Google security researchers have revealed four zero-day vulnerabilities in popular web browsers, discovered earlier this year, that were exploited in the wild.
Google’s two security arms, Google Threat Analysis Group (TAG) and Google Project Zero, discovered four flaws in Google’s Chrome browser, Internet Explorer, and the WebKit engine used by Apple’s Safari. The flaws were exploited by attackers who gained unauthorized access to sensitive information.
Earlier this year, Google researchers discovered four actively exploited zero-day exploits targeting CVE-2021-21166 and CVE-2021-30551 in Chrome, CVE-2021-33742 in Internet Explorer, and CVE-2021-1879 in WebKit.
Google published root cause analysis for all four zero-days:
- CVE-2021-1879: Use-After-Free in QuickTimePluginReplacement
- CVE-2021-21166: Chrome Object Lifecycle Issue in Audio
- CVE-2021-30551: Chrome Type Confusion in V8
- CVE-2021-33742: Internet Explorer out-of-bounds write in MSHTML
Google Threat Analysis Group’s Director Shane Huntley said that the exploits are probably tied to a commercial surveillance vendor and a Russian APT:
“We tie three to a commercial surveillance vendor arming govt backed attackers and one to likely Russian APT,” Google Threat Analysis Group’s Director Shane Huntley said.
He also noted an overall uptick in the number of 0-day exploits in 2021:
“Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020. While there is an increase in the number of 0-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend,” the Google researcher added.
While the developer of the Chrome and Internet Explorer zero-day exploits sold them to other attackers, the exploits were not used in any large campaigns.
However, according to Google, the Safari flaw was used in a phishing campaign abusing LinkedIn Messaging, in which attackers targeted government officials in western European countries. Researchers believe the attackers were part of a Russian government-backed actor that targeted older iOS devices.
Google didn’t link the exploit to a specific threat group, but Microsoft has identified the culprit as Nobelium, the state-sponsored group behind last year’s SolarWinds supply-chain attack.
Security company Volexity linked the recent attacks to operators backed by Russia’s Foreign Intelligence Service (SVR), based on the tactics used in previous campaigns.
The attackers abused WebSocket to collect authentication cookies from various websites, such as Google, Microsoft, LinkedIn, Facebook, and Yahoo, and send them to attacker-controlled IPs.