Now patched, the exploits took advantage of bugs in Windows, Chrome, and older versions of Android though watering hole attacks, says Google.
Google’s Project Zero is an initiative aimed at uncovering zero-day vulnerabilities and other bugs that could be exploited to infect systems and devices with malware. Now the group has revealed a string of vulnerabilities that might have affected a large number of users had they not been patched.
In a series of blog posts published Tuesday, Google revealed that it discovered two malicious servers set to deliver different exploit campaigns through watering hole attacks. In such an attack, cybercriminals determine which websites are visited by different organizations or groups and then compromise those sites with malware hoping to infect the visitors.
One server caught by Google targeted Windows users, while the other server was aimed at Android users. Both servers used Google Chrome vulnerabilities to try to remotely execute code on affected devices. The exploits for Chrome and Windows included zero-day vulnerabilities, while the one for Android took advantage of n-day vulnerabilities.
A zero-day vulnerability is one that is newly discovered but is unknown to the vendor, and therefore no patch is yet available. An n-day vulnerability is one that is publicly known and possibly patched by the vendor but still exploitable.
N-day vulnerabilities can be more problematic as they quickly become common knowledge among hackers and cybercriminals. In some cases, the patch issued by the vendor also needs to be applied on the client side in order to mitigate the threat on a widespread basis.
Analyzing the hacker’s behavior, Google said it believes they had access to zero-day vulnerabilities in Android even though the Project Zero team didn’t find any. But the experts were able to extract the following details from the exploit servers:
- Renderer exploits for four bugs in Chrome, one of which was still a zero-day at the time of the discovery.
- Two sandbox escape exploits abusing three zero-day vulnerabilities in Windows.
- A “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android.
In some instances, the hackers used an exploit to capture the fingerprints of users inside the sandbox. In these cases, the attackers gathered a lot of data from the user’s own device before deciding whether or not to pursue the exploit. In other cases, the attackers opted to fully exploit a system without wasting any time.
In five follow-up blog posts, Google displays and describes the code used in these exploit attacks.
All the discovered zero-day exploits were patched last year by the appropriate vendors as detailed by the following CVEs (Common Vulnerabilities and Exposures).
- CVE-2020-6418—Chrome Vulnerability in TurboFan (fixed February 2020)
- CVE-2020-0938—Font Vulnerability on Windows (fixed April 2020)
- CVE-2020-1020—Font Vulnerability on Windows (fixed April 2020)
- CVE-2020-1027—Windows CSRSS Vulnerability (fixed April 2020)
“These exploit chains are designed for efficiency and flexibility through their modularity,” Google said in its blog post. “They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains.”