Hackers Used Zero-Days to Infect Windows and Android Devices | WIRED

Google researchers say the campaign, which booby-trapped sites to ensnare targets, was carried out by a “highly sophisticated actor.”
A computer with a skull inside the screen.
ILLUSTRATION: ELENA LACEY
GOOGLE RESEARCHERS HAVE detailed a sophisticated hacking operation that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.

ARS TECHNICA
This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent company, Condé Nast.

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers. (Both companies have since patched the security flaws.) The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace the sites with code that installs malware on visitors’ devices. The booby-trapped sites made use of two exploit servers, one for Windows users and the other for users of Android.

ADVERTISEMENT

The use of zero-day exploits and complex infrastructure isn’t in itself a sign of sophistication, but it does show above-average skill by a professional team of hackers. Combined with the robustness of the attack code—which chained together multiple exploits in an efficient manner—the campaign demonstrates it was carried out by a “highly sophisticated actor.”

“These exploit chains are designed for efficiency and flexibility through their modularity,” a researcher with Google’s Project Zero research team wrote. “They are well engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains.”

The modularity of the payloads, the interchangeable exploit chains, and the logging, targeting, and maturity of the operation also set the campaign apart, the researcher said.

The four zero-days exploited were:

CVE-2020-6418—Chrome Vulnerability in TurboFan (fixed February 2020)
CVE-2020-0938—Font Vulnerability on Windows (fixed April 2020)
CVE-2020-1020—Font Vulnerability on Windows (fixed April 2020)
CVE-2020-1027—Windows CSRSS Vulnerability (fixed April 2020)
The attackers obtained remote code execution by exploiting the Chrome zero-day and several recently patched Chrome vulnerabilities. All of the zero-days were used against Windows users. None of the attack chains targeting Android devices exploited zero-days, but the Project Zero researchers said it’s likely the attackers had Android zero-days at their disposal.

In all, Project Zero published six installments detailing the exploits and post-exploit payloads the researchers found. Other parts outline a Chrome infinity bug, the Chrome exploits, the Android exploits, the post-Android exploitation payloads, and the Windows exploits.

The intention of the series is to assist the security community at large in more effectively combating complex malware operations. “We hope this blog post series provides others with an in-depth look at exploitation from a real-world, mature, and presumably well-resourced actor,” Project Zero researchers wrote.