Google researchers have detailed an advanced hacking operation that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.
Some of the exploits were zero-days, meaning they targeted vulnerabilities unknown to Google, Microsoft, and most third-party researchers at the time. (Both companies have since fixed the security flaws.) The hackers delivered the exploits through watering-hole attacks, which compromise sites visited by the targets and provide the sites with code that installs malware on visitors’ devices. The booby-trapped sites made use of two exploit servers, one for Windows users and the other for Android users.
Using zero-day exploits and complex infrastructure is not in itself a sign of sophistication, but it does demonstrate an above-average skill of a professional team of hackers. Coupled with the robustness of the attack code – which efficiently linked multiple exploits together – the campaign shows that it was executed by a “highly sophisticated actor”.
“These exploit chains are designed for efficiency and flexibility through their modularity,” wrote a researcher from the Google Project Zero research team. “They are well-designed, complex code with a variety of new exploitation methods, mature logging, advanced and computed post-exploitation techniques, and large amounts of anti-analytics and targeting controls. We believe teams of experts designed and developed these exploit chains. “
The modularity of the payloads, the interchangeable exploit chains and the logging, targeting and maturity of the operation also made the campaign special, the researcher said.
The four exploited zero days were:
- CVE-2020-6418 – Chrome vulnerability in TurboFan (fixed in February 2020)
- CVE-2020-0938 – Font Vulnerability on Windows (Fixed April 2020)
- CVE-2020-1020 – Font Vulnerability on Windows (Fixed April 2020)
- CVE-2020-1027 – Windows CSRSS Vulnerability (Fixed April 2020)
The attackers executed remote code by exploiting Chrome zero-day and several recently patched Chrome vulnerabilities. All zero days were used against Windows users. None of the attack chains targeting Android devices used zero days, but Project Zero researchers said it is likely that the attackers had Android zero days at their disposal.
In total, Project Zero published six episodes detailing the exploits and post-exploit payloads the researchers found. Other parts outline a Chrome infinite bug, the Chrome exploits, the Android exploits, the post Android exploits payloads and the Windows exploits.
The intent of the series is to help the security community at large to more effectively combat complex malware operations. “We hope this series of blog posts will give others an in-depth look at exploiting a real, mature, and presumably well-equipped actor,” the Project Zero researchers wrote.
This story originally appeared on Ars Technica, a trusted source for technology news, technology policy analysis, reviews and more.
More great WIRED stories