Google’s Threat Analysis Group (TAG) has shared additional information regarding four zero-day vulnerabilities discovered by the team earlier this year. The four zero-days were used as part of three different targeted malware campaigns exploiting bugs in Google Chrome, Internet Explorer and WebKit, the browser engine used in Apple's Safari.
The researchers said that three of these exploits were developed by the same commercial surveillance company that sold these capabilities to two different government-backed actors.
The researchers said that CVE-2021-21166 and CVE-2021-30551 were used in a campaign that they believe targeted victims in Armenia. The two zero-day exploits targeted the latest versions of Chrome on Windows. The campaign involved malicious emails containing a link to an attacker-controlled domain, which redirected visitors to a webpage that would fingerprint their device, collect system information about the client and generate ECDH keys to encrypt the exploits, and then send this data back to the exploit server.
“The information collected from the fingerprinting phase included screen resolution, timezone, languages, browser plugins, and available MIME types. This information was collected by the attackers to decide whether or not an exploit should be delivered to the target,” the team explained.
The second malware campaign, also targeting users in Armenia, involved MHT files embedding an exploit for CVE-2021-26411, which automatically opened in Internet Explorer when double clicked by the user.
“Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world,” the researchers said.
In March 2021, TAG discovered another malicious campaign likely conducted by a Russia-linked cyberespionage group that used the CVE-2021-1879 flaw in WebKit.
“In this campaign, attackers used LinkedIn Messaging to target government officials from western European countries by sending them malicious links. If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next stage payloads. The campaign targeting iOS devices coincided with campaigns from the same actor targeting users on Windows devices to deliver Cobalt Strike,” according to TAG.
The final payload exploiting CVE-2021-1879 would turn off Same-Origin Policy protections in order to steal authentication cookies from popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo, and send them via WebSocket to an attacker-controlled IP.
“The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7,” the researchers said.
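The exfiltration channel described above, a WebSocket connection to a bare IP address rather than a hostname, is a cheap hunting signal for defenders with proxy logs, since legitimate WebSocket endpoints almost always use a DNS name. The following is an added example written for this article, not code from Google TAG or from the campaign; the simplified proxy log format (timestamp, client IP, method, URL, status, Upgrade header) and the log lines themselves are constructed for illustration.

```python
"""Flag WebSocket upgrades whose destination is a literal IP address.

Added example, not from Google TAG's post. Assumes a simplified,
constructed proxy log format with whitespace-separated fields:
    timestamp client_ip method url status upgrade_header
where upgrade_header is "websocket" for HTTP Upgrade requests and "-"
otherwise.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample log lines (not real traffic, not real IoCs).
SAMPLE_LOG = """\
2021-03-02T10:15:01Z 10.0.0.12 GET https://www.linkedin.com/messaging/ 200 -
2021-03-02T10:15:04Z 10.0.0.12 GET http://203.0.113.7/landing 200 -
2021-03-02T10:15:05Z 10.0.0.12 GET wss://203.0.113.7:8443/ws 101 websocket
2021-03-02T10:15:09Z 10.0.0.31 GET wss://chat.example.com/socket 101 websocket
2021-03-02T10:16:00Z 10.0.0.31 GET wss://[2001:db8::1]/ws 101 websocket
2021-03-02T10:16:30Z 10.0.0.12 GET https://accounts.google.com/ 200 -
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client_ip: str
    destination: str  # the literal IP the WebSocket was opened to
    url: str


def is_literal_ip(host: str) -> bool:
    """True if host parses as an IPv4 or IPv6 address (no brackets)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line into fields; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, upgrade = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status, "upgrade": upgrade}


def is_websocket(entry: dict) -> bool:
    """A request is a WebSocket if it carried Upgrade: websocket or used ws(s)://."""
    scheme = urlsplit(entry["url"]).scheme.lower()
    return entry["upgrade"].lower() == "websocket" or scheme in ("ws", "wss")


def find_suspicious_websockets(log_text: str,
                               allowlist: Iterable[str] = ()) -> List[Finding]:
    """Return WebSocket requests whose destination host is a bare IP.

    allowlist holds CIDR strings (e.g. internal dev ranges) whose
    destinations should not be reported.
    """
    allowed = [ipaddress.ip_network(c) for c in allowlist]
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_websocket(entry):
            continue
        # urlsplit().hostname strips the port and IPv6 brackets for us.
        host = urlsplit(entry["url"]).hostname
        if not host or not is_literal_ip(host):
            continue
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in allowed):
            continue
        findings.append(Finding(entry["ts"], entry["client"], host, entry["url"]))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_websockets(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip} -> ws endpoint on bare IP {f.destination} ({f.url})")
```

Run against the sample, the check reports the two WebSocket connections to bare IPs (one IPv4, one IPv6) and leaves the hostname-based endpoint alone. In practice you would feed it real proxy or CASB logs, allowlist known internal ranges to cut noise, and treat a hit from a Safari or iOS user agent shortly after a redirect from a messaging site as worth pulling the session for review.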
The TAG team also notes that halfway into 2021, there have been 33 zero-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020.