Agi: Allarme iPhone: scoperto “Coruna”, il kit che svuota i wallet. Come proteggersi

AGI - I vecchi iPhone sono nel mirino di un nuovo, letale exploit kit chiamato "Coruna". A portarlo alla luce, sono stati gli esperti del Google Threat Intelligence Group (GTIG). Si tratta di una "cassetta degli attrezzi" digitale composta da ben 23 exploit differenti, capace di penetrare le difese degli smartphone Apple e sottrarre non solo dati sensibili, ma anche asset digitali dai wallet di criptovalute.
Secondo le ricostruzioni fornite da Google e confermate dagli analisti di iVerify, la genesi di Coruna è inquietante. Il kit sarebbe stato sviluppato da un'azienda specializzata in software di sorveglianza per essere venduto al governo degli Stati Uniti. Tuttavia, per dinamiche ancora da chiarire, il software è "sfuggito" al controllo originario, finendo sul mercato di seconda mano del dark web. Le conseguenze non sono tardate ad arrivare. Tra il febbraio e la fine del 2025, Coruna è diventato lo strumento preferito di gruppi di cybercriminali russi e cinesi, utilizzati per campagne di spionaggio e furto finanziario su scala globale.
Come funziona Coruna
Il kit non è un unico virus, ma una raccolta modulare che sfrutta falle di sicurezza (vulnerabilità) presenti nelle versioni di iOS comprese tra la 13 e la 17.2.1. Questo significa che il bersaglio principale sono gli utenti che possiedono iPhone datati, modelli che non possono più essere aggiornati alle versioni più recenti del sistema operativo.
Analogie con EternalBlue
Il caso Coruna presenta analogie con quanto accaduto nel 2017 con EternalBlue. All'epoca, un exploit sviluppato dalla NSA per Windows fu rubato dal gruppo Shadow Brokers e reso pubblico. Quella fuga di dati portò alla nascita di WannaCry e NotPetya, i ransomware che misero in ginocchio ospedali, banche e aziende in tutto il mondo. Oggi, la storia sembra ripetersi: uno strumento nato per la sicurezza nazionale diventa un volano per il crimine informatico globale.
Le contromisure di Apple
La buona notizia è che Apple ha già rilasciato le contromisure necessarie. Tutte le vulnerabilità sfruttate da Coruna sono state risolte con il rilascio di iOS 26. La migliore soluzione, dunque, è aggiornare il sistema operativo alla versione più recente possibile. Attualmente, resterebbero fuori dall’aggiornamento gli iPhone precedenti ai 13/14.

iPhone Alert: “Coruna” discovered, the kit that drains wallets. How to protect yourself.

AGI - Old iPhones are the target of a new, lethal exploit kit called "Coruna." Google Threat Intelligence Group (GTIG) experts brought it to light. It’s a digital “tool kit” consisting of 23 different exploits, capable of penetrating Apple smartphones’ defenses and stealing not only sensitive data but also digital assets from cryptocurrency wallets.

According to Google’s reconstruction and confirmed by iVerify analysts, the genesis of Coruna is unsettling. The kit was reportedly developed by a company specializing in surveillance software to be sold to the United States government. However, due to still-unclear dynamics, the software “escaped” from its original control, ending up on the secondary market of the dark web. The consequences didn’t delay. Between February and the end of 2025, Coruna became the preferred tool of Russian and Chinese cybercriminal groups, used for global espionage and financial theft campaigns.

How Coruna Works

The kit is not a single virus, but a modular collection that exploits security vulnerabilities (vulnerabilities) present in iOS versions between 13 and 17.2.1. This means the main target are users who own outdated iPhones, models that can no longer be updated to the latest versions of the operating system.

Analogies with EternalBlue

The Coruna case presents analogies with what happened in 2017 with EternalBlue. At the time, an exploit developed by the NSA for Windows was stolen by the Shadow Brokers and made public. That data leak led to the birth of WannaCry and NotPetya, the ransomware that brought hospitals, banks and companies around the world to their knees. Today, the story seems to repeat itself: a tool born for national security becomes a catalyst for global cybercrime.

Apple’s Countermeasures

The good news is that Apple has already released the necessary countermeasures. All the vulnerabilities exploited by Coruna have been resolved with the release of iOS 26. The best solution, therefore, is to update the operating system to the latest possible version. Currently, iPhones prior to the 13/14 would remain outside the update.

