A team of advanced hackers exploited no fewer than eleven zero-day vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched devices running Windows, iOS, and Android, a Google researcher said.
The group's novel exploitation and obfuscation techniques, its command of many different vulnerability classes, and its elaborate delivery infrastructure first came to light when it used four zero-days in February 2020. Its ability to chain multiple exploits together to compromise fully patched Windows and Android devices led members of Google's Project Zero and Threat Analysis Group to describe the group as "sophisticated".
It's not over yet
On Thursday, Maddie Stone, a researcher at Project Zero, said the same group exploited seven more previously unknown vulnerabilities, this time in iOS as well, during the eight months following the February attacks. As in February, the hackers delivered the exploits through watering-hole attacks, which compromise websites frequented by targets of interest and add code that installs malware on visitors' devices.
In both campaigns, the compromised sites redirected visitors to an extensive infrastructure that served different exploits depending on the visitor's device and browser. While the two exploit servers seen in February targeted only Windows and Android devices, the later attacks also targeted iOS devices. Below is a diagram of how it worked:
The ability to penetrate the advanced defenses built into mature, fully patched operating systems and apps (for example, Chrome on Windows 10 and Safari on iOS) was one sign of the group's capabilities. Another was its ample supply of zero-days: after Google fixed the code-execution vulnerability in the Chrome renderer that the attackers had exploited in February, the hackers quickly added a new code-execution exploit for Chrome's V8 engine.
In a blog post published Thursday, Stone wrote:
The vulnerabilities cover a wide range of issues, from a modern JIT vulnerability to a large cache of font bugs. Overall, each of the exploits itself showed an expert understanding of exploit development and of the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was new to Project Zero. The process of figuring out how to trigger the iOS kernel privilege vulnerability would not have been trivial. The obfuscation methods were varied and time-consuming to figure out.
In all, the Google researchers collected:
- 1 full chain targeting fully patched Windows 10 with Google Chrome
- 2 partial chains targeting 2 different fully patched Android devices running Android 10 with Google Chrome and Samsung Browser, and
- RCE exploits for iOS 11-13 and a privilege-escalation exploit for iOS 13
The seven zero days were:
- CVE-2020-15999 – Chrome Freetype heap buffer overflow
- CVE-2020-17087 – Windows heap buffer overflow in cng.sys
- CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation
- CVE-2020-16010 – Chrome for Android heap buffer overflow
- CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts
- CVE-2020-27950 – iOS XNU kernel memory disclosure in Mach message trailers
- CVE-2020-27932 – iOS kernel type confusion with turnstiles
Complex exploit chains are needed to defeat the layered defenses built into modern operating systems and apps. Typically, one exploit is needed to gain code execution on the target device, another to break that code out of the browser's security sandbox, and a third to escalate privileges so the code can reach sensitive parts of the operating system.
Thursday's post did not provide details on the group responsible for the attacks. It would be particularly interesting to know whether the hackers belong to a group the researchers already track or are a team they had not seen before. Information about the targeted individuals would also be useful.
Keeping apps and operating systems up to date and avoiding suspicious websites remains important. Unfortunately, neither would have helped the victims of this unknown group: their devices were fully patched, and the exploits were delivered from legitimate websites the attackers had compromised.
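The selection step described above, in which the exploit servers fingerprint each visitor's device and browser before deciding which chain to serve, and the per-platform inventory listed earlier can be modelled in a few dozen lines. The following is an added example written for this page; it is not the attackers' code, nor Google's. The User-Agent parsing is real, but the stage names ("renderer-rce", "sandbox-escape", "kernel-eop"), the decision to serve nothing to versions the inventory does not mention, and the access-log lines are assumptions constructed for illustration. The same classifier is then reused for what an incident responder would actually do with it: scoping which visitors of a compromised site would have been served an exploit.

```python
# Added example, not the attackers' code or Google's: a model of the
# server-side client fingerprinting described in the article, plus the same
# classifier reused for incident scoping over a compromised site's access log.
# Stage names ("renderer-rce" etc.) and the version gating are assumptions
# chosen to mirror the inventory the article gives.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Client:
    os: str                    # "windows", "android", "ios" or "other"
    os_version: Optional[int]  # major version; NT major for Windows (10 = Windows 10)
    browser: str               # "chrome", "samsung", "safari" or "other"


_WINDOWS = re.compile(r"Windows NT (\d+)\.\d+")
_ANDROID = re.compile(r"Android (\d+)")
_IOS = re.compile(r"(?:iPhone|iPad|iPod).*? OS (\d+)_\d+")


def fingerprint(ua: str) -> Client:
    """Classify a User-Agent header into OS, major version and browser."""
    os_name, version = "other", None
    if m := _WINDOWS.search(ua):
        os_name, version = "windows", int(m.group(1))
    elif m := _ANDROID.search(ua):
        os_name, version = "android", int(m.group(1))
    elif m := _IOS.search(ua):
        os_name, version = "ios", int(m.group(1))
    # Order matters: Samsung Browser's UA also carries a "Chrome/" token, and
    # every Blink/WebKit UA carries "Safari/", so test the most specific first.
    if "SamsungBrowser/" in ua:
        browser = "samsung"
    elif "Chrome/" in ua:
        browser = "chrome"
    elif "Version/" in ua and "Safari/" in ua:
        browser = "safari"
    else:
        browser = "other"
    return Client(os_name, version, browser)


def select_chain(c: Client) -> List[str]:
    """Stages a visitor would be served, following the article's inventory:
    a full chain for Windows 10 + Chrome, partial chains for Android 10 with
    Chrome or Samsung Browser, a Safari RCE for iOS 11-13 and a kernel
    privilege escalation only on iOS 13. Serving nothing to other versions is
    an assumption; the article does not say what unlisted clients received."""
    if c.os == "windows" and c.os_version == 10 and c.browser == "chrome":
        return ["renderer-rce", "sandbox-escape", "kernel-eop"]
    if c.os == "android" and c.os_version == 10 and c.browser in ("chrome", "samsung"):
        # The article calls these chains "partial" without listing later
        # stages, so only the renderer exploit is modelled here.
        return ["renderer-rce"]
    if (c.os == "ios" and c.browser == "safari"
            and c.os_version is not None and 11 <= c.os_version <= 13):
        stages = ["renderer-rce"]
        if c.os_version == 13:
            stages.append("kernel-eop")
        return stages
    return []


# Apache/nginx "combined" log format: the User-Agent is the last quoted field.
_COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Incident-scoping use of the same classifier: map each client IP in a
    compromised site's access log to the stages it would have been served.
    Visitors that would have received nothing are left out."""
    served: Dict[str, List[str]] = {}
    for line in lines:
        m = _COMBINED.match(line)
        if not m:
            continue
        ip, ua = m.groups()
        stages = select_chain(fingerprint(ua))
        if stages:
            served[ip] = stages
    return served


# Constructed log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2020:09:14:02 +0000] "GET /news/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36"',
    '203.0.113.9 - - [12/Oct/2020:09:15:40 +0000] "GET /news/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 10; SAMSUNG SM-G975F) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/12.1 Chrome/79.0.3945.136 Mobile Safari/537.36"',
    '198.51.100.7 - - [12/Oct/2020:09:16:11 +0000] "GET /news/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1"',
    '198.51.100.8 - - [12/Oct/2020:09:17:30 +0000] "GET /news/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1"',
    '192.0.2.44 - - [12/Oct/2020:09:18:05 +0000] "GET /news/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"',
]

if __name__ == "__main__":
    for ip, stages in triage_log(SAMPLE_LOG).items():
        print(ip, "->", " -> ".join(stages))
```

Two details matter in practice. The browser check tests the most specific token first because Samsung Browser's User-Agent also contains "Chrome/", and every Blink or WebKit browser advertises "Safari/"; getting that order wrong misclassifies the Android clients the article says were targeted. And the triage function deliberately only reports visitors that would have received something: on a real compromised site the interesting question is not who visited, but which visitors matched the server's targeting, and those are the devices worth pulling for forensics.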