Posted on January 16, 2021 at 10:07 AM
Google researchers have provided details of a major hacking campaign they discovered early last year. According to the report, the threat actors behind the campaign mounted a series of attacks on Android and Windows devices using zero-day vulnerabilities.
Google published a six-part report giving full details of what it calls a sophisticated hacking operation that affected owners of both Windows and Android devices.
The attacks, according to the report, were carried out through two exploit servers that delivered different exploit chains via watering-hole attacks.
Google said many of the exploits were zero-days, meaning they targeted flaws that were not known to Microsoft, Google, or any outside researcher.
The disclosure comes after both Google and Microsoft patched the vulnerabilities. According to the report, the attackers compromised sites frequently visited by their targets and planted code on those sites that installed malware on visitors' devices. In other words, when a user visited one of the infected sites, the device was almost immediately infected with the malware.
The booby-trapped sites utilized two exploit servers, one for Android users and another for Windows users.
“One server targeted Windows users, the other targeted Android,” Google’s security team pointed out.
Both exploit servers utilized Google Chrome flaws
The Google research team also reiterated that both of the exploit servers made use of Google Chrome vulnerabilities to initially gain access to the victims’ devices. After gaining an initial entry point in the users’ browsers, the threat actors deployed an OS-level exploit to solidify their control over the victims’ devices.
Exploits also involved n-day vulnerabilities
The Google researchers added that, apart from the zero-day vulnerabilities, the exploit chains also included n-day vulnerabilities.
Here, a zero-day is a vulnerability not known to the software vendor, while an n-day is an already-patched vulnerability that is still being exploited in the wild.
While the Android devices were targeted via n-day flaws, the majority of the Windows devices were targeted using zero-day flaws. However, the researchers acknowledged that zero-day vulnerabilities could also have been used against both platforms.
The attack was highly sophisticated
In other cases, the attackers chose either not to exploit the device at all or to proceed immediately to full system exploitation. The researchers also said they could not determine which parameters the attackers used to decide between the "slow" and "fast" exploitation paths.
One thing is certain about the attacks: the threat actors designed the exploit chains to be used modularly, for flexibility and efficiency. This is further evidence that they were professionals using highly sophisticated hacking techniques.
The researchers concluded that the attack was a unique one due to the maturity of the operation, the targeting, logging, the interchangeable exploit chains, as well as the modularity of the payloads.
Four Windows Zero-day vulnerabilities discovered
The Google team spent several months analyzing the attacks, including the post-exploitation activity on Android devices. Additional payloads were delivered that retrieved location data, device-fingerprinting information, a list of installed apps, and a list of running processes from the phone.
The Google researchers revealed root-cause analyses for the four Windows Zero-day flaws they discovered.
The second flaw is known as CVE-2020-0938, which is an insignificant stack-corruption flaw in the Windows Font Driver. It is triggered by loading a Type 1 font that includes a specially crafted BlendDesignPositions object.
From what the researchers understood about the targets, the hackers were operating a “complex targeting infrastructure”, although they don’t utilize this approach every time.
In other cases, the threat actors used what is known as an initial renderer exploit to build detailed fingerprints of users from inside the sandbox. The Google team said the threat actor used a slower method here, sending back several parameters from the user's device. This was typically done before the threat actors went ahead with further exploitation using a sandbox escape.