Google reveals sophisticated hacking operation on Windows and Android


Image: Google Project Zero

Google published a six-part report today detailing a sophisticated hacking operation that the company detected in early 2020 and that targeted owners of Android and Windows devices.

The attacks were carried out through two exploit servers, delivering different exploit chains via watering hole attacks, Google said.


“One server was targeting Windows users, the other Android,” said Project Zero, one of Google’s security teams, in the first of six blog posts.

Google said that both exploit servers used Google Chrome vulnerabilities to gain an initial foothold on victims’ devices. Once an initial entry point was established in the user’s browser, the attackers deployed an operating-system-level exploit to gain more control of the victim’s device.

The exploit chains combined zero-day and n-day vulnerabilities, where zero-day refers to bugs that are unknown to the software vendor and n-day refers to bugs that have already been patched but are still being exploited in the wild.

In summary, Google said that the exploit servers contained:

  • Four “renderer” bugs in Google Chrome, one of which was still a zero-day at the time of its discovery.
  • Two sandbox escape exploits that abused three zero-day vulnerabilities in the Windows operating system.
  • A “privilege escalation kit” made up of publicly known n-day exploits for older versions of the Android operating system.

The four zero-days, all patched in the spring of 2020, were as follows:

Google said that while it found no evidence of Android zero-day exploits hosted on the exploit servers, its security researchers believe the threat actor probably had access to Android zero-days as well, but was likely not hosting them on the servers at the time its researchers discovered them.

Google: exploit chains were complex and well-designed

Overall, Google described the exploit chains as “designed for efficiency and flexibility through their modularity”.

“They are complex, well-designed code with a variety of new scanning methods, mature extraction, sophisticated and calculated post-exploitation techniques and high volumes of anti-analysis and targeting checks,” said Google.

“We believe that teams of experts designed and developed these exploitation chains,” but Google did not provide any other details about the attackers or the type of victims they were targeting.

Along with its introductory blog post, Google also published reports detailing a Chrome “infinity bug” used in the attacks, the Chrome exploit chains, the Android exploit chains, post-exploitation steps on Android devices, and the Windows exploit chains.

The details provided should allow other security vendors to identify attacks on their customers and to track victims and similar attacks by the same threat actor.

The title of this article was updated shortly after publication, changing the term “massive” to “sophisticated”, as there is no information on the scale of this operation to support the initial wording.
