Full Report
Cybersecurity researchers say the GitHub leak threatens to "democratize" iPhone exploits that were once reserved for nation-states, potentially putting hundreds of millions of iOS 18 devices at risk. The post DarkSword’s GitHub leak threatens to turn elite iPhone hacking into a tool for the masses appeared first on CyberScoop.
Analysis Summary
# Vulnerability: DarkSword iOS Exploit Kit Leak
## CVE Details
- **CVE ID**: Multiple. The kit chains several vulnerabilities rather than a single flaw, and some of the bugs it uses have recently been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Individual IDs are not enumerated here; the kit is closely related to the "Coruna" framework.
- **CVSS Score**: N/A (not scored as a kit; the chain leverages multiple high/critical vulnerabilities)
- **CWE**: Not assigned to the kit as a whole; the chained bugs are primarily memory-corruption (CWE-119 family) and privilege-escalation flaws.
## Affected Systems
- **Products**: Apple iPhone / iPad.
- **Versions**: iOS 18 and earlier releases that predate the relevant fixes. Hundreds of millions of devices are estimated to be exposed; fully updated devices are reported not to be affected (see Remediation).
- **Configurations**: Default configurations. Devices not running "Lockdown Mode" present a larger initial-exploitation surface and remain at higher risk.
## Vulnerability Description
DarkSword is a sophisticated exploit kit: a set of vulnerabilities chained together to compromise iOS devices end to end. Detailed technical analysis of each individual bug is still emerging, but the chain is designed to escape the iOS sandbox and install persistent spyware, and it is functionally similar to the Coruna kit, enabling full device surveillance. Researchers have also raised the concern that versions of this kit could be made "wormable", spreading automatically by sending SMS/iMessage payloads to a victim's contact list; this is a stated concern, not an observed capability.
## Exploitation
- **Status**: Exploited in the wild (targeting identified in Ukraine, Saudi Arabia, Turkey, and Malaysia). A version of the kit has also been leaked on **GitHub**, making the code publicly available.
- **Complexity**: High for anyone developing such a chain from scratch; the leak lowers the barrier substantially (Low/Medium for attackers reusing the leaked kit).
- **Attack Vector**: Network (remote exploitation delivered via messaging platforms or links).
## Impact
- **Confidentiality**: Total (Full access to messages, photos, location, and microphone).
- **Integrity**: Total (Ability to modify system files and install unauthorized software).
- **Availability**: High (potential for device instability, or bricking via malicious updates pushed by the implant).
## Remediation
### Patches
- **Apple iOS Updates**: Update to the latest available iOS release immediately. Apple has stated that devices running fully updated software are not at risk from these specific reported attacks.
- **Backported Patches**: Apple has released security updates for older iOS versions to address the components used by the Coruna/DarkSword framework; organizations that cannot move every device to the current major release should confirm these backported builds are deployed.
### Workarounds
- **Lockdown Mode**: Apple suggests enabling "Lockdown Mode" for users at high risk of targeted attacks to significantly reduce the device's attack surface.
- **Message Hygiene**: Avoid opening unsolicited links or attachments, especially those arriving from unknown senders or via secondary messaging channels. Note that this mitigates link-based delivery only; it does not help against zero-click vectors.
## Detection
- **Indicators of Compromise**: Unexplained battery drain, unexpected device reboots, or unusual data-usage patterns. These are weak, nonspecific signals; well-built mobile implants are designed to avoid them, so their absence does not indicate a clean device.
- **Detection Methods and Tools**:
- Use of specialized mobile security tools such as **iVerify** or **Lookout**, which can inspect device diagnostics for known implant artifacts.
- Monitoring for unauthorized configuration profiles in iOS Settings (Settings > General > VPN & Device Management) and via MDM inventory.
- Checking the organization's device fleet against CISA's Known Exploited Vulnerabilities (KEV) catalog: confirm that every managed device runs an iOS build at or above the version that fixes the listed CVEs, and track the catalog's remediation due dates.
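The fleet check described above, as an added example that is not part of the CyberScoop report or any CISA tooling: it filters a KEV-shaped JSON feed down to Apple iOS entries, flags entries whose remediation due date has passed, and triages a constructed MDM inventory against a minimum patched version and Lockdown Mode status. The feed sample, its placeholder CVE IDs (CVE-0000-...), the inventory field names, and MIN_PATCHED_VERSION are all constructed assumptions; in practice load the live catalog from cisa.gov and substitute the fixed version named in Apple's advisory.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (top-level
# "vulnerabilities" list). The cveID values are placeholders, not real
# identifiers; load the live feed from cisa.gov in practice.
KEV_FEED = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Apple",
         "product": "iOS and iPadOS",
         "vulnerabilityName": "Apple iOS Memory Corruption Vulnerability",
         "dateAdded": "2026-03-20", "dueDate": "2026-04-10"},
        {"cveID": "CVE-0000-00002", "vendorProject": "Apple",
         "product": "iOS and iPadOS",
         "vulnerabilityName": "Apple iOS Privilege Escalation Vulnerability",
         "dateAdded": "2026-03-27", "dueDate": "2026-04-17"},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor",
         "product": "Router", "vulnerabilityName": "Unrelated entry",
         "dateAdded": "2026-03-01", "dueDate": "2026-03-22"},
    ],
})

# Constructed MDM inventory export; the field names are assumptions.
INVENTORY = [
    {"device": "iphone-a", "os_version": "18.3.2", "lockdown_mode": False, "high_risk_user": True},
    {"device": "iphone-b", "os_version": "18.4", "lockdown_mode": False, "high_risk_user": True},
    {"device": "iphone-c", "os_version": "18.4.1", "lockdown_mode": True, "high_risk_user": False},
    {"device": "iphone-d", "os_version": "unknown", "lockdown_mode": False, "high_risk_user": False},
]

# Placeholder: substitute the fixed version named in Apple's advisory.
MIN_PATCHED_VERSION = "18.4"


def parse_version(text):
    """'18.3.2' -> (18, 3, 2); '18.4' -> (18, 4, 0). Raises ValueError on junk.
    Integer tuples compare correctly where strings do not ('18.10' vs '18.4')."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def apple_ios_kev_entries(feed_text, since_iso=None):
    """KEV entries for Apple iOS/iPadOS, oldest first, optionally only those
    added on or after the ISO date `since_iso`."""
    feed = json.loads(feed_text)
    entries = [v for v in feed["vulnerabilities"]
               if v.get("vendorProject") == "Apple" and "iOS" in v.get("product", "")]
    if since_iso is not None:
        since = date.fromisoformat(since_iso)
        entries = [v for v in entries if date.fromisoformat(v["dateAdded"]) >= since]
    return sorted(entries, key=lambda v: v["dateAdded"])


def overdue_kev_entries(entries, today_iso):
    """cveIDs whose KEV remediation due date is already in the past."""
    today = date.fromisoformat(today_iso)
    return [e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today]


def assess_device(device, min_version):
    """Classify one device. Priority 1 is worst: unpatched, high-risk user,
    no Lockdown Mode. An unparseable version is treated as unpatched, since
    an unknown build cannot be assumed safe."""
    actions = []
    try:
        patched = parse_version(device["os_version"]) >= parse_version(min_version)
        status = "patched" if patched else "unpatched"
    except ValueError:
        patched, status = False, "unknown_version"
        actions.append("verify OS version via MDM")
    if not patched:
        actions.append(f"update to iOS {min_version} or later")
    needs_lockdown = device["high_risk_user"] and not device["lockdown_mode"]
    if needs_lockdown:
        actions.append("enable Lockdown Mode")
    if not patched and needs_lockdown:
        priority = 1
    elif not patched:
        priority = 2
    elif needs_lockdown:
        priority = 3
    else:
        priority = 4
    return {"device": device["device"], "status": status,
            "priority": priority, "actions": actions}


def triage(inventory, min_version):
    """Assess every device and return the findings, most urgent first."""
    return sorted((assess_device(d, min_version) for d in inventory),
                  key=lambda f: f["priority"])


if __name__ == "__main__":
    entries = apple_ios_kev_entries(KEV_FEED, since_iso="2026-03-01")
    print("Apple iOS KEV entries:", [e["cveID"] for e in entries])
    print("Past KEV due date:", overdue_kev_entries(entries, "2026-04-15"))
    for finding in triage(INVENTORY, MIN_PATCHED_VERSION):
        print(finding)
```

The version comparison is deliberately numeric: a naive string comparison would rank "18.10" below "18.4" and silently pass an unpatched device. Devices whose version the MDM cannot report are ranked as unpatched rather than dropped, because a gap in inventory is itself a finding.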
## References
- CISA Known Exploited Vulnerabilities Catalog: [hxxps://www.cisa[.]gov/known-exploited-vulnerabilities-catalog]
- CyberScoop Article: [hxxps://cyberscoop[.]com/darksword-iphone-spyware-leak-ios-18-exploit-threat/]
- Apple Security Advisories: [hxxps://support[.]apple[.]com/en-us/HT201222]