Google researchers have detailed a sophisticated hack that exploits vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.
Some of the exploits were zero-days, meaning they targeted vulnerabilities that were unknown to Google, Microsoft, and most outside researchers at the time (both companies have since fixed the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites the targets frequent and lace them with code that installs malware on a visitor’s device. The boobytrapped sites made use of two exploit servers, one for Windows users and another for Android users.
Not your typical hacker.
The use of zero-days and complex infrastructure is not in itself a sign of sophistication. Rather, it shows above-average skill by a professional hacking team. Combined with the strength of the attack code, which chains together many exploits efficiently, the campaign has been shown to be the work of a “highly sophisticated actor.”
“These exploitation chains are designed for efficiency and resilience through fragmentation,” wrote a researcher at Google’s Project Zero research team. “They combine a wide range of new exploits, complete logging, complex and calculated post-exploitation techniques, and numerous anti-analysis and targeting checks. We believe that a team of experts has designed and developed these exploitation chains.”
The modularity of payloads, interchangeable exploitation chains and logging, targeting and completeness of operations also set the campaign apart.
The four exploited zero-days were:
- CVE-2020-6418 – Chrome vulnerability in TurboFan (patched February 2020)
- CVE-2020-0938 – Windows font vulnerability (patched April 2020)
- CVE-2020-1020 – Windows font vulnerability (patched April 2020)
- CVE-2020-1027 – Windows CSRSS vulnerability (patched April 2020)
The attackers obtained remote code execution by exploiting the Chrome zero-day together with recently patched Chrome vulnerabilities. All of the zero-days were used against Windows users; none of the attack chains targeting Android devices exploited a zero-day, but Project Zero researchers say it is possible the attackers had Android zero-days at their disposal.
The diagram below gives an overview of the campaigns that took place in the first quarter of last year:
In total, Project Zero has published six installments detailing the exploits and post-exploitation payloads the researchers found; the other parts cover the Chrome infinity bug, the Chrome exploits, the Android exploits, the Android post-exploitation payloads, and the Windows exploits.
The intention of the series is to help the security community as a whole combat the execution of complex malware more effectively. “We hope this series of blog posts will help others gain insight into exploitation by real-world actors who are mature and likely well-resourced,” wrote the Project Zero researchers.