Google researchers have detailed a complex hacking process that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.
Some of the exploits were endless, which means they targeted vulnerabilities that were unknown at the time to Google, Microsoft and most outside researchers (the two companies have since patched the vulnerabilities). Hackers have delivered the vulnerabilities through waterhole attacks, which threaten sites frequented by targeted people and overwhelm sites with codes that install malware on visitors’ devices. Booby-trapped sites used two servers, one for Windows users, the other for Android users.
You don’t have regular hackers
The use of complex infrastructure in itself is not a sign of sophistication, but it shows above average skill by a professional team of hackers. Combined with the power of the attack symbol – which has effectively tied many exploits together – the campaign makes clear that it was carried out by a “highly sophisticated actor”.
“These exploit strings are designed for efficiency and flexibility through their modularity,” a researcher at the Google Project Zero Explit research team Wrote. “They are complex, well-designed codecs with a variety of new exploitation methods, mature logging, complex and computable post-exploitation techniques, and large amounts of validation and targeting. We believe teams of experts have designed and developed these exploit chains.”
The researcher said that the typicality of payloads and chains of exploiting interchangeable vulnerabilities and recording the process, targeting and maturity characterize the campaign.
The four days zero exploited are:
The attackers obtained remote code execution by exploiting Chrome Zero-Day and several recently patched Chrome vulnerabilities. All zero days have been used against Windows users. None of the attack chains targeting Android devices took advantage of the zero days, but Project Zero researchers said it is possible that attackers have Android zero days at their disposal.
The chart below provides a visual overview of the campaign that occurred in the first quarter of last year:
In all, Project Zero has published six installments detailing the exploits and post-exploit payloads researchers have found. Other parts outline a Chrome Infinity Bug, The Exploits of chrome, The Android Exploits, The Post-Android exploit payloads, And the Windows exploits.
The series aims to help the security community at large fight complex malware operations more effectively. “We hope this blog post series will provide others with an in-depth look at exploitation from a real, mature and supposedly well-resourced actor,” Project Zero researchers wrote.