Hackers used 4 zero days to infect Windows and Android devices


Google researchers detailed a sophisticated hacking operation that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.

Some of the exploits were zero-days, meaning that they targeted vulnerabilities that at the time were unknown to Google, Microsoft and most outside researchers (both companies have since fixed the security holes). The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace those sites with code that installs malware on visitors’ devices. The booby-trapped sites made use of two exploit servers, one for Windows users and one for Android users.

Not common hackers

The use of zero-day exploits and complex infrastructure is not in itself a sign of sophistication, but it does show above-average skill by a professional team of hackers. Combined with the robustness of the attack code, which efficiently chained several exploits together, the campaign demonstrates that it was carried out by a “highly sophisticated actor”.

“These exploit chains are designed for efficiency and flexibility through their modularity,” wrote a researcher on Google’s Project Zero exploit research team. “They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains.”

The modularity of the payloads, the interchangeable exploit chains, the logging, the targeting and the maturity of the operation also set the campaign apart, the researcher said.

The four zero-days exploited were:

  • CVE-2020-6418 – Chrome TurboFan vulnerability (fixed in February 2020)
  • CVE-2020-0938 – Windows font vulnerability (fixed in April 2020)
  • CVE-2020-1020 – Windows font vulnerability (fixed in April 2020)
  • CVE-2020-1027 – Windows CSRSS vulnerability (fixed in April 2020)

The attackers obtained remote code execution by exploiting the Chrome zero-day together with several recently patched Chrome vulnerabilities. The zero-days were used against Windows users. None of the attack chains targeting Android devices exploited a zero-day, but the Project Zero researchers said the attackers likely had Android zero-days at their disposal.

The diagram below provides a visual overview of the campaign, which took place in the first quarter of last year:

[Diagram: overview of the campaign, showing the Windows and Android exploit chains. Credit: Google]

In all, Project Zero published six installments detailing the exploits and post-exploitation payloads the researchers found. The other parts describe a Chrome infinity bug, the Chrome exploits, the Android exploits, the Android post-exploitation payloads and the Windows exploits.

The intent of the series is to help the security community at large combat complex malware operations more effectively. “We hope that this series of blog posts will provide others with an in-depth look at exploitation by a real-world, mature and presumably well-resourced actor,” the Project Zero researchers wrote.
