Project Zero, Google's zero-day bug-hunting team, found a group of hackers that used 11 zero-days in attacks targeting Windows, iOS, and Android users within a single year.
The Project Zero team revealed that the hacking group behind these attacks ran two separate campaigns, in February and October 2020.
This month's report showcases the use of seven zero-days, after a previous one published in January showed how four zero-days were used together with n-day exploits to hack potential targets.
Just as before, the attackers used a few dozen websites hosting two exploit servers, each of them targeting iOS and Windows or Android users.
"In our testing, both of the exploit servers existed on all of the discovered domains," Project Zero team member Maddie Stone said.
"After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers."
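The injected-iframe step Stone describes is something a site owner or a web proxy can check for on the defensive side: an iframe whose source resolves to a host outside the site's own domain, especially one sized to zero or styled invisible, is a classic watering-hole indicator. The following is an added example written for this page (not Project Zero's code, and not taken from the report); the page URL, the hostnames and the HTML snippet are constructed, and the same-site rule (exact host or a subdomain of it) is a simplifying assumption.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


@dataclass
class IframeFinding:
    src: str      # absolute URL the iframe points to
    host: str     # hostname of that URL
    hidden: bool  # zero-sized or styled invisible, a stronger injection signal
    line: int     # line in the HTML where the tag starts


class _IframeCollector(HTMLParser):
    """Collects every <iframe> start tag with its src, visibility hint and line."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        a = dict(attrs)
        src = a.get("src") or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (
            a.get("width") in ("0", "0px")
            or a.get("height") in ("0", "0px")
            or "display:none" in style
            or "visibility:hidden" in style
        )
        line, _ = self.getpos()
        self.iframes.append((src, hidden, line))


def _same_site(host, site_host):
    # Assumption for this example: the site's own host and its subdomains are trusted.
    return host == site_host or host.endswith("." + site_host)


def find_foreign_iframes(page_url, html):
    """Return iframes whose src resolves to a host outside the page's own site."""
    site_host = urlparse(page_url).hostname or ""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for src, hidden, line in parser.iframes:
        if not src:
            continue
        # urljoin resolves relative (/embed) and protocol-relative (//host) sources
        absolute = urljoin(page_url, src)
        host = urlparse(absolute).hostname or ""
        if not host:
            # about:blank, data: or javascript: sources carry no host; out of scope here
            continue
        if not _same_site(host, site_host):
            findings.append(IframeFinding(absolute, host, hidden, line))
    return findings


# Constructed sample: one relative iframe, one same-site subdomain, one hidden
# protocol-relative iframe to an outside host, and one visible third-party iframe.
SAMPLE_PAGE_URL = "https://news.example/article.html"
SAMPLE_HTML = """<html><body>
<h1>Article</h1>
<iframe src="/embed/video"></iframe>
<iframe src="https://cdn.news.example/widget"></iframe>
<iframe src="//exploit-server.invalid/landing" width="0" height="0"></iframe>
<iframe src="https://ads.partner.invalid/ad"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in find_foreign_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        flag = "HIDDEN " if f.hidden else ""
        print(f"line {f.line}: {flag}foreign iframe -> {f.src}")
```

Run against the constructed page, the two outside hosts are reported and the zero-sized one is marked hidden, while the relative and same-site iframes are ignored. A hidden cross-origin iframe is not proof of compromise on its own, but in the campaign described here it is exactly the artefact that would have been present on the compromised sites, so it is a reasonable thing to alert on or to diff against a known-good copy of the page.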
All in all, while analyzing the October 2020 campaign, the Project Zero researchers discovered:
- one full exploit chain targeting fully patched Windows 10 using Google Chrome
- two partial chains targeting 2 different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser
- several RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (with the exploited bugs present up to iOS 14.1)
"When combined with their earlier 2020 operation, the actor used at least 11 0-days in less than a year," Stone added.
The 11 zero-days used to build the exploit chains during last year's attacks include:
- CVE-2020-6418 – Chrome vulnerability in TurboFan (February 2020)
- CVE-2020-0938 – Font vulnerability on Windows (February 2020)
- CVE-2020-1020 – Font vulnerability on Windows (February 2020)
- CVE-2020-1027 – Windows CSRSS vulnerability (February 2020)
- CVE-2020-15999 – Chrome Freetype heap buffer overflow (October 2020)
- CVE-2020-17087 – Windows heap buffer overflow in cng.sys (October 2020)
- CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation (October 2020)
- CVE-2020-16010 – Chrome for Android heap buffer overflow (October 2020)
- CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts (October 2020)
- CVE-2020-27950 – iOS XNU kernel memory disclosure in mach message trailers (October 2020)
- CVE-2020-27932 – iOS kernel type confusion with turnstiles (October 2020)
Each of the discovered exploits revealed an expert understanding of the vulnerability being exploited and of exploit development.
Moreover, in the case of the Chrome Freetype zero-day, the exploitation technique used by this hacking group was new to Project Zero.
"Exploitation aside, the modularity of payloads, interchangeable exploitation chains, logging, targeting, and maturity of this actor's operation set these apart," Project Zero added.
"The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out."