Google unveils sophisticated Windows and Android hacking operation

Image: Google Project Zero

Google today released a six-part report outlining a sophisticated hacking operation that the company detected in early 2020, targeting users of both Android and Windows devices.

The attacks were carried out via two exploit servers that delivered different exploit chains through watering hole attacks, Google said.

“One server targeted Windows users, and the other Android users,” said Project Zero, one of Google’s security teams, in the first of the six blog posts.

Google said both exploit servers used Google Chrome vulnerabilities to gain an initial foothold on victim devices. Once the browser had been compromised, the attackers deployed operating-system-level exploits to gain further control over the victim’s device.

The exploit chains combined zero-day and n-day vulnerabilities, where zero-day refers to flaws unknown to the software vendor at the time they were exploited, and n-day refers to flaws that had already been patched but were still being exploited in the wild against unpatched systems.

All in all, Google said that the exploit servers contained the following:

  • Four “renderer” bugs in Google Chrome, one of which was still a 0-day at the time of discovery.
  • Two sandbox-escape exploits that abused three vulnerabilities in the Windows operating system (the remaining three 0-days).
  • A “privilege escalation kit” consisting of publicly known n-day exploits for older versions of the Android operating system.

The four zero-days, all patched in the spring of 2020, were as follows:

Google said that although it found no evidence of Android zero-day exploits being served from the exploit servers, its researchers believe the threat actor most likely also had access to Android zero-days, but that these were probably not being served from the servers at the time the researchers discovered them.

Google: Exploit Chains Were Intricate And Well-Designed

Overall, Google described the exploit chains as “designed for efficiency and flexibility through their modularity”.

“They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks,” Google said.

“We believe that teams of experts have designed and developed these exploit chains,” Google said, but the company did not provide further details on the attackers or the types of victims they targeted.

Along with its introductory blog post, Google also published detailed reports on a Chrome “infinity bug” used in the attacks, the Chrome exploit chains, the Android exploit chains, the post-exploitation steps taken on Android devices, and the Windows exploit chains.

The published details should enable other security vendors to identify attacks against their customers and to track down victims, as well as other similar attacks carried out by the same threat actor.

Article title was updated shortly after publication to change the term “massive” to “sophisticated”, as there is no information on the scope of this operation to support the initial wording.