A group of advanced hackers exploited at least 11 zero-day vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched devices running Windows, iOS, and Android, a Google researcher said.
Using novel exploitation and obfuscation techniques, management of various types of vulnerabilities, and a complex delivery infrastructure, the group spent four zero days in February 2020. The ability of hackers to chain together multiple exploits that were fully compromised patched Windows and Android. The devices brought together members of Google’s Project Zero and the Threat Team to call the group “highly sophisticated.”
It’s not over yet
On Thursday, Project Zero researcher Maddie Stone said that, in the eight months following the February attacks, the same group exploited seven more previously unknown vulnerabilities, which this time also resided in iOS. As was the case in February, hackers put operations through tunnel attacks, which often damage websites through targets and add code that installs malware on visitors’ machines.
In all of the attacks, phishing sites direct visitors to an extensive infrastructure that installs different functions depending on the devices and browsers being used. While the two servers used in February used only Windows and Android devices, later attacks also used devices running iOS. Below is a diagram of how it works:
The ability to bypass advanced security built into well-fortified OSes and fully encrypted apps—for example, Chrome running on Windows 10 and Safari running on iOS—is a testament to the team’s wisdom. the. Another testament to the group’s many youth days. After Google hid a code execution vulnerability the adversaries have been exploiting it Chrome Maker In February, hackers quickly added a new code-killing exploit for Chrome V8.
In a blog post published on Wednesday, Stone wrote:
The vulnerabilities cover a wide spectrum of issues—from a modern JIT vulnerability to a large cache of font bugs. Overall each of the operations themselves demonstrate an expert understanding of the development of exploitation and exploitation. In the case of Chrome Freetype 0-day, the exploit method is novel to Project Zero. The process to figure out how to trigger the iOS kernel privilege vulnerability will be non-trivial. Obfuscation methods are varied and time-consuming to figure out.
All in all, Google researchers gathered:
- Targeting a fully patched Windows 10 using Google Chrome
- Two side chains targeting completely different Android apps running Android 10 using Google Chrome and Samsung Browser, and
- RCE exploit for iOS 11-13 and privilege exploit for iOS 13
The seven zero days are:
- CVE-2020-15999 – Chrome Freetype heap buffer overflow
- CVE-2020-17087 – Windows heap buffer overflow in cng.sys
- CVE-2020-16009 – Chrome type confusion in TurboFan map reduction
- CVE-2020-16010 – Chrome for Android buffer overflow
- CVE-2020-27930 – Safari arbitrary read/write by Type 1 fonts
- CVE-2020-27950 – iOS XNU kernel memory exposure in mach message handlers
- CVE-2020-27932 – iOS kernel type confusion with turnstiles
Beating defenses
The complex chain of exploits needs to be broken through the layers of protections built into today’s OSes and apps. Typically, a series of exploits is required to exploit code on a targeted device, get that code out of a browser’s security sandbox, and elevate privileges so the code can access sensitive parts of the OS.
Wednesday’s post did not give details on the group responsible for the attacks. It will also be interesting to know if the hackers are part of a group that is already known to researchers or if it is a group that has not been seen before. Also useful will be information about targeted people.
The importance of keeping apps and OSes up to date and avoiding suspicious websites remains. Unfortunately, neither of those things will help the victims of being hacked by this unknown group.