A Possible US Government iPhone-Hacking Toolkit Is Now In the Hands of Foreign Spies, Criminals (wired.com)
Security researchers say a highly sophisticated iPhone exploitation toolkit dubbed "Coruna," which possibly originated from a U.S. government contractor, has spread from suspected Russian espionage operations to crypto-stealing criminal campaigns. Apple has patched the exploited vulnerabilities in newer iOS versions, but tens of thousands of devices may have already been compromised. An anonymous reader quotes an excerpt from Wired's report: Security researchers at Google on Tuesday released a report describing what they're calling "Coruna," a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing all the defenses of an iPhone to silently install malware on a device when it visits a website containing the exploitation code. In total, Coruna takes advantage of 23 distinct vulnerabilities in iOS, a rare collection of hacking components that suggests it was created by a well-resourced, likely state-sponsored group of hackers.
In fact, Google traces components of Coruna to hacking techniques it spotted in use in February of last year and attributed to what it describes only as a "customer of a surveillance company." Then, five months later, Google says a more complete version of Coruna reappeared in what appears to have been an espionage campaign carried out by a suspected Russian spy group, which hid the hacking code in a common visitor-counting component of Ukrainian websites. Finally, Google spotted Coruna in use yet again in what seems to have been a purely profit-focused hacking campaign, infecting Chinese-language crypto and gambling sites to deliver malware that steals victims' cryptocurrency.
Conspicuously absent from Google's report is any mention of who the original surveillance company "customer" that deployed Coruna may have been. But the mobile security company iVerify, which also analyzed a version of Coruna it obtained from one of the infected Chinese sites, suggests the code may well have started life as a hacking kit built for or purchased by the US government. Google and iVerify both note that Coruna contains multiple components previously used in a hacking operation known as "Triangulation" that was discovered targeting Russian cybersecurity firm Kaspersky in 2023, which the Russian government claimed was the work of the NSA. (The US government didn't respond to Russia's claim.)
Coruna's code also appears to have been originally written by English-speaking coders, notes iVerify's cofounder Rocky Cole. "It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government," Cole tells WIRED. "This is the first example we've seen of very likely US government tools -- based on what the code is telling us -- spinning out of control and being used by both our adversaries and cybercriminal groups." Regardless of Coruna's origin, Google warns that a highly valuable and rare hacking toolkit appears to have traveled through a series of unlikely hands, and now exists in the wild where it could still be adopted -- or adapted -- by any hacker group seeking to target iPhone users. "How this proliferation occurred is unclear, but suggests an active market for 'second hand' zero-day exploits," Google's report reads. "Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities."
Oops! (Score:4, Insightful)
The good guys need these tools to stop the bad guys. But we never counted on the "good" guys being incompetent.
Don't worry folks, we'll solve the problems by adding even more surveillance to the state.
Re: (Score:3, Insightful)
Just repeat the arguments against "golden key" "lawful access" encryption.
Same thing applies here and this is even a real world example for anyone to point to if evidence needs to be provided.
Re: (Score:1)
"Golden key"? You mean the master key the governments of the world have?
No government will let an encryption scheme into general use that they can't open/decrypt.
Re: (Score:2)
They can't get "lawful access" if either the company or LEOs doesn't have that "golden key".
They wouldn't be able to see that some Telegram user was discussing a terrorism plot tomorrow, unless ECHELON or similar places had they key already and simply decrypted it, scanned the contents for keywords, and re-encrypted it and let it go on its way.
Re:Oops! (Score:5, Insightful)
There are no "good guys" in this business.
All this has been chewed on since forever, and from the point of general security the case has been settled decades ago.
If you find a bug and don't report it, it will eventually come to bite you in the ass, in proportion with the popularity of the platform the bug is deployed on.
Nobody has ever demonstrated a case where hiding a bug on a popular platform to "catch the bad guys" has brought more good than bad.
But the powers that be cannot refrain from going the easier, more harmful way, because they bear no responsibility for the costs they inflict, even more so since certain "immunitay" and "pardon" decisions were made.
Congratulations and be ready for more.
Re: (Score:2, Troll)
There are no "good guys" in this business.
No, but there are guys on your side and it's always better for you if they are better than the opposition. I can understand if, at this point when there's a military operation ongoing by a person with literal crusader tattoos and with officers reporting to him apparently explicitly briefing the hope that the operation will trigger the end of the world, some Americans don't think that the people on their side are the US security forces, however that doesn't change the point.
Nobody has ever demonstrated a case where hiding a bug on a popular platform to "catch the bad guys" has brought more good than bad.
I will give one exception to this
Re: (Score:2, Insightful)
the situation where the vulnerability finders have already reported it to the vendor
This is so obviously not the situation under discussion here, when we have someone hiding it for nefarious purposes, that I'm not even sure why it is even brought up. Staying on topic appears to be of late a rare skill that is increasingly hard to master.
Re: (Score:1)
Staying on topic appears to be of late a rare skill that is increasingly hard to master.
Cognitive dissonance rules Slashdot. Everyone wants to believe they're smarter than everyone else, and they believe smart people don't make mistakes (which alone proves they aren't smart) so they don't believe they could be wrong. The general unwillingness to admit one is wrong is the semaphore symptom. Someone will straight tell you that they know what they're talking about and you don't, then you will destroy their argument and then they just go away until the next time they decide to insult your intellig
Re: (Score:1)
Yeah. Most of the time I'm not even motivated to get into an argument anymore, it is, like, their opinion, man.
Re: (Score:2)
It's becoming increasingly clear th
They're fascinated with the monster they see, and thus, think they can defeat: They never prepare for failure and consequences. Mostly because, as you note, it isn't a personal cost.
Re: (Score:2)
Nobody has ever demonstrated a case where hiding a bug on a popular platform to "catch the bad guys" has brought more good than bad.
Well... they could tell you about it. But policy dictates they'd have to kill you first.
Which would kinda make you wonder who the good guy was all along... understandably.
Re: (Score:2)
Well, they wouldn't, would they. We don't generally hear about successful intelligence operations. We certainly won't hear about any where revealing the success would compromise the tool that brought it about.
Re: (Score:1)
We don't generally hear about successful intelligence operations.
What intelligence is there under the surfing woman?
"Nobody has ever demonstrated a case where hiding a bug on a popular platform to "catch the bad guys" has brought more good than bad."
Well, they wouldn't, would they. We don't generally hear about successful intelligence operations. We certainly won't hear about any where revealing the success would compromise the tool that brought it about.
We heard about one yesterday.
Hacked Tehran Traffic Cameras Fed Israeli Intelligence Before Strike On Khamenei [slashdot.org]
To be fair, the security cameras used in Iran probably aren't used elsewhere, and there isn't enough detail to know if they compromised them through vulns or through gaining passwords by physical infiltration, turning foreign agents, compromising people with access, computer hacking, or other means. So I guess there's some possibility that knowing about it wouldn't compromise the tools used to gai
Re: (Score:1)
I think another reason it didn't need to be secret was that the people who would have needed to know are now dead. Plus, the lack of details you noted. That they took over the cameras doesn't tell you much about how, and the how is the secret bit.
I preferred the old days (Score:2)
I remember when crooks had to actually find and remove tangible items - money, or jewellery and other goods - in order to steal wealth. Then came credit card theft which, bad though it was, had nothing on the cyber-theft described in TFA.
Additionally, it's oh-so-nice to learn that the US government probably funded the development of this hacking tool. American tax dollars at work helping criminals - gotta love it.
The world sure is a crazy place these days...
Re: (Score:3)
Additionally, it's oh-so-nice to learn that the US government probably funded the development of this hacking tool.
Don't forget that it's probably also only possible because they are withholding knowledge of zero-days. The NSA's stated job is to protect our nation's communications, then they find vulnerabilities and don't report them so they can use them as back doors, completely betraying their mission and therefore also the American people.
Criminals? (Score:1)
Crime apparently pays very well (Score:2)
No, those are true patriots. And if you disagree we will send ICE over to your house to check your papers.
Nothing to hide (Score:1)
I don’t care. I have nothing to hide, and I’m not a billionaire nor a celebrity. :-)
JS (Score:2)
Yet again, all the articles on this say "patch, patch, patch!".
They don't RTFA.
"The exploits were integrated into a previously unseen JavaScript framework that used simple but unique JavaScript obfuscation techniques."
Disable JS on Safari to avoid the next exploit too.
Pickin' nits (Score:2)
"Built for" means they paid a vendor for it. "Purchased by" means they paid a vendor for it.
I think what they meant was, "a hacking kit built or purchased by the US government." That would mean that either they bought it or one of the agencies built it themselves, which fits the implication that it was created by an entity with state-level resources.
Information wants to be free (Score:2)
When useful tools are used often enough to be known, it's natural someone will collect and then use them.
sloppy (Score:2)
Poor tradecraft.
"we noticed an instance where the actor deployed the debug version of the exploit kit, leaving in the clear all of the exploits, including their internal code names."
Apple has patched all the exploits, and automatic system updates were enabled by default in 2023.
"The exploit kit is able to target various iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023)"
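The quoted version range (iOS 13.0 through 17.2.1) is the one piece of the report a defender can act on directly: check a device inventory for anything still inside it. The following is an added example, not code from Google, iVerify, or the thread; the inventory is constructed sample data and the version-comparison logic (padding short versions so "17.2" sorts before "17.2.1") is my own, so it generalizes a little beyond the exact strings on the page.

```python
"""Flag devices whose iOS version falls inside the range the quoted report
says the Coruna kit targets: 13.0 up to and including 17.2.1.

Added example; the bounds are the two versions quoted in the thread, the
inventory below is constructed, and the helper names are my own."""

from typing import List, Tuple

# Range boundaries quoted from the report excerpt in the thread.
AFFECTED_MIN = "13.0"
AFFECTED_MAX = "17.2.1"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn an iOS version string into a comparable (major, minor, patch) tuple.

    Apple reports "17.2" and "17.2.1" as distinct releases, so a missing
    component is treated as 0; a trailing build suffix such as "(21C66)" is
    dropped. Raises ValueError on anything that is not dotted integers."""
    number_part = version.strip().split()[0]
    parts = [int(p) for p in number_part.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version format: {version!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def in_affected_range(version: str) -> bool:
    """True if the version lies within [AFFECTED_MIN, AFFECTED_MAX] inclusive."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


# Constructed inventory: (device name, reported iOS version). Not real data.
INVENTORY: List[Tuple[str, str]] = [
    ("phone-001", "12.5.7"),          # below the range
    ("phone-002", "13.0"),            # lowest affected release
    ("phone-003", "16.6.1"),
    ("phone-004", "17.2"),            # sorts before 17.2.1, still affected
    ("phone-005", "17.2.1 (21C66)"),  # build suffix is ignored
    ("phone-006", "17.3"),            # first release above the range
    ("phone-007", "18.1"),
]


def flag_devices(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the names of devices still running an affected iOS version."""
    return [name for name, version in inventory if in_affected_range(version)]


if __name__ == "__main__":
    for name in flag_devices(INVENTORY):
        print(f"{name}: iOS version inside affected range, update required")
```

Running it against the sample inventory lists phone-002 through phone-005; anything on 17.3 or later, or below 13.0, is left alone. Being inside the range only means the device is exploitable by the published kit if it visits a delivery site, not that it has been compromised, so the list is an update queue rather than an incident list.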