Hackers used zero days to infect Windows and Android devices

Google researchers have detailed a sophisticated hacking operation that exploited Chrome and Windows vulnerabilities to install malware on Android and Windows devices.

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most external researchers. (Both companies have since fixed the flaws.) The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by targets of interest and lace those sites with code that installs malware on visitors’ devices. The booby-trapped sites made use of two exploit servers, one for Windows users and the other for Android users.

The use of zero-day exploits and complex infrastructure is not in itself a sign of sophistication, but it does show above-average skill from a professional team of hackers. Combined with the robustness of the attack code – which chained multiple exploits together efficiently – the campaign shows that it was carried out by a “very sophisticated actor”.

“These exploit chains are designed for efficiency and flexibility through their modularity,” wrote a researcher on Google’s Project Zero research team. “They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains.”

The modularity of the payloads, the interchangeable exploit chains, and the logging, targeting and maturity of the operation also set the campaign apart, the researcher said.

The four zero-days exploited were:

  • CVE-2020-6418: Chrome vulnerability in TurboFan (fixed in February 2020)
  • CVE-2020-0938: Font vulnerability in Windows (fixed in April 2020)
  • CVE-2020-1020: Font vulnerability in Windows (fixed in April 2020)
  • CVE-2020-1027: Windows CSRSS vulnerability (fixed in April 2020)

The attackers obtained remote code execution by exploiting the Chrome zero-day and several recently patched Chrome vulnerabilities. All of the zero-days were used against Windows users. None of the attack chains targeting Android devices exploited zero-days, but Project Zero researchers said the attackers likely had Android zero-days at their disposal.

In total, Project Zero published six installments detailing the exploits and post-exploitation payloads the researchers found. The other parts describe a Chrome infinity bug, the Chrome exploits, the Android exploits, the Android post-exploitation payloads, and the Windows exploits.

The intent of the series is to help the broader security community combat complex malware operations more effectively. “We hope that this series of blog posts will provide others with an in-depth look at exploitation by a real-world, mature, and presumably well-resourced actor,” Project Zero researchers wrote.

This story originally appeared on Ars Technica, a trusted source for technology news, technology policy analysis, reviews and more.
