
Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack

3 March 2026 at 17:42

An exploit kit that may have originated from a leaked U.S. government framework is behind what researchers are calling the first mass-scale attack on iOS, the operating system for Apple’s iPhones.

Traces of the exploits, found in the work of Chinese cybercriminals, also have been spotted in Russian attacks on Ukraine and used by a customer of a spyware vendor.

Those conclusions come from two pieces of research that Google Threat Intelligence Group and iVerify released separately Tuesday. Rocky Cole, co-founder of iVerify, said it represented a potential “EternalBlue moment,” a reference to the National Security Agency exploit that leaked and was then used to fuel the global WannaCry ransomware and NotPetya attacks in 2017.

Google said that the so-called Coruna exploit kit that’s the subject of Tuesday’s research “provides another example of how sophisticated capabilities proliferate,” as it wrote in a blog post about the zero-day — or previously undisclosed and unpatched — exploits.

“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google wrote. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.”

Said iVerify: “While iVerify has some evidence that this tool is a leaked U.S. government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”

Just last week, a U.S. court sentenced a former L3Harris executive to prison for selling zero-day exploits to a Russian broker.

Both Google and iVerify connected the exploit kit to Operation Triangulation, which Russian cybersecurity firm Kaspersky said in 2023 had targeted the company and the Russian government attributed to the U.S. government. The NSA declined to comment on that allegation.

An Apple spokesperson didn’t respond to a request for comment Tuesday afternoon. Apple issued multiple patches in response to Operation Triangulation, and worked with Google on the newest research.

Spencer Parker, chief product officer at iVerify, said the attack affected at least 42,000 devices, a “massive number” for iOS even if it sounds small compared with other platforms. That number has the potential to grow as researchers dig further into the technical details, Cole said.

Other signs point to U.S. development of the exploit kit, Cole said.

“The code base for the framework and the exploits was superb,” he said. “It was elegantly written. It’s fluid and holds together very well. There were comments in the code that, as someone who’s been around the U.S. defense industrial base for years, really are reminiscent of the sort of insider jokes and insider remarks that you might see from a U.S.-based coder. Certainly they were native English language speakers.”

Google said it tracked the use of the exploit kit over the course of last year in operations from an unnamed customer of a surveillance vendor to attacks on Ukrainian users from a suspected Russian espionage group, before retrieving the complete exploit kit from a financially motivated group operating out of China.

Apple-focused security researcher Patrick Wardle observed on the social media site X about the Coruna research: “Turns out even lowly cybercriminals were (ab)using 0days to hack Apple devices.”

The post Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack appeared first on CyberScoop.

Ex-L3Harris executive sentenced to 87 months in prison for selling zero-day exploits to Russian broker

By: Greg Otto
24 February 2026 at 16:44

An ex-L3Harris executive was sentenced to over seven years in prison Tuesday after pleading guilty to selling eight zero-day exploits to a Russian broker in exchange for millions of dollars.

Peter Williams, 39, admitted to two counts of theft of trade secrets in U.S. District Court in Washington, D.C., last year, acknowledging he took at least eight exploits or exploit components while working at Trenchant, a specialized cybersecurity unit owned by L3Harris. Prosecutors said the materials were intended for restricted use by the U.S. government and allied partners.

Authorities said Williams sold the stolen information to a broker that advertised itself as a reseller of hacking tools, one that authorities described as serving multiple customers, including the Russian government. In court, the government referred to the buyer as “Company 3,” but details read aloud during the plea hearing pointed to Operation Zero, a Russian exploit broker that publicly markets itself online as a platform for purchasing zero-day vulnerabilities.

Additionally, Operation Zero was one of two zero-day brokerages sanctioned by the U.S. Treasury in a separate announcement made Tuesday.

Prosecutors said Williams used his access at Trenchant over roughly three years to obtain proprietary materials and entered into several deals with the broker, receiving payments in cryptocurrency. Officials said he used proceeds to buy luxury items. The Justice Department has estimated the theft caused $35 million in losses to the contractor, while prosecutors said Williams earned $1.3 million tied to the sales and should be ordered to pay that amount in restitution. 

Williams’ background was also noted in court. Prosecutors said he previously served in the Australian Signals Directorate, Australia’s foreign signals intelligence agency. Trenchant’s origins are also part of the record: it was formed after L3Harris acquired Azimuth Security and Linchpin Labs, Australian firms associated with exploit development.

Neither Trenchant nor L3Harris is accused of wrongdoing in the criminal case. 

A hearing for further restitution related to the $35 million in losses is scheduled for May.

