FREMONT, CA: Google has published the first part of a six-part report describing a sophisticated hacking operation that targeted owners of both Windows and Android devices. The tech giant spotted the operation in early 2020 as part of its Project Zero initiative, which aims to detect zero-day exploits in the wild.
The attacks used two exploit servers that delivered different exploit chains via watering hole attacks. Both used exploits to gain initial remote code execution. One server targeted Windows users, the other Android users.
The exploits for Windows and Chrome included zero-days. For Android, however, the chain used publicly known n-day exploits. Based on the threat actor's sophistication, they are believed to have access to Android zero-days as well, though none were hosted on the server.
The exploit servers included four renderer bugs in Google Chrome, one of which was a zero-day at the time of its discovery. Two sandbox escape exploits utilized three zero-day vulnerabilities in the Windows OS. In addition, a privilege escalation kit was used that consisted of publicly known n-day exploits for older versions of the Android OS. The four zero-days discovered in these chains are CVE-2020-6418, CVE-2020-0938, CVE-2020-1020, and CVE-2020-1027, which were fixed between February and April 2020.
Recently, Microsoft patched a Defender antivirus zero-day vulnerability (CVE-2021-1647) that was being exploited in the wild. In addition, a patch was released to fix a zero-day LPE vulnerability in the Windows PsExec management tool.
The recent attacks were well engineered, with complex code and a mixture of novel exploitation methods. To reduce the risk from such threats, experts suggest organizations take proactive measures such as regularly patching software, using reliable anti-malware, deploying a Host Intrusion Protection System (HIPS), and running only essential applications on business devices.