19 March 2021

Threat actor exploited at least 11 zero-days in 2020

Google Project Zero has published an update detailing seven more in-the-wild exploits used by a hacker group in a sustained campaign targeting Windows, Android, and iOS users.

In January, Google’s research team revealed a sophisticated hacking operation that exploited vulnerabilities in Windows and Chrome in order to install malware on devices. The campaign, dating back to February 2020, relied on luring users to malicious websites pointing to exploit servers.

The researchers discovered two exploit servers delivering different exploit chains via watering hole attacks. One server targeted Windows users, the other targeted Android. Both the Windows and the Android servers used Chrome exploits for the initial remote code execution, including zero-day flaws. For Android, the exploit chains used publicly known n-day exploits.

At the time, Google identified four zero-day vulnerabilities used in the observed attacks:

  • CVE-2020-6418 - Chrome Vulnerability in TurboFan (fixed February 2020)

  • CVE-2020-0938 - Font Vulnerability on Windows (fixed April 2020)

  • CVE-2020-1020 - Font Vulnerability on Windows (fixed April 2020)

  • CVE-2020-1027 - Windows CSRSS Vulnerability (fixed April 2020)

In a blog post published Thursday, Google researcher Maddie Stone said that the team discovered a series of attacks that appear to be the next iteration of the hacking operation discovered in February last year. The attacks involved a couple dozen websites redirecting to two exploit servers. A summary of the two exploit servers is below:

Exploit server #1:

  • Initially responded to only iOS and Windows user-agents

  • Remained up and active for over a week from when we first started pulling exploits

  • Replaced the Chrome renderer RCE with a new v8 0-day (CVE-2020-16009) after the initial one (CVE-2020-15999) was patched

  • Briefly responded to Android user-agents after exploit server #2 went down (though we were only able to get the new Chrome renderer RCE)

Exploit server #2:

  • Responded to Android user-agents

  • Remained up and active for ~36 hours from when we first started pulling exploits

  • In our experience, responded to a much smaller block of IP addresses than exploit server #1
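The two behaviours summarised above, many compromised sites funnelling visitors to a small number of servers and those servers answering only selected user-agent platforms, are visible in ordinary web proxy logs. The following added example (not from the article or from Project Zero) scans a constructed proxy log for hosts with that fan-in and platform-gating pattern; the log format, host names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the article): client IP, referring site, requested host, HTTP status, user agent.
LOG = """\
10.0.0.11 news-a.example srv1.example 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
10.0.0.12 blog-b.example srv1.example 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X)"
10.0.0.13 forum-c.example srv1.example 404 "Mozilla/5.0 (Linux; Android 10) Chrome/86.0"
10.0.0.14 shop-d.example srv1.example 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
10.0.0.15 news-a.example cdn.example 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
10.0.0.16 blog-b.example cdn.example 200 "Mozilla/5.0 (Linux; Android 10) Chrome/86.0"
10.0.0.17 forum-c.example cdn.example 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def platform(user_agent):
    """Coarse platform bucket derived from the User-Agent string."""
    if "Android" in user_agent:
        return "android"
    if "iPhone" in user_agent or "iPad" in user_agent:
        return "ios"
    if "Windows" in user_agent:
        return "windows"
    return "other"


def find_gated_hosts(log_text, min_referrers=3):
    """Hosts reached from many referring sites that serve some platforms (2xx) but refuse others (4xx/5xx)."""
    referrers = defaultdict(set)                      # host -> {referring sites}
    statuses = defaultdict(lambda: defaultdict(set))  # host -> platform -> {status codes}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _client, referrer, host, status, ua = m.groups()
        referrers[host].add(referrer)
        statuses[host][platform(ua)].add(int(status))
    flagged = {}
    for host, by_platform in statuses.items():
        if len(referrers[host]) < min_referrers:
            continue  # low fan-in: not a watering-hole funnel
        served = sorted(p for p, s in by_platform.items() if all(200 <= c < 300 for c in s))
        refused = sorted(p for p, s in by_platform.items() if all(c >= 400 for c in s))
        if served and refused:  # a real CDN answers every platform; gating is the signal
            flagged[host] = {"referrers": len(referrers[host]), "served": served, "refused": refused}
    return flagged
```

On the sample log only srv1.example is flagged (four referring sites, Windows and iOS served, Android refused); cdn.example has the same fan-in but answers every platform and is left alone.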

“All of the platforms employed obfuscation and anti-analysis checks, but each platform's obfuscation was different. For example, iOS is the only platform whose exploits were encrypted with ephemeral keys, meaning that the exploits couldn't be recovered from the packet dump alone, instead requiring an active MITM on our side to rewrite the exploit on-the-fly,” Maddie Stone noted.

“These operational exploits also lead us to believe that while the entities between exploit servers #1 and #2 are different, they are likely working in a coordinated fashion. Both exploit servers used the Chrome Freetype RCE (CVE-2020-15999) as the renderer exploit for Windows (exploit server #1) and Android (exploit server #2), but the code that surrounded these exploits was quite different. The fact that the two servers went down at different times also lends us to believe that there were two distinct operators.”

As for the zero-day vulnerabilities exploited in this campaign, they are as follows:

“The vulnerabilities cover a fairly broad spectrum of issues - from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero. The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial,” the researcher said.
