The Internet — Google has uncovered an advanced hacking operation that relied on vulnerabilities in Windows and Chrome, allowing the installation of malware on Android and Windows devices.
Some of these were zero-day exploits, meaning they targeted flaws in the software before Google and Microsoft knew they existed. Both companies have since patched the flaws. The exploits were delivered through watering-hole attacks: websites the intended victims were likely to visit were made to serve code that installs malware on a visitor's system.
This attack is not unique. There are many pieces of malware that have used zero-day exploits. It is, however, an indicator of a relatively high level of skill. The code used was comprehensive and very sophisticated. It chained together multiple exploits in a very efficient way.
"These exploit chains are designed for efficiency and flexibility through their modularity. They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains." (Google's Project Zero Research Team)
Other advanced elements of the campaign include payload modularity, interchangeable exploit chains, and a particularly sophisticated level of targeting and logging.
The four zero-day vulnerabilities exploited:
- Chrome Vulnerability – CVE-2020-6418 in TurboFan – Fixed in February of 2020
- Font Vulnerability – CVE-2020-0938 on Windows – Fixed in April of 2020
- Font Vulnerability – CVE-2020-1020 on Windows – Fixed in April of 2020
- Windows CSRSS Vulnerability – CVE-2020-1027 – Fixed in April of 2020
By exploiting the Chrome zero-day, the attackers gained the ability to execute code remotely on victims' machines. All of the Chrome exploits were specifically designed for Windows users. There is no evidence that the attacks used zero-day exploits against Android devices, although Project Zero researchers noted that the attackers possibly had Android zero-days as well. They more than likely did.
The attack was a stealthy one. Project Zero nonetheless published its findings in six installments detailing the exploits and the post-exploitation payloads. The series covers a Chrome "infinity bug", the Chrome exploits themselves, the Android exploits, the post-exploitation Android payloads, and the Windows exploits.
The intention here is to assist the security community.
"We hope this blog post series provides others with an in-depth look at exploitation from a real-world, mature, and presumably well-resourced actor." (Project Zero Researchers)