackers to mix and match vulnerabilities based on the specific version of iOS the victim is running (ranging from iOS 13 through iOS 17.2.1). While Apple fixed these in 2021 and 2023, many users—especially those on older hardware that cannot run iOS 18—remain easy targets for this "recycled" malware.
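As an added example (this is not Lookout's code and not part of the original guidance), the following Python script shows how a fleet inventory can be triaged against the numbers stated in this page: the iOS 13 through 17.2.1 range the kit's chains cover, the 17.4 / 16.7.6 patch floors from the recommended Out-of-date OS policy, the three CVEs, and the March 26, 2026 CISA KEV deadline. The device records are constructed, and the per-device `supports_ios17` and `high_risk_user` flags are hypothetical fields standing in for whatever an MDM or console export actually provides. The point worth noticing is the version-arithmetic edge case: a device on 16.7.6 sits numerically inside the 13 to 17.2.1 range but is patched on its branch, so a naive range check would misreport it.

```python
"""Triage a mobile device inventory against the Coruna exploit-kit guidance.

Constructed example: the device records are made up; the thresholds, CVE
identifiers and KEV due date are taken from the guidance text.
"""
from dataclasses import dataclass
from datetime import date

CORUNA_CVES = ("CVE-2021-30952", "CVE-2023-41974", "CVE-2023-43000")
KEV_DUE_DATE = date(2026, 3, 26)            # CISA KEV remediation deadline
KIT_RANGE = ((13, 0, 0), (17, 2, 1))        # inclusive iOS range the chains target
PATCHED_IOS17 = (17, 4, 0)                  # policy floor for hardware that runs iOS 17
PATCHED_IOS16 = (16, 7, 6)                  # policy floor for older hardware on iOS 16
BRANCH_FLOORS = {17: PATCHED_IOS17, 16: PATCHED_IOS16}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '16.7.6' or '17.4' into a comparable 3-tuple (missing parts become 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass
class Device:
    device_id: str
    os_version: str
    supports_ios17: bool   # hypothetical: hardware can take the iOS 17 branch
    high_risk_user: bool   # hypothetical: user group that gets the "Block" response


def required_version(device: Device) -> tuple[int, ...]:
    """Policy floor for this device: 17.4 if it can run iOS 17, else 16.7.6."""
    return PATCHED_IOS17 if device.supports_ios17 else PATCHED_IOS16


def is_patched(ver: tuple[int, ...]) -> bool:
    """True when the version is at or above the patched floor of its own branch.

    Branches without a floor on this page (iOS 15 and earlier) are treated as
    unpatched; iOS 18 and later fall outside the kit's range anyway.
    """
    floor = BRANCH_FLOORS.get(ver[0])
    return floor is not None and ver >= floor


def assess(device: Device, today: date) -> dict:
    """Return exposure, policy compliance and the console action for one device."""
    ver = parse_version(device.os_version)
    lo, hi = KIT_RANGE
    # In range by number AND not carrying its branch's fix: e.g. 17.2.1 is
    # exposed, 16.7.6 is not even though it lies between 13.0.0 and 17.2.1.
    exposed = lo <= ver <= hi and not is_patched(ver)
    compliant = ver >= required_version(device)
    if compliant:
        action = "allow"
    elif device.high_risk_user:
        action = "block"
    else:
        action = "warn"
    return {
        "device_id": device.device_id,
        "exposed": exposed,
        "compliant": compliant,
        "required": ".".join(map(str, required_version(device))),
        "action": action,
        "cves": CORUNA_CVES if exposed else (),
        "days_to_kev_deadline": (KEV_DUE_DATE - today).days,
    }


def triage(inventory: list[Device], today: date) -> list[dict]:
    """Assess every device; exposed devices sort first, then non-compliant ones."""
    results = [assess(d, today) for d in inventory]
    results.sort(key=lambda r: (not r["exposed"], r["compliant"], r["device_id"]))
    return results


# Constructed inventory covering the interesting cases.
SAMPLE_INVENTORY = [
    Device("A1", "17.4.1", supports_ios17=True, high_risk_user=True),    # patched
    Device("A2", "17.2.1", supports_ios17=True, high_risk_user=True),    # top of kit range
    Device("A3", "17.3", supports_ios17=True, high_risk_user=False),     # above range, below floor
    Device("A4", "16.7.6", supports_ios17=False, high_risk_user=True),   # old hardware, patched
    Device("A5", "15.8", supports_ios17=False, high_risk_user=False),    # no fix on its branch
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, date(2026, 3, 12)):
        print(row)
```

Device A3 illustrates why "exposed" and "compliant" are kept separate: iOS 17.3 is outside the range the kit's chains cover, so it gets no CVE flag, but it is still below the 17.4 policy floor and is therefore warned or blocked as the policy dictates.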

The "Links" in the Chain

Researchers found that these exploits moved from high-end "commercial surveillance" (government-level) to "second-hand" markets, where they are now being used by Chinese-linked groups for financial crimes like stealing crypto wallets. If successfully exploited, these vulnerabilities allow an attacker to move from a simple website visit to full control of your device:

  1. CVE-2021-30952: An integer overflow in WebKit (the engine behind Safari). It serves as the initial entry point, allowing the kit to break into browser memory when a user visits a malicious site. 
  2. CVE-2023-41974: A Kernel "Use-After-Free" flaw. Once the browser is compromised, this bug is used for privilege escalation to gain "root" access, effectively giving the attacker total control over the device.
  3. CVE-2023-43000: A high-severity "Use-After-Free" flaw in WebKit. This is frequently used as an alternative initial access vector to cause memory corruption and execute arbitrary code.

On March 5, 2026, CISA officially added these CVEs to its "Known Exploited Vulnerabilities" (KEV) catalog. United States government organizations following CISA frameworks should have all vulnerable devices patched by March 26, 2026. While this mandate applies to federal agencies, enterprise organizations are strongly advised to follow the same timeline. 

However, because these flaws (CVE-2023-41974, CVE-2021-30952, and CVE-2023-43000) are part of an active, multi-stage exploit chain used by sophisticated threat actors, CISA and security researchers strongly advise a much faster turnaround.

Lookout Analysis

From a Lookout analysis perspective, we are observing a significant shift in the adversary landscape: exploit chains traditionally reserved for highly targeted, nation-state attacks are now being utilized by lower-tier threat actors in a non-targeted, "spray-and-pray" fashion. This democratization of high-level exploits means that sophisticated techniques—once the exclusive domain of Advanced Persistent Threats (APTs)—are now surfacing in broader commodity campaigns.

Authors

Lookout
