Google’s zero-day threat-hunting team Project Zero continues to call attention to a sophisticated APT group attacking multiple platforms. Malware hunters at Google said a group of hackers used 11 zero-day vulnerabilities in attacks on Windows, iOS, and Android devices over the past year.
It is unknown who is behind these attacks, but the hacking group ran two separate campaigns, in February and October 2020, the Project Zero team revealed.
This month Project Zero released a report describing seven zero-days. Previously, in January, it published a report detailing four zero-days that were used in conjunction with n-day exploits.
According to the new report, the attackers had dozens of websites and two exploit servers to target iOS, Windows, or Android users. They redirected specific victims to a pair of exploit servers delivering malware on the victim’s device.
“In our testing, both of the exploit servers existed on all of the discovered domains,” Project Zero team member Maddie Stone said. “After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers.”
Stone said the team saw novel obfuscation and anti-analysis checks that the attackers used in their 2020 campaign against iOS devices. The exploits were encrypted with ephemeral keys, so that “the exploits couldn’t be recovered from the packet dump alone,” but instead required “an active MITM on our side to rewrite the exploit on-the-fly.”
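The fingerprint-then-inject behaviour described above can be checked for from the defender's side by fetching the same page under different client fingerprints and comparing the iframes each response carries. The following is an added example (my code, not Project Zero's); the page URL, hostnames and HTML are constructed placeholders, and the user-agent labels stand in for whatever fingerprint classes a crawler would use.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def iframe_hosts(html, page_url):
    """Hostnames the iframes in `html` point at; a relative src is the page's own host."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    return {urlsplit(src).hostname or page_host for src in parser.srcs}


def conditional_iframes(responses, page_url, allowlist=()):
    """responses maps a fingerprint label (e.g. the user-agent class used to fetch
    the page) to the HTML served for it. Returns (label, host) pairs for third-party
    iframes that only some fingerprints received: a frame injected only for
    profiled visitors shows up here, a frame served to everyone does not."""
    page_host = urlsplit(page_url).hostname
    per_fp = {label: iframe_hosts(html, page_url) for label, html in responses.items()}
    if not per_fp:
        return set()
    common = set.intersection(*per_fp.values())
    return {(label, host) for label, hosts in per_fp.items()
            for host in hosts - common
            if host != page_host and host not in allowlist}


# Constructed sample (not captured data): the same page fetched with a generic
# user-agent and with the user-agent of a targeted platform.
PAGE_URL = "https://news.example/article"
GENERIC_HTML = ('<html><body><p>story</p>'
                '<iframe src="https://analytics.example/px"></iframe></body></html>')
TARGETED_HTML = ('<html><body><p>story</p>'
                 '<iframe src="https://analytics.example/px"></iframe>'
                 '<iframe src="https://exploit-server.invalid/x" style="display:none"></iframe>'
                 '</body></html>')
SAMPLE = {"generic-ua": GENERIC_HTML, "ios-ua": TARGETED_HTML}

if __name__ == "__main__":
    print(conditional_iframes(SAMPLE, PAGE_URL, allowlist={"analytics.example"}))
```

Because injection here is keyed on source IP as well as user-agent, a crawl from a single vantage point can still miss the injected frame; fetching from several network locations and diffing the results the same way closes that gap.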
The 11 zero-days used to build the exploit chains during last year’s attacks include:
- CVE-2020-6418 – Chrome Vulnerability in TurboFan (February 2020)
- CVE-2020-0938 – Font Vulnerability on Windows (February 2020)
- CVE-2020-1020 – Font Vulnerability on Windows (February 2020)
- CVE-2020-1027 – Windows CSRSS Vulnerability (February 2020)
- CVE-2020-15999 – Chrome Freetype heap buffer overflow (October 2020)
- CVE-2020-17087 – Windows heap buffer overflow in cng.sys (October 2020)
- CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation (October 2020)
- CVE-2020-16010 – Chrome for Android heap buffer overflow (October 2020)
- CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts (October 2020)
- CVE-2020-27950 – iOS XNU kernel memory disclosure in mach message trailers (October 2020)
- CVE-2020-27932 – iOS kernel type confusion with turnstiles (October 2020)
Project Zero said the attackers showed an expert understanding of the vulnerabilities and exploit development.
Plus, the team discovered a new exploitation method used by this hacking group in Chrome Freetype heap buffer overflow attacks.
“Exploitation aside, the modularity of payloads, interchangeable exploitation chains, logging, targeting, and maturity of this actor’s operation set these apart,” Project Zero added.