#Apple #Google #Coruna #UnitedStates #Russian #Chinese #EternalBlue #WannaCry #NotPetya

https://www.agi.it/estero/news/2026-03-05/iphone-coruna-35953925/

What Is a Supply Chain Attack? Lessons from Recent Incidents

924 words, 5 minutes read time.

I’ve been in computer programming with a vested interest in Cybersecurity long enough to know that your most dangerous threats rarely come through the obvious channels. It’s not always a hacker pounding at your firewall or a phishing email landing in an inbox. Sometimes, the breach comes quietly through the vendors, service providers, and software updates you rely on every day. That’s the harsh reality of supply chain attacks. These incidents exploit trust, infiltrating organizations by targeting upstream partners or seemingly benign components. They’re not theoretical—they’re real, costly, and increasingly sophisticated. In this article, I’m going to break down what supply chain attacks are, examine lessons from high-profile incidents, and share actionable insights for SOC analysts, CISOs, and anyone responsible for protecting enterprise assets.

Understanding Supply Chain Attacks: How Trusted Vendors Can Be Threat Vectors

A supply chain attack occurs when a threat actor compromises an organization through a third party, whether that’s a software vendor, cloud provider, managed service provider, or even a hardware supplier. The key distinction from conventional attacks is that the adversary leverages trust relationships. Your defenses often treat trusted partners as safe zones, which makes these attacks particularly insidious. The infamous SolarWinds breach in 2020 is a perfect example. Hackers injected malicious code into an update of the Orion platform, and thousands of organizations unknowingly installed the compromised software. From the perspective of a SOC analyst, it’s a nightmare scenario: alerts may look normal, endpoints behave according to expectation, and yet an attacker has already bypassed perimeter defenses. Supply chain compromises come in many forms: software updates carrying hidden malware, tampered firmware or hardware, and cloud or SaaS services used as stepping stones for broader attacks. The lesson here is brutal but simple: every external dependency is a potential attack vector, and assuming trust without verification is a vulnerability in itself.

Lessons from Real-World Supply Chain Attacks

History has provided some of the most instructive lessons in this area, and the pain was often widespread. The NotPetya attack in 2017 masqueraded as a routine software update for a Ukrainian accounting package but quickly spread globally, leaving a trail of destruction across multiple sectors. It was not a random incident—it was a strategic strike exploiting the implicit trust organizations placed in a single provider. Then came Kaseya in 2021, where attackers leveraged a managed service provider to distribute ransomware to hundreds of businesses in a single stroke. The compromise of one MSP cascaded through client systems, illustrating that upstream vulnerabilities can multiply downstream consequences exponentially. Even smaller incidents, such as a compromised open-source library or a misconfigured cloud service, can serve as a launchpad for attackers. What these incidents have in common is efficiency, stealth, and scale. Attackers increasingly prefer the supply chain route because it requires fewer direct compromises while yielding enormous operational impact. For anyone working in a SOC, these cases underscore the need to monitor not just your environment but the upstream components that support it, as blind trust can be fatal.

Mitigating Supply Chain Risk: Visibility, Zero Trust, and Preparedness

Mitigating supply chain risk requires a proactive, multifaceted approach. The first step is visibility—knowing exactly what software, services, and hardware your organization depends on. You cannot defend what you cannot see. Mapping these dependencies allows you to understand which systems are critical and which could serve as entry points for attackers. Second, you need to enforce Zero Trust principles. Even trusted vendors should have segmented access and stringent authentication. Multi-factor authentication, network segmentation, and least-privilege policies reduce the potential blast radius if a compromise occurs. Threat hunting also becomes crucial, as anomalies from trusted sources are often the first signs of a breach. Beyond technical controls, preparation is equally important. Tabletop exercises, updated incident response plans, and comprehensive logging equip teams to react swiftly when compromise is detected. For CISOs, it also means communicating supply chain risk clearly to executives and boards. Stakeholders must understand that absolute prevention is impossible, and resilience—rapid detection, containment, and recovery—is the only realistic safeguard.

