“Expert” hackers used 11 zero days to infect Windows, iOS and Android users

[Image: the word ZERO-DAY hidden on a screen full of ones and zeros.]

A team of advanced hackers exploited no fewer than 11 zero-day vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched Windows, iOS and Android devices, a Google researcher said.

Using new exploitation and obfuscation techniques, mastery of a wide range of vulnerability types and a complex delivery infrastructure, the group exploited four zero-days in February 2020. The hackers’ ability to chain multiple exploits that compromised fully patched Windows and Android devices led members of Google’s Threat Analysis Group and Project Zero to consider the group “highly sophisticated”.

Not over yet

On Thursday, Project Zero investigator Maddie Stone said that in the eight months following the February attacks, the same group exploited seven more previously unknown vulnerabilities, which this time also resided on iOS. As was the case in February, hackers delivered exploits through watering hole attacks, which compromise sites frequented by targets of interest and add code that installs malware on visitors’ devices.

In all attacks, the watering-hole sites redirected visitors to an extensive infrastructure that installed different exploits depending on the devices and browsers that the visitors were using. While the two servers used in February exploited only Windows and Android devices, the subsequent attacks also exploited iOS devices. Below is a diagram of how it worked:

[Diagram of the exploit-delivery infrastructure not reproduced; credit: Google]
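The delivery pattern described above (a legitimate site sending its visitors to a separate host that hands each operating system and browser a different payload) is something a defender can look for in web-proxy logs. The following is an added example, not code from the article or from Google’s write-up; the log format, the size-based heuristic, the thresholds and the sample log lines are all constructed assumptions.

```python
# Added example (not from the article or Google): flag hosts that are reached
# only via another site's page and that serve a different response to each
# OS/browser, the differential-serving pattern described above.
# Log format, heuristic and sample lines are constructed assumptions.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed proxy-log layout: ts client status "METHOD URL" "referer" "user-agent" bytes
LOG_RE = re.compile(r'^(\S+) (\S+) (\d{3}) "(\w+) (\S+)" "([^"]*)" "([^"]*)" (\d+)$')

def ua_platform(ua):
    """Coarse OS bucket from the User-Agent; 'other' is ignored by the check."""
    if "iPhone" in ua or "iPad" in ua:
        return "ios"
    if "Android" in ua:
        return "android"
    if "Windows" in ua:
        return "windows"
    return "other"

def find_differential_hosts(lines, min_platforms=2):
    """Return {host: [referer hosts]} for hosts reached from another site's page
    whose response size is constant per platform but differs between platforms."""
    seen = defaultdict(lambda: {"referers": set(), "sizes": defaultdict(set)})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        _, _, _, _, url, referer, ua, nbytes = m.groups()
        host = urlsplit(url).hostname or ""
        ref_host = urlsplit(referer).hostname or ""
        if ref_host and ref_host != host:
            seen[host]["referers"].add(ref_host)
        seen[host]["sizes"][ua_platform(ua)].add(int(nbytes))
    flagged = {}
    for host, info in seen.items():
        sizes = {p: s for p, s in info["sizes"].items() if p != "other"}
        if not info["referers"] or len(sizes) < min_platforms:
            continue
        # exactly one size per platform, and no two platforms share a size
        one_each = all(len(s) == 1 for s in sizes.values())
        if one_each and len({min(s) for s in sizes.values()}) == len(sizes):
            flagged[host] = sorted(info["referers"])
    return flagged

SAMPLE_LOGS = [  # constructed; all hostnames are placeholders
    '2020-02-11T10:00:01Z 10.0.0.5 200 "GET https://news-site.test/story" "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0" 51220',
    '2020-02-11T10:00:02Z 10.0.0.5 200 "GET https://cdn-stage.test/load.js" "https://news-site.test/story" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0" 18441',
    '2020-02-11T10:05:30Z 10.0.0.9 200 "GET https://news-site.test/story" "" "Mozilla/5.0 (Linux; Android 10; SM-G973F) SamsungBrowser/11.1" 51220',
    '2020-02-11T10:05:31Z 10.0.0.9 200 "GET https://cdn-stage.test/load.js" "https://news-site.test/story" "Mozilla/5.0 (Linux; Android 10; SM-G973F) SamsungBrowser/11.1" 9073',
    '2020-02-11T10:07:13Z 10.0.0.12 200 "GET https://cdn-stage.test/load.js" "https://news-site.test/story" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) Safari/604.1" 312',
    '2020-02-11T10:00:03Z 10.0.0.5 200 "GET https://static-legit.test/app.js" "https://news-site.test/story" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0" 7700',
    '2020-02-11T10:05:32Z 10.0.0.9 200 "GET https://static-legit.test/app.js" "https://news-site.test/story" "Mozilla/5.0 (Linux; Android 10; SM-G973F) SamsungBrowser/11.1" 7700',
]
```

On the constructed sample, only cdn-stage.test is flagged: it is reached via news-site.test and returns three distinct sizes to the Windows, Android and iOS visitors, while static-legit.test serves the same asset size to every platform.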

The ability to pierce the advanced defenses built into well-fortified, fully patched operating systems and applications – for example, Chrome running on Windows 10 and Safari running on iOS – was proof of the group’s skill. Another testament was the group’s abundance of zero-days. After Google fixed a code execution vulnerability that attackers were exploiting in the Chrome renderer in February, the hackers quickly added a new code execution exploit for Chrome’s V8 engine.

In a blog post published on Thursday, Stone wrote:

The vulnerabilities cover a very wide spectrum of problems – from a modern JIT vulnerability to a large cache of font bugs. Overall, each of the exploits showed a specialized understanding of exploit development and the vulnerability being exploited. In the case of the Chrome FreeType 0-day, the exploitation method was new for Project Zero. The process of figuring out how to trigger the iOS kernel privilege vulnerability would not be trivial. Obfuscation methods were varied and time-consuming to discover.

In all, Google researchers collected:

  • 1 full exploit chain targeting fully patched Windows 10 using Google Chrome
  • 2 partial chains targeting 2 different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser, and
  • RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13

The seven zero days were:

  • CVE-2020-15999 – Chrome FreeType heap buffer overflow
  • CVE-2020-17087 – Windows heap buffer overflow in cng.sys
  • CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation
  • CVE-2020-16010 – Chrome for Android heap buffer overflow
  • CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts
  • CVE-2020-27950 – iOS XNU kernel memory disclosure in mach message trailers
  • CVE-2020-27932 – iOS kernel type confusion with turnstiles

Piercing defenses

Complex exploit chains are necessary to break through the layers of defenses built into modern operating systems and applications. Typically, a series of exploits is required to execute code on a target device, escape the browser’s security sandbox, and elevate privileges so that the code can access sensitive parts of the operating system.

Thursday’s post did not provide details about the group responsible for the attacks. It would be especially interesting to know if the hackers are part of a group already known to researchers or if they are a team never seen before. It would also be useful to obtain information about the people targeted.

Keeping applications and operating systems up to date and avoiding suspicious websites remains important. Unfortunately, none of these measures would have helped the victims hacked by this unknown group.
