Google has released new information about two exploit servers used by a sophisticated threat actor to target Windows, iOS, and Android users.
Google’s malware researchers continue to raise awareness about a sophisticated APT group that used at least 11 zero-day exploits in less than a year to conduct mass surveillance across multiple platforms and devices.
The group used “watering hole” attacks to redirect specific targets to two exploit servers that delivered malware to Windows, iOS, and Android devices.
The ability to compromise multiple platforms, combined with the willingness to expend nearly a dozen zero-day exploits in under a year, points to a well-resourced attacker with access to hacking tools and exploits from similar teams.
Google Project Zero researcher Maddie Stone released further information on the exploit chains found in the wild last October in a new blog post, warning that the current discovery is linked to a February 2020 campaign that used several zero-days.
According to Stone, the actor behind the February 2020 campaign went silent for a few months before reappearing in October with hundreds of websites redirecting to an exploit server.
“As soon as we started looking into it, we found connections to a second exploit server on the same website. After initial fingerprinting (which seemed to be focused on the root of the IP address and the user-agent), an iframe pointing to one of the two exploit servers was inserted into the website.
Both exploit servers were found on all of the discovered domains during our testing,” Stone explained.
The first exploit server remained active for at least a week after Google’s researchers began retrieving the hacking tools, and it replied only to Apple iOS and Microsoft Windows user-agents. After the initial bug was patched, this server was found to contain exploits for a remote code execution bug in the Google Chrome rendering engine as well as a v8 zero-day.
According to Stone, the first server also replied briefly to Android user-agents, implying that the actor had working exploits for all major platforms.
Google also flagged a second exploit server, which responded to Android user-agents and remained active for at least 36 hours. On Android devices, this server delivered exploit chains that used zero-day vulnerabilities in the Chrome and Samsung browsers.
On iOS devices, the attackers applied special obfuscation and anti-analysis checks, “meaning that the exploits couldn’t be retrieved from the packet dump alone, instead requiring an active MITM on our side to rewrite the exploit on-the-fly,” according to Stone.
Multiple groups may be exchanging resources and vulnerabilities in these campaigns, according to Stone.
“The renderer exploit for Windows (exploit server #1) and Android (exploit server #2) was the Chrome Freetype RCE (CVE-2020-15999), but the code that accompanied these exploits was somewhat different. The fact that the two servers went down at different times also suggests that there were two separate operators,” Stone added.
Stone and the Google Project Zero team were able to recover one complete exploit chain for Chrome on Windows, two partial exploit chains for fully patched Android devices running Chrome and the Samsung Browser, and remote code-execution exploits for iOS 11 and iOS 13.
Stone’s analysis also highlights the variety of vulnerability types used in the exploit chains. “The flaws span a wide range of problems, from a modern JIT error to a huge cache of font bugs,” the post says. “Overall, each of the exploits demonstrated a mastery of exploit production and the vulnerability being exploited,” she said.
“The exploitation approach used in the Chrome Freetype 0-day was new to Project Zero. It would have taken a long time to figure out how to exploit the iOS kernel privilege vulnerability,” she said. “The obfuscation techniques were varied and time-consuming to find out.”