Google Project Zero has published an update detailing seven more in-the-wild exploits used by a hacker group in a sustained campaign targeting Windows, Android, and iOS users.
In January, Google's research team revealed a sophisticated hacking operation that exploited vulnerabilities in Windows and Chrome in order to install malware on devices. The campaign, dating back to February 2020, relied on luring users to malicious websites that pointed to exploit servers.
The researchers discovered two exploit servers delivering different exploit chains via watering hole attacks. One server targeted Windows users, the other targeted Android. Both the Windows and the Android servers used Chrome exploits for the initial remote code execution, including zero-day flaws. For Android, the exploit chains used publicly known n-day exploits.
At the time, Google identified four zero-day vulnerabilities used in the observed attacks:
CVE-2020-6418 - Chrome Vulnerability in TurboFan (fixed February 2020)
CVE-2020-0938 - Font Vulnerability on Windows (fixed April 2020)
CVE-2020-1020 - Font Vulnerability on Windows (fixed April 2020)
CVE-2020-1027 - Windows CSRSS Vulnerability (fixed April 2020)
In a blog post published Thursday, Google researcher Maddie Stone said that the team discovered a series of attacks that appear to be the next iteration of the hacking operation discovered in February last year. The attacks involved a couple dozen websites redirecting to two exploit servers. A summary of the two exploit servers is below:
Exploit server #1:
Initially responded to only iOS and Windows user-agents
Remained up and active for over a week from when we first started pulling exploits
Replaced the Chrome renderer RCE with a new v8 0-day (CVE-2020-16009) after the initial one (CVE-2020-15999) was patched
Briefly responded to Android user-agents after exploit server #2 went down (though we were only able to get the new Chrome renderer RCE)
Exploit server #2:
Responded to Android user-agents
Remained up and active for ~36 hours from when we first started pulling exploits
In our experience, responded to a much smaller block of IP addresses than exploit server #1
“All of the platforms employed obfuscation and anti-analysis checks, but each platform's obfuscation was different. For example, iOS is the only platform whose exploits were encrypted with ephemeral keys, meaning that the exploits couldn't be recovered from the packet dump alone, instead requiring an active MITM on our side to rewrite the exploit on-the-fly,” Maddie Stone noted.
“These operational exploits also lead us to believe that while the entities between exploit servers #1 and #2 are different, they are likely working in a coordinated fashion. Both exploit servers used the Chrome Freetype RCE (CVE-2020-15999) as the renderer exploit for Windows (exploit server #1) and Android (exploit server #2), but the code that surrounded these exploits was quite different. The fact that the two servers went down at different times also lends us to believe that there were two distinct operators.”
As for the zero-day vulnerabilities exploited in this campaign, they are as follows:
CVE-2020-15999 - Chrome Freetype heap buffer overflow
CVE-2020-17087 - Windows heap buffer overflow in cng.sys
CVE-2020-16009 - Chrome type confusion in TurboFan map deprecation
CVE-2020-16010 - Chrome for Android heap buffer overflow
CVE-2020-27930 - Safari arbitrary stack read/write via Type 1 fonts
CVE-2020-27950 - iOS XNU kernel memory disclosure in mach message trailers
CVE-2020-27932 - iOS kernel type confusion with turnstiles
“The vulnerabilities cover a fairly broad spectrum of issues - from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero. The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial,” the researcher said.