The Strategic Imperative: Assume Breach and Build Resilience

The reality of supply chain attacks is unavoidable: organizations are connected in complex webs, and attackers exploit these dependencies with increasing sophistication. The lessons are clear: maintain visibility over your entire ecosystem, enforce Zero Trust rigorously, hunt for subtle anomalies, and prepare incident response plans that include upstream components. These attacks are not hypothetical scenarios—they are the evolving face of cybersecurity threats, capable of causing widespread disruption. Supply chain security is not a checkbox or a one-time audit; it is a mindset that prioritizes vigilance, resilience, and strategic thinking. By assuming breach, questioning trust, and actively monitoring both internal and upstream environments, security teams can turn potential vulnerabilities into manageable risks. The stakes are high, but so are the rewards for those who approach supply chain security with discipline, foresight, and a relentless commitment to defense.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• CISA: Supply Chain Security Resources
• NIST SP 800-161: Supply Chain Risk Management Practices
• KrebsOnSecurity: Cybersecurity News & Analysis
• CrowdStrike: Threat Intelligence Reports
• Mandiant Threat Reports
• Schneier on Security
• Verizon Data Breach Investigations Report (DBIR)
• Black Hat Conference Talks
• DEF CON Conference Resources
• Academic Papers on Cybersecurity

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

#anomalyDetection #attackVector #breachDetection #breachResponse #CISO #cloudSecurity #cyberattackLessons #cybersecurity #cybersecurityGovernance #cybersecurityIncident #cybersecurityMindset #cybersecurityPreparedness #cybersecurityResilience #cybersecurityStrategy #EndpointSecurity #enterpriseRiskManagement #enterpriseSecurity #hardwareCompromise #hardwareSecurity #incidentResponse #incidentResponsePlan #ITRiskManagement #ITSecurityPosture #ITSecurityStrategy #Kaseya #maliciousUpdate #MFASecurity #MSPSecurity #networkSegmentation #NotPetya #organizationalSecurity #perimeterBypass #ransomware #riskAssessment #SaaSRisk #securityAudit #securityControls #SOCAnalyst #SOCBestPractices #SOCOperations #softwareSecurity #softwareSupplyChain #softwareUpdateThreat #SolarWinds #supplyChainAttack #supplyChainMitigation #supplyChainRisk #supplyChainSecurityFramework #supplyChainVulnerabilities #thirdPartyCompromise #threatHunting #threatLandscape #trustedVendorAttack #upstreamCompromise #upstreamMonitoring #vendorDependency #vendorRiskManagement #vendorSecurity #vendorTrust #zeroTrust

10 milliards $ de dégâts. 50 000 serveurs hors service.

NotPetya : l'attaque dont la plupart des victimes étaient des dommages collatéraux.

Dans notre nouvel épisode avec Cyndie Feltz, Nicholas Milot et Dominique Derrier, on explore pourquoi les PME doivent s'en préoccuper.

🎧 Web: https://polysecure.ca/posts/episode-0x653.html#48b0e1fd
🎧 Spotify: https://open.spotify.com/episode/0LkbcAf9enzw6I2Uimq4SW?si=YCOFusM1TxK6iSCUiuTdmA
🎧 YouTube: https://youtu.be/RRwwEG-HpYU

#Cybersécurité #PME #NotPetya #Podcast

A variant of the infamous Petya/NotPetya ransomeware virus has been discovered that is capable of bypassing UEFI Secure Boot on outdated systems.

https://www.welivesecurity.com/en/eset-research/introducing-hybridpetya-petya-notpetya-copycat-uefi-secure-boot-bypass/

#solidstatelife #cybersecurity #petya #notpetya #uefi

HybridPetya – Ransomware omijający zabezpieczenie UEFI Secure Boot

Badacze bezpieczeństwa z firmy ESET odkryli nowy wariant ransomware przypominający doskonale wszystkim znany Petya/NotPetya, rozszerzony o możliwość przejmowania systemów operacyjnych uruchamianych ze wsparciem UEFI. Malware wykorzystuje podatność CVE-2024-7344do ominięcia mechanizmu UEFI Secure Boot. W najnowszych systemach podatność ta została załatana, jednak schemat działania oprogramowania, tzn. wykorzystanie eksploitów na poziomie firmware...

#WBiegu #Notpetya #Petya #Ransomware #Secureboot #Wiper

https://sekurak.pl/hybridpetya-ransomware-omijajacy-zabezpieczenie-uefi-secure-boot/

Wänn hesch Du s letsch mal dis BIOS updatet?
Frage für ‘ne Kolleg 🙃

#HybridPetya #NotPetya #Ransomware #UEFI #SecureBoot

https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html

Qu'est-ce qu'une cyberattaque ?

