Google’s Project Zero research team has detailed a sophisticated hacking operation it discovered last year which was aimed at owners of Windows and Android devices. The watering hole operation exploited vulnerabilities in Windows and Chrome in order to install malware on devices.
The researchers said they discovered two exploit servers delivering different exploit chains via watering hole attacks. One server targeted Windows users, the other targeted Android. Both the Windows and the Android servers used Chrome exploits for the initial remote code execution, including zero day flaws. For Android, the exploit chains used publicly known n-day exploits, Google said.
Based on the campaign’s sophistication, the team believes the threat actor behind it likely also had access to Android zero-days; however, no such exploits were found during the investigation.
The researchers were able to extract contents of the servers, including:
Renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery.
Two sandbox escape exploits abusing three 0-day vulnerabilities in Windows.
A “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android.
The zero-day vulnerabilities were as follows:
CVE-2020-6418 - Chrome Vulnerability in TurboFan (fixed February 2020)
CVE-2020-0938 - Font Vulnerability on Windows (fixed April 2020)
CVE-2020-1020 - Font Vulnerability on Windows (fixed April 2020)
CVE-2020-1027 - Windows CSRSS Vulnerability (fixed April 2020)
“We understand this attacker to be operating a complex targeting infrastructure, though it didn't seem to be used every time. In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox. In these cases, the attacker took a slower approach: sending back dozens of parameters from the end user's device, before deciding whether or not to continue with further exploitation and use a sandbox escape. In other cases, the attacker would choose to fully exploit a system straight away (or not attempt any exploitation at all),” the researchers said.
The analysis of the exploit chains showed well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and a high volume of anti-analysis and targeting checks, likely created by skilled developers.
Google did not share any details regarding the attackers, scope of this campaign, or type of victims targeted.