15 July 2021

Google details four zero-days used in three different malware campaigns

Google’s Threat Analysis Group (TAG) has shared additional information about four zero-day vulnerabilities the team discovered earlier this year. The four zero-days were used in three different targeted malware campaigns exploiting bugs in Google Chrome, Internet Explorer and WebKit, the browser engine used by Apple's Safari.

The four zero-day vulnerabilities are: CVE-2021-21166 and CVE-2021-30551 in Chrome, CVE-2021-33742 in Internet Explorer, and CVE-2021-1879 in WebKit (Safari).

The researchers said that three of these exploits were developed by the same commercial surveillance company that sold these capabilities to two different government-backed actors.

The researchers said that CVE-2021-21166 and CVE-2021-30551 were used in a campaign that they believe was targeting victims in Armenia. The two zero-day exploits targeted the latest versions of Chrome on Windows. The campaign involved malicious emails containing a link to an attacker-controlled domain, which redirected visitors to a webpage that would fingerprint their device, collect system information about the client, generate ECDH keys to encrypt the exploits, and then send this data back to the exploit server.

“The information collected from the fingerprinting phase included screen resolution, timezone, languages, browser plugins, and available MIME types. This information was collected by the attackers to decide whether or not an exploit should be delivered to the target,” the team explained.

The second malware campaign, also targeting users in Armenia, involved MHT files embedding an exploit for CVE-2021-26411, which automatically opened in Internet Explorer when double-clicked by the user.

“Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world,” the researchers said.

In March 2021, TAG discovered another malicious campaign, likely conducted by a Russia-linked cyberespionage group, that used the CVE-2021-1879 flaw in WebKit.

“In this campaign, attackers used LinkedIn Messaging to target government officials from western European countries by sending them malicious links. If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next stage payloads. The campaign targeting iOS devices coincided with campaigns from the same actor targeting users on Windows devices to deliver Cobalt Strike,” according to TAG.

The final payload exploiting CVE-2021-1879 would turn off Same-Origin Policy protections in order to steal authentication cookies from popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo, and send them via WebSocket to an attacker-controlled IP.

“The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7,” the researchers said.

The TAG team also notes that halfway into 2021, 33 zero-day exploits used in attacks have been publicly disclosed this year, 11 more than the total number for all of 2020.
