Security Experts:

Google: Sophisticated APT Group Burned 11 Zero-Days in Mass Spying Operation

Google has added new details on a pair of exploit servers used by a sophisticated threat actor to hit users of Windows, iOS and Android devices.

Malware hunters at Google continue to call attention to a sophisticated APT group that burned through at least 11 zero-days exploits in less than a year to conduct mass spying across a range of platforms and devices.

The group has actively used “watering hole” attacks to redirect specific targets to a pair of exploit servers delivering malware on Windows, iOS and Android devices.

The cross-platform capabilities and the willingness to use almost a dozen zero-days in less than a year signals a well-resourced actor with the ability to access hacking tools and exploits from related teams.

In a new blog post, Google Project Zero researcher Maddie Stone released additional details on the exploit chains discovered in the wild last October and warned that the latest discovery is tied to a February 2020 campaign that included the use of multiple zero-days.

According to Stone, the actor from the February 2020 campaign went dark for a few months but returned in October with dozens of websites redirecting to an exploit server. 

“Once our analysis began, we discovered links to a second exploit server on the same website. After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers. 

In our testing, both of the exploit servers existed on all of the discovered domains,” Stone explained.

The first exploit server initially responded only to Apple iOS and Microsoft Windows user-agents and was active for at least a week after Google’s researchers started retrieving the hacking tools.  This server included exploits for a remote code execution bug in the Google Chrome rendering engine and a v8 zero-day after the initial bug was patched.  

Stone said the first server briefly responded to Android user-agents, suggesting exploits existed for all the major platforms.

Google also flagged a second exploit server that responded to Android user-agents and remained alive for at least 36 hours. This server contained malware cocktails exploiting zero-days in the Chrome and Samsung browsers on Android devices. 

Interestingly, Stone noted that the attackers used a unique obfuscation and anti-analysis check on iOS devices where those exploits were encrypted with ephemeral keys, “meaning that the exploits couldn't be recovered from the packet dump alone, instead requiring an active MITM on our side to rewrite the exploit on-the-fly.”

Stone also noted signs that multiple entities may be sharing tools and exploits in these campaigns.  

“Both exploit servers used the Chrome Freetype RCE (CVE-2020-15999) as the renderer exploit for Windows (exploit server #1) and Android (exploit server #2), but the code that surrounded these exploits was quite different. The fact that the two servers went down at different times also lends us to believe that there were two distinct operators,” Stone added.

In all, Stone and the Google Project Zero team snagged one full exploit chain hitting Chrome on Windows, two partial exploit chains targeting fully patched Android devices running Chrome and the Samsung Browser; and remote code-execution exploits for iOS 11 and iOS 13.

Stone’s analysis also show the APT group is prolific with the types of vulnerabilities used in exploit chains. “The vulnerabilities cover a fairly broad spectrum of issues - from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited,” she explained.

“In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero. The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out,” she added. 

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.