CISA warns feds to patch iOS flaws exploited in crypto-theft attacks

BREAKING: CISA Sounds Alarm Over Sophisticated iOS Spyware Kit Used in State-Sponsored and Crypto-Theft Attacks

In a stark warning that underscores the escalating cyber arms race, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive to federal agencies to patch three critical iOS vulnerabilities that are actively being exploited in the wild. These flaws are part of a highly advanced exploit toolkit known as Coruna, a “spyware-grade” cyber weapon that has rapidly evolved from the domain of commercial surveillance vendors into the arsenals of nation-state actors and financially motivated cybercriminals alike.

What is Coruna? A Spyware Kit on Steroids

Coruna is not your average malware toolkit. According to Google’s Threat Intelligence Group (GTIG), this exploit kit leverages 23 iOS vulnerabilities, many of which were previously unknown and exploited in zero-day attacks. The toolkit is designed to deliver a devastating combination of capabilities: Pointer Authentication Code (PAC) bypass, sandbox escape, Page Protection Layer (PPL) bypass, WebKit remote code execution, and privilege escalation to kernel level. In simpler terms, it can break through Apple’s most robust security layers, giving attackers near-total control over infected devices.

From Surveillance to Crypto-Theft: The Expanding Threat Landscape

Originally developed for commercial surveillance, Coruna has now been observed in the hands of multiple threat actors. These include a suspected Russian state-backed hacking group (UNC6353), a Chinese financially motivated threat actor (UNC6691), and even a surveillance vendor’s customer. The Chinese actor, in particular, has used Coruna to deploy fake gambling and cryptocurrency websites, tricking victims into downloading malware that steals their digital wallets.

Mobile security firm iVerify has described Coruna as a chilling example of how sophisticated spyware capabilities are migrating from commercial vendors into the hands of both nation-state actors and mass-scale criminal operations. This evolution marks a dangerous new chapter in cyber warfare, where tools once reserved for intelligence agencies are now being weaponized for profit and espionage on a global scale.

CISA’s Urgent Call to Action

On Thursday, CISA added three of the 23 Coruna vulnerabilities to its catalog of Known Exploited Vulnerabilities, mandating that Federal Civilian Executive Branch (FCEB) agencies patch their devices by March 26, 2026, as required by Binding Operational Directive (BOD) 22-01. The vulnerabilities in question are:

  • CVE-2023-41974
  • CVE-2021-30952
  • CVE-2023-43000

CISA’s warning is clear: “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” The agency emphasized that these vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

While BOD 22-01 applies only to federal agencies, CISA is urging all organizations—including private sector companies—to prioritize patching these flaws immediately. The message is unequivocal: delay is not an option.
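For teams tracking this deadline, the following added example (not from the article or from CISA) joins open findings per device against KEV entries and ranks them by days left until the due date. The KEV excerpt uses the catalog feed's `cveID` and `dueDate` field names with the three CVEs and the due date given above; the device names, the findings and the placeholder CVE ID are constructed for illustration.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed. The CVE IDs and due
# date are the ones named in the article; all other catalog fields are omitted.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2023-41974", "dueDate": "2026-03-26"},
  {"cveID": "CVE-2021-30952", "dueDate": "2026-03-26"},
  {"cveID": "CVE-2023-43000", "dueDate": "2026-03-26"}
]}
""")

# Constructed scanner/MDM findings: device name -> CVEs still unpatched on it.
FINDINGS = {
    "ipad-frontdesk": ["CVE-2023-41974", "CVE-2023-43000"],
    "iphone-exec-07": ["CVE-2021-30952"],
    "iphone-lab-02": ["CVE-0000-00000"],  # placeholder ID, not a KEV entry
    "iphone-new-11": [],                  # fully patched device
}

def kev_due_dates(catalog):
    """Map each KEV CVE ID to its remediation due date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in catalog["vulnerabilities"]}

def triage(findings, catalog, today):
    """Return (device, cve, days_left, status) for every finding that is a KEV
    entry, most urgent first. Findings not in the catalog are skipped."""
    due = kev_due_dates(catalog)
    rows = []
    for device, cves in findings.items():
        for cve in cves:
            if cve not in due:
                continue
            days_left = (due[cve] - today).days
            status = "OVERDUE" if days_left < 0 else "DUE"
            rows.append((device, cve, days_left, status))
    return sorted(rows, key=lambda r: (r[2], r[0], r[1]))

if __name__ == "__main__":
    for row in triage(FINDINGS, KEV_SAMPLE, date.today()):
        print("{:<16} {:<16} {:>5}d {}".format(*row))
```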

Who is at Risk?

The good news is that Coruna’s exploits are not effective against recent versions of iOS. Additionally, if users are browsing in private mode or have Apple’s Lockdown Mode anti-spyware protection enabled, they are shielded from these attacks. However, for those running older iOS versions or without these protections, the risk remains high.

The Bigger Picture: A Cyber Arms Race

The emergence of Coruna is a stark reminder of the rapidly evolving cyber threat landscape. What was once the exclusive domain of intelligence agencies and commercial surveillance firms is now accessible to a broader range of actors, from state-sponsored hackers to cybercriminals seeking financial gain. This democratization of cyber weapons poses a grave challenge to global cybersecurity, as the barriers to entry for sophisticated attacks continue to fall.

What You Can Do

If you’re an individual user, ensure your iOS device is running the latest version of the operating system and consider enabling Lockdown Mode if you believe you may be a target. For organizations, especially those in the federal sector, immediate action is critical. Patch the vulnerabilities, review your security posture, and stay vigilant against phishing and other social engineering tactics that could deliver these exploits.

Final Thoughts

The Coruna exploit kit is a wake-up call for governments, businesses, and individuals alike. It highlights the need for proactive cybersecurity measures, timely patching, and a collective effort to stay ahead of increasingly sophisticated threats. As CISA has made clear, the cost of inaction is simply too high.

