Apple Warns iPhone Users of Active Web-Based Attacks Targeting Outdated iOS Devices

Security Reporter

Apple is now sending Lock Screen notifications to users of older iPhones and iPads, warning them of active web-based exploits and urging immediate updates to protect against sophisticated attack kits like Coruna and DarkSword.

The notifications read: "Apple is aware of attacks targeting out-of-date iOS software, including the version on your iPhone. Install this critical update to protect your iPhone." This proactive security measure comes as Apple faces an escalating threat landscape where web-based exploits are actively targeting devices running outdated operating systems.

The Growing Threat of iOS Exploit Kits

The warnings follow Apple's recent discovery of new iOS exploit kits, specifically Coruna and DarkSword, which have been leveraged by multiple threat actors over the past year. These kits deliver malicious payloads when unsuspecting users visit compromised websites, turning routine web browsing into a potential security nightmare.

Coruna targets iOS versions between 13.0 and 17.2.1, while DarkSword is designed for iPhones running iOS versions between 18.4 and 18.7. What makes these kits particularly concerning is their sophistication and the fact that they represent an evolution of previous attack frameworks.

Operation Triangulation's Legacy

According to a new report from Kaspersky, the Coruna exploit kit is actually an evolution of the framework used in Operation Triangulation, a sophisticated campaign that targeted iPhones via zero-click iMessage exploits. First discovered in June 2023, Operation Triangulation demonstrated the advanced capabilities of state-sponsored attackers.

"Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework," the Russian cybersecurity vendor stated. This continuity suggests that the same level of technical sophistication behind nation-state attacks is now being packaged into more accessible exploit kits.

Democratization of Zero-Day Exploits

The emergence of these kits, coupled with the leak of a newer version of DarkSword, has raised serious concerns about the democratization of previously exclusive exploits. There's growing evidence of an active market for second-hand zero-day exploits, where sophisticated attack capabilities are being sold or traded among various threat actors.

This trend could transform iPhones and iPads into a significantly larger attack surface than they currently represent. What were once tools reserved for nation-states with substantial resources are now potentially available to cybercriminals, hacktivists, and other malicious actors with varying motivations.

Protection Measures for Users

For users unable to update to a supported iOS version, Apple recommends enabling Lockdown Mode, a security feature introduced in 2022 and available on devices running iOS 16 and later. Lockdown Mode provides enhanced protection against malicious web content by blocking certain complex web technologies that are often exploited in attacks.

Apple has stated that it is "not aware of any successful mercenary spyware attacks against a Lockdown Mode-enabled Apple device," suggesting that this feature provides a meaningful layer of defense for users who cannot immediately update their devices.
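
For administrators with a device inventory, the version ranges and the Lockdown Mode threshold reported above can be turned into a triage pass. The following is an added example, not code from Apple or from the article; the inventory field names (`name`, `os_version`, `can_update`), the action labels and the sample rows are hypothetical, and it assumes the stated bounds are inclusive.

```python
import re

# Affected ranges exactly as the article states them (constructed table).
# Assumption: bounds are inclusive and "18.7" covers every 18.7.x build.
KIT_RANGES = {"Coruna": ((13, 0), (17, 2, 1)), "DarkSword": ((18, 4), (18, 7))}
LOCKDOWN_MIN = (16,)  # Lockdown Mode: iOS 16 and later, per the article


def parse_version(text):
    """'17.2.1' -> (17, 2, 1); None when the field is not a dotted version."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", (text or "").strip()):
        return None
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def triage(device):
    """Classify one inventory row (field names are hypothetical)."""
    ver = parse_version(device.get("os_version"))
    if ver is None:
        return {"name": device["name"], "kits": [], "action": "verify-version"}
    # Numeric tuple comparison, so 9.3.5 sorts below 13.0 (a string compare would not).
    kits = [k for k, (lo, hi) in KIT_RANGES.items()
            if ver >= lo and ver[:len(hi)] <= hi]
    if not kits:
        action = "not-in-listed-range"
    elif device.get("can_update", True):
        action = "update"
    elif ver >= LOCKDOWN_MIN:
        action = "enable-lockdown-mode"
    else:
        action = "escalate"  # the article names no mitigation for this case
    return {"name": device["name"], "kits": kits, "action": action}


# Constructed sample inventory, e.g. rows exported from an MDM.
INVENTORY = [
    {"name": "ipad-lobby", "os_version": "15.8", "can_update": False},
    {"name": "iphone-sales-03", "os_version": "17.2.1", "can_update": True},
    {"name": "iphone-exec-01", "os_version": "18.6", "can_update": False},
    {"name": "ipod-lab", "os_version": "9.3.5", "can_update": False},
    {"name": "ipad-kiosk", "os_version": "unknown"},
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(triage(row))
```

A result of `not-in-listed-range` only means the version is outside the two ranges the article gives; it says nothing about other vulnerabilities.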

The company's decision to send Lock Screen notifications represents a significant shift in how it communicates security risks to users. By delivering warnings directly to the Lock Screen, Apple ensures that users cannot easily ignore or dismiss critical security alerts, potentially preventing successful exploitation attempts.

As web-based attacks continue to evolve in sophistication and accessibility, this proactive approach to user notification may become a standard practice for technology companies facing similar security challenges. The battle between device manufacturers and exploit developers continues to intensify, with user awareness and timely updates remaining crucial defenses against increasingly accessible attack capabilities.
