Hackers used Zero-Days to infect Windows and Android devices

Google researchers have detailed a sophisticated hacking operation that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.

Some of the exploits were zero-days, meaning they targeted vulnerabilities that were unknown at the time to Google, Microsoft, and most external researchers. (Both companies have since fixed the flaws.) The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by targets of interest and lace those sites with code that installs malware on visitors' devices. The compromised sites used two exploit servers, one for Windows users and the other for Android users.

The use of zero-day exploits and complex infrastructure is not in itself a sign of sophistication, but it shows an above-average level of skill by a professional team of hackers. Combined with the robustness of the attack code, which chained multiple exploits together effectively, the campaign shows it was carried out by a "highly sophisticated actor".

"These exploit chains are designed for efficiency and flexibility through their modularity," wrote a researcher on Google's Project Zero research team. "They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains."

The modularity of the payloads, the interchangeable exploit chains, and the logging, targeting, and maturity of the operation also set the campaign apart, the researcher said.

The four zero-days exploited were:

  • CVE-2020-6418 – Chrome vulnerability in TurboFan (fixed in February 2020)
  • CVE-2020-0938 – Font vulnerability on Windows (fixed in April 2020)
  • CVE-2020-1020 – Font vulnerability on Windows (fixed in April 2020)
  • CVE-2020-1027 – Windows CSRSS vulnerability (fixed in April 2020)

The attackers achieved remote code execution by exploiting the Chrome zero-day together with several recently fixed Chrome vulnerabilities. All of the zero-days were used against Windows users. None of the attack chains targeting Android devices used zero-days, but the Project Zero researchers said it is likely that the attackers also had Android zero-days.

In total, Project Zero published six installments detailing the exploits and post-exploitation payloads the researchers discovered. The other parts cover a Chrome "infinity" bug, the Chrome exploits, the Android exploits, the post-exploitation Android payloads, and the Windows exploits.

The intent of the series is to help the security community at large more effectively combat complex malware operations. “We hope that this series of blog posts will give others an in-depth look at the exploitation of a real-world, mature, and probably well-resourced actor,” Project Zero researchers wrote.

This story originally appeared on Ars Technica, a reliable source for technology news, technology policy analysis, reviews and more.
