Google today released a six-part report describing a sophisticated hacking operation that the company discovered in early 2020, targeting owners of both Android and Windows devices.
The attacks were carried out via two exploit servers that provided different exploit chains via watering hole attacks, Google said.
“One server targeted Windows users, the other targeted Android,” Google said. Both exploit servers used Google Chrome vulnerabilities to gain an initial foothold on victim devices. Once an initial entry point was established in the user’s browser, the attackers deployed an OS-level exploit to gain more control over the victim’s device.
The exploit chains included a combination of zero-day and n-day vulnerabilities, with zero-day referring to vulnerabilities unknown to the software vendor and n-day referring to vulnerabilities that have already been patched but are still being exploited in the wild.
In total, Google said the exploit servers contained:
- Four “renderer” bugs in Google Chrome, one of which was still a zero-day at the time of discovery.
- Two sandbox escape exploits abusing three zero-day vulnerabilities in Windows.
- A “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android.
The four zero-days, all of which were patched in the spring of 2020, were as follows:
Google said that although it found no evidence of Android zero-day exploits hosted on the exploit servers, its researchers believe the threat actor probably also had access to Android zero-days but was not hosting them on the servers at the time the researchers discovered them.
Google: Exploit chains were complex and well-engineered
Overall, Google described the exploit chains as “designed for efficiency and flexibility through their modularity.”
“They are well-engineered, complex code with a number of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and large amounts of anti-analysis and targeting checks,” Google said.
“We believe these exploit chains were designed and developed by expert teams,” Google said, but it stopped short of giving further details about the attackers or the type of victims they targeted.
Along with its introductory blog post, Google has also published reports describing a Chrome “Infinity” bug used in the attacks, the Chrome exploit chains, the Android exploit chains, post-exploitation steps on Android devices, and the Windows exploit chains.
The details provided should allow other security vendors to identify attacks on their customers, track down victims, and spot similar attacks carried out by the same threat actor.
The article’s title was updated shortly after publication, changing the term “massive” to “sophisticated”, as there is no information about the scope of this operation that supports the original wording.