Hackers use zero days to infect Windows and Android devices

Google researchers have detailed a sophisticated hacking operation that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers. (Both companies have since patched the security flaws.) The hackers delivered the exploits through watering-hole attacks, which compromise websites frequented by the targets of interest and lace those sites with code that installs malware on visitors’ devices. The booby-trapped sites used two exploit servers, one for Windows users and the other for Android users.

The use of zero-day exploits and complex infrastructure is not in itself a sign of sophistication, but it does show above-average skill by a professional team of hackers. Combined with the robustness of the attack code – which chained multiple exploits together efficiently – the campaign demonstrates that it was carried out by a ‘highly sophisticated actor’.

“These exploit chains are designed for efficiency and flexibility through their modularity,” wrote a researcher from Google’s Project Zero research team. “They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains.”

The researcher said that the modularity of the payloads, the interchangeable exploit chains, and the logging, targeting, and maturity of the operation set the campaign apart.

The four zero-days exploited were:

  • CVE-2020-6418 – Chrome vulnerability in TurboFan (fixed February 2020)
  • CVE-2020-0938 – Font vulnerability in Windows (fixed April 2020)
  • CVE-2020-1020 – Font vulnerability in Windows (fixed April 2020)
  • CVE-2020-1027 – Windows CSRSS vulnerability (fixed April 2020)

The attackers obtained remote code execution by exploiting the Chrome zero-day together with several other, recently patched Chrome vulnerabilities. All of the zero-days were used against Windows users. None of the attack chains targeting Android devices exploited zero-days, but the Project Zero researchers said the attackers likely had Android zero-days at their disposal.

In all, Project Zero published six installments detailing the exploits and post-exploitation payloads the researchers found. The other sections describe a Chrome infinity bug, the Chrome exploits, the Android exploits, the post-exploitation Android payloads, and the Windows exploits.

The aim of the series is to help the security community at large combat complex malware operations more effectively. “We hope this blog post series provides others with an in-depth look at exploitation from a real-world, mature, and presumably well-resourced actor,” the Project Zero researchers wrote.

This story originally appeared on Ars Technica, a trusted source for technology news, technical policy analysis, reviews, and more.
