Google researchers have described a sophisticated hacking operation that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.
Some of the exploits were zero-days, meaning they targeted vulnerabilities unknown to Google, Microsoft, and most third-party researchers at the time (both companies have since fixed the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites visited by the intended targets and supply the sites with code that installs malware on visitors’ devices. The booby-trapped sites used two exploit servers, one for Windows users and the other for Android users.
Not your average hackers
The use of zero-days and complex infrastructure is not in itself a sign of sophistication, but it does show the above-average skill of a professional team of hackers. Combined with the robustness of the attack code – which linked multiple exploits together in an efficient manner – the campaign shows that it was executed by a “highly sophisticated actor”.
“These exploit chains are designed for efficiency and flexibility through their modularity,” wrote a researcher from the Google Project Zero exploit research team. “It is well-designed, complex code with a variety of new exploitation methods, mature logging, advanced and calculated post-exploitation techniques, and large amounts of anti-analysis and targeting controls. We believe teams of experts designed and developed these exploit chains.”
The modularity of the payloads, the interchangeable exploit chains, and the logging, targeting and maturity of the operation also set the campaign apart, the researcher said.
The four zero-days used were:
- CVE-2020-6418: Chrome vulnerability in TurboFan (fixed February 2020)
- CVE-2020-0938: Vulnerable font handling in Windows (fixed April 2020)
- CVE-2020-1020: Vulnerable font handling in Windows (fixed April 2020)
- CVE-2020-1027: Windows CSRSS vulnerability (fixed April 2020)
The attackers obtained remote code execution by exploiting the Chrome zero-day and several recently patched Chrome vulnerabilities. All zero-days were used against Windows users. None of the attack chains targeting Android devices used zero-days, but the Project Zero researchers said it was likely the attackers had Android zero-days at their disposal.
The diagram below provides a visual overview of the campaign, which took place in the first quarter of last year:
In total, Project Zero published six volumes detailing the exploits and post-exploit payloads the researchers found. Other parts outline a Chrome infinity bug, the Chrome exploits, the Android exploits, the post-Android exploit payloads, and the Windows exploits.
The intent of the series is to help the security community at large fight complex malware operations more effectively. “We hope this series of blog posts provides others with an in-depth look at exploitation by a real, mature and presumably well-equipped actor,” Project Zero researchers wrote.