iPhone Hacked: Apple Urges Urgent Software Update

Apple is urging iPhone users to update their devices immediately following revelations of sophisticated hacking tools, dubbed DarkSword and Coruna, being used to compromise older iOS versions. Cybersecurity research from Google, iVerify, and Lookout has detailed how these exploit kits can grant attackers extensive remote access, allowing them to snoop through a device’s contents.

Sophisticated Exploit Kits Threaten Older iPhones

The exploit kits, DarkSword and Coruna, represent a significant advancement in mobile cyber threats. iVerify reports that DarkSword is particularly adept at surveillance and intelligence gathering, capable of covertly extracting a wide array of data. This includes Wi-Fi passwords, text messages, call history, location data, browser history, SIM card and cellular information, as well as sensitive data from health, notes, and calendar databases.

Sarah O’Rourke, an Apple spokesperson, stressed that these tools are only effective against devices running outdated versions of the company’s operating system. This underscores Apple’s consistent message: regular software updates are paramount for maintaining device security. “Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices,” she stated.

Global Reach and Targeted Attacks

The research highlights a concerning global reach for these hacking campaigns, with specific groups identified as targets:

  • Ukrainians: Targeted by Russian intelligence agencies.
  • Chinese Cryptocurrency Users: Targeted by Chinese cybercriminals.
  • Individuals in Saudi Arabia, Turkey, and Malaysia: Also affected by the proliferation of these tools.

While the reported evidence does not indicate Americans being targeted, cybersecurity experts warn that the tools could easily be adapted to compromise any outdated iOS device. John Scott-Railton, a senior researcher at Citizen Lab, a cybersecurity lab sponsored by the University of Toronto, commented that the “barrier to entry for widespread, devastating mobile attacks has been decisively lowered,” predicting that “this problem is only going to grow.” He added a stark warning for everyday users: “The scary takeaway for regular users is they can’t spot this attack.”

Apple’s Response and Vulnerability Concerns

Apple’s latest operating system, iOS 16, released in September, is designed to protect users against both DarkSword and Coruna. In an unusual move last week, Apple issued a special update for older iPhones that cannot fully upgrade to iOS 16, specifically to patch the vulnerabilities exploited by these tools.

The research indicates that both campaigns primarily utilise a “watering hole attack” method. This involves either designing or hacking a website to embed malicious code. When a vulnerable phone visits such a site, the code exploits how the device processes web traffic, leading to an automatic infection.

Despite the sophistication of these attacks, hacking an iPhone still requires significant technical expertise. Both campaigns rely on a complex chain of exploits working in concert to gain complete control of a device.

The Origins of the Threat

The Coruna tool has a documented link to Peter Williams, a former cyber executive at the military defence contractor L3Harris. Williams pleaded guilty last year to selling his company’s hacking tools, including Coruna, to a Russian broker. Google’s analysis suggests that this tool was deployed last summer by hackers associated with Russian intelligence groups, targeting individuals in Ukraine.

By December, the tool had apparently fallen into the hands of Chinese cybercriminals, who began creating a vast network of fake Chinese websites, primarily focused on finance, with the aim of stealing cryptocurrency. Bitcoin and other digital currencies are particularly attractive targets due to the ease with which they can be transferred to a criminal’s possession, often with no recourse for the victim.

The exact origin of the DarkSword tool remains unknown. However, it has also been linked to the same Russian intelligence unit that deployed Coruna. Its use has since spread and diversified into several related versions, impacting users in Ukraine, Malaysia, Saudi Arabia, and Turkey. Google has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilising DarkSword in distinct campaigns since November.

Rocky Cole, iVerify’s chief operating officer, believes these findings should challenge the widespread perception that owning an iPhone inherently provides immunity from hackers. “There’s been this perception in the security community that attacks against iPhones are like mythical beasts, they’re rare,” he stated. “Nah, we just don’t really have the tools to see these. I have a feeling that it’s more pervasive than people think.”

This situation highlights that while Apple devices offer robust security, vigilance and timely updates are crucial defence mechanisms against an evolving landscape of cyber threats.
