‘Expert’ hackers used 11 zero-days to infect Windows, iOS and Android users

The word ZERO-DAY is hidden in the middle of a screen filled with ones and zeros.

A team of advanced hackers exploited no fewer than 11 zero-day vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched devices running Windows, iOS and Android, a Google researcher said.

Using novel exploitation and obfuscation techniques, a mastery of a wide range of vulnerability types and a complex delivery infrastructure, the group exploited four zero-days in February 2020. The hackers’ ability to chain together multiple exploits that compromised fully patched Windows and Android devices led members of Google’s Project Zero and Threat Analysis Group to call the group ‘highly sophisticated’.

Not over yet

On Thursday, Project Zero researcher Maddie Stone said that in the eight months following the February attacks, the same group exploited seven more previously unknown vulnerabilities, which this time also resided in iOS. As was the case in February, the hackers delivered the exploits through watering-hole attacks, which compromise websites frequented by targets of interest and add code that installs malware on visitors’ devices.

In all of the attacks, the watering-hole sites redirected visitors to a sprawling infrastructure that served different exploit chains depending on the devices and browsers the visitors were using. Whereas the two servers used in February exploited only Windows and Android devices, the later attacks also exploited devices running iOS. Below is a diagram of how it worked:

Diagram credit: Google

The ability to pierce the advanced defenses built into well-fortified operating systems and fully patched applications (for example, Chrome running on Windows 10 and Safari running on iOS) was one testament to the group’s skill. Another testament was the group’s abundance of zero-days. After Google patched a code-execution vulnerability the attackers had been exploiting in the Chrome renderer in February, the hackers quickly added a new code-execution exploit for Chrome’s V8 engine.

In a blog post published Thursday, Stone wrote:

The vulnerabilities cover a fairly broad spectrum of issues – from a modern JIT vulnerability to a large cache of font bugs. Overall, each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome FreeType 0-day, the exploitation method was novel to Project Zero. The process of figuring out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out.

In all, Google researchers gathered:

  • 1 full chain targeting fully patched Windows 10 using Google Chrome
  • 2 partial chains targeting two different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser, and
  • RCE exploits for iOS 11-13 and a privilege-escalation exploit for iOS 13

The seven zero-days were:

  • CVE-2020-15999 – Chrome FreeType heap buffer overflow
  • CVE-2020-17087 – Windows heap buffer overflow in cng.sys
  • CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation
  • CVE-2020-16010 – Chrome for Android heap buffer overflow
  • CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts
  • CVE-2020-27950 – iOS XNU kernel memory disclosure in mach message trailers
  • CVE-2020-27932 – iOS kernel type confusion with turnstiles

Piercing defenses

Complex exploit chains are required to break through the layers of defenses built into modern operating systems and applications. Typically, a series of exploits is needed to run attacker code on a targeted device, have that code break out of the browser’s security sandbox, and elevate privileges so the code can access sensitive parts of the operating system.

Thursday’s post offered no details about the group responsible for the attacks. It would be especially interesting to know whether the hackers are part of a group already known to researchers or a previously unseen team. Also useful would be information about the people who were targeted.

The importance of keeping applications and operating systems up to date and avoiding suspicious websites still stands. Unfortunately, neither of those things would have helped the victims hacked by this unknown group.
