Posted on March 19, 2021 at 10:48 PM
A recent report has revealed that an unnamed hacking syndicate carried out a sustained hacking operation and targeted Windows, iOS, and Android users using 11 zero-day vulnerabilities.
Google’s Project Zero team, which discovered the attacks, stated that the campaign began last year. The activity fell into two windows: one in February 2020 and one in October 2020.
The Google team stated that the hacking group lured their victims to malicious sites which redirect them to exploit servers.
Each exploit chain combined several bugs. The first gave code execution inside the browser’s sandbox, which by itself yields only limited, temporary access; further bugs escaped the sandbox and elevated privileges on the underlying operating system, at which point the attacker controls the device rather than just a browser process.
Zero-days combined with other vulnerabilities
The report noted that the attackers did not rely solely on zero-days: they also chained in known vulnerabilities that had already been patched, which work against victims who have not yet applied the fix.
The attackers also showed they could replace a zero-day with a new one within days of it being detected and patched. That flexibility suggests both a deep inventory of unpatched vulnerabilities and a high level of skill.
ArsTechnica reported that the first four zero-days affected Chrome on Windows and Android.
Over the following eight months the threat actors broadened the operation with seven more vulnerabilities, adding Safari and iOS devices to the target list. The report also stated that the attackers used watering-hole sites to deliver different exploits depending on the visiting browser and device.
Hackers were well equipped
Project Zero researcher Maddie Stone commented on the attackers’ ability to exploit new vulnerabilities quickly after the initial ones were patched. “The hackers have an expert understanding of exploit development and the vulnerability being exploited,” she added.
In both sets of attacks, victims were redirected to an extensive exploit-server infrastructure that served different exploits according to the browser and device in use.
After Google patched the Chrome code-execution vulnerability exploited in February, the attackers promptly replaced it with a new code-execution exploit for Chrome’s V8 JavaScript engine.
Stone described the vulnerabilities as covering a wide spectrum, from a large cache of font-parsing bugs to a modern JIT compiler vulnerability. The exploits demonstrated expertise in both vulnerability discovery and exploit development, which points to a sophisticated operator.
The October vulnerabilities identified by Project Zero included an iOS kernel type confusion, an iOS XNU kernel memory disclosure, a Safari arbitrary stack read/write, a Chrome for Android heap buffer overflow, a Chrome TurboFan map deprecation bug, and a Windows cng.sys buffer overflow.
ArsTechnica also noted that a chain of exploits was necessary because no single bug gets past the layered defenses, such as the browser sandbox, built into modern operating systems.
Google researchers said they found RCE exploits for iOS 11 through 13 and a privilege escalation exploit for iOS 13.
They also found two partial chains targeting two different fully updated Android 10 devices, one via Samsung Browser and one via Google Chrome, and one full chain targeting fully updated Windows 10 via Google Chrome.
Identity of the hacking group not known yet
The Google team did not provide any information or reveal the identity of the hacking group responsible for the attack.
So it is not clear whether the group is new or an already established actor, nor which kinds of users were targeted.
However, the sophistication of the tooling suggests the group was active well before the February and October campaigns.
It’s always important to keep apps and OSes regularly updated to prevent opening the doors for threat actors.
Apple has been consistent with security updates and patches for vulnerabilities in its iOS devices. It released the latest patch for iOS 14.4.1 on March 8.
Unfortunately, the targeted devices were fully up to date at the time, so patching alone would not have protected the victims of these zero-day attacks.