Le procès de l'affaire des fuites de l'entreprise suisse Adecco met en exergue les fuites de données. Elles sont souvent l'objet ou la conséquence d'une cyberattaque. Les hackers visent à trouver des failles dans les systèmes d'information. Qu'ils soient blancs ou noirs, ils trouvent. Les meilleurs seraient Russes, Chinois, Israéliens, Coréens du Nord ? Ces nationalités représentent celles des personnes les plus recherchées dans le monde à cause de cyberattaques.

Mais qu'est-ce qu'une attaque cybernétique, une cyberattaque ?

https://librexpression.fr/cyberattaque-cest-a-dire-1-2
https://librexpression.fr/cyberattaque-cest-a-dire-2-2

#Adecco #APT #CYBER #CyberAttack #databreaches #ddos #Defacement #flame #France #informatique #IranIsrael #Librexpression #Mirai #NotPetya #olympicsgames #OSINTdefender #ransomware #Russie #Solarwinds #threaths #USA #WannaCry #warfare

(Crédits : Tima Miroshnichenko/Pexels)

🌐 ¿Sabías que un ciberataque desconectó a todo un país? 😱
💻 Mira este video corto y educativo con los ataques digitales más destructivos.
#TicTac4 #GeekEducativo #AlianzaVanguardista #AtaquesCibernéticos #Hackers #WannaCry #Estonia2007 #CiberseguridadGlobal #VideosEducativos #CulturaDigital #TecnologíaParaTodos #NotPetya #Stuxnet #Ciberataques #RiesgosDigitales #ProtecciónDeDatos #TecnologíaEnLaEscuela #VideosParaAprender #CiberAmenazas #HistoriaTecnológica #Malware…

https://geekeducativo.com/2025/03/31/%e2%9a%a0%ef%b8%8f-los-ataques-ciberneticos-que-paralizaron-paises-enteros-%f0%9f%8c%90%f0%9f%92%bb/

Good day everyone, new Blizzard has dropped!

Microsoft's Threat Intelligence shares their research on a Russian state actor dubbed #SeashellBlizzard! Part of the GRU, they specialize in operations from espionage to information operation and cyber-enabled disruptions which have resulted in destructive attacks and manipulation of ICS. They have leveraged different types of malware to include #KillDisk, #FoxBlade, and #NotPetya.

Behavior Summary (With MITRE ATT&CK):
Initial Access - TA0001:
Exploit Public-Facing Application - T1190
Seashell Blizzard commonly exploited vulnerable public facing infrastructure.

Persistence - TA0003:
Create or Modify System Process: Windows Service - T1543.003 -
Among other means of persistence, Seashell Blizzard created a system service.

Execution - TA0002:
Command and Scripting Interpreter: PowerShell - T1059.001
Command and Scripting Interpreter: Windows Command Shell - T1059.003
Seashell Blizzard abused both of these living off the land binaries for multiple reasons and using multiple different parameters.

As always, there is WAAAAY too many technical details here, so go check it out yourself! Enjoy the read and Happy Hunting!

The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

La genèse du ransowmare

La genèse du ransomware remonte avec l’histoire d’un docteur, Joseph Popp. Le parallèle avec le docteur Jekyll et de M. Hyde, semble être proche d’une réalité palpable. Il est à l’origine des rançongiciels dans sa démarche avec l'envoi de 26 000 disquettes « AIDs Trojan ».

Puis l’évolution des chiffrements avec des clefs de plus en plus grandes. Le passage du chiffrement symétrique à l’asymétrique est aussi une évolution.
La différence est que le Dr Popp recevait par virement les sommes sur un compte au Panama. Dorénavant, les cybercriminels perçoivent des bitcoins.

L’évolution d’une société de plus en plus connectée (IoT), de plus en plus « informatisé » fait face à des défis constants en matière de cybersécurité et d'hygiène informatique.

Le rapport de la Cour des comptes sur la sécurité des établissements de santé est sans appel : « les autorités publiques ont réagi avec retard en finançant sur cinq ans un programme de prévention et de protection. Cette dynamique doit être poursuivie. »

https://librexpression.fr/genealogie-du-ransomware

https://www.ccomptes.fr/sites/default/files/2024-12/20250103-S2024-1456-La-securite-informatique-des-etablissements-de-sante.pdf

#Bianlian #Cyberattack #Databreach #France #informatique #Librexpression #Lockbit #MBR #NotPetya #Panama #Phishing #Popp #ransomware #threaths #WannaCry

(Crédits : mason cook/Pexels)