A still-unidentified hacking group deployed at least 11 zero-day vulnerabilities in a sustained operation that ran over the course of 2020 and targeted Android, iOS, and Windows users alike, one of Google’s security teams said today.

The attacks took place in two separate time windows, February and October 2020, and relied on luring users to malicious sites that redirected victims to exploit servers.

These exploit servers delivered chains of vulnerabilities bound together in so-called exploit chains. Different bugs in a chain played different roles: one gave the attackers initial code execution inside the browser (a temporary foothold confined to the renderer process), another escaped the browser’s sandbox, and a third elevated privileges on the underlying OS so the attackers could establish a lasting presence on the device.

The attackers did not rely exclusively on zero-days; they also chained zero-days with older vulnerabilities that had already been patched (so-called n-days), betting that victims had not yet applied the fixes.

The threat actor also showed the ability to swap in a replacement zero-day on the fly once one of its bugs was detected and patched by the software vendor.

11 zero-days deployed across two different campaigns

Google’s Project Zero security team has detailed both the February 2020 and the October 2020 hacking campaigns in a report published in January and a second one today.

The four zero-days used in the February 2020 campaign were:

  • CVE-2020-6418 – Chrome type confusion in V8’s TurboFan JIT compiler (fixed February 2020)
  • CVE-2020-0938 – Windows Type 1 font parsing vulnerability in the Adobe Type Manager Library (fixed April 2020)
  • CVE-2020-1020 – Windows Type 1 font parsing vulnerability in the Adobe Type Manager Library (fixed April 2020)
  • CVE-2020-1027 – Windows CSRSS elevation-of-privilege vulnerability (fixed April 2020)

[Image: exploit chains used in the February 2020 campaign. Source: Google Project Zero]

The seven zero-days used in the later October 2020 campaign were:

  • CVE-2020-15999 – Chrome heap buffer overflow in the FreeType font library (fixed October 2020)
  • CVE-2020-17087 – Windows heap buffer overflow in the cng.sys kernel cryptography driver, used for privilege escalation (fixed November 2020)
  • CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation (fixed November 2020)
  • CVE-2020-16010 – Chrome for Android heap buffer overflow (fixed November 2020)
  • CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts (fixed November 2020)
  • CVE-2020-27950 – iOS XNU kernel memory disclosure in mach message trailers (fixed November 2020)
  • CVE-2020-27932 – iOS kernel type confusion with turnstiles (fixed November 2020)

[Image: exploit chains used in the October 2020 campaign. Source: Google Project Zero]

Unclear if APT or hacker-for-hire firm

Google’s security experts have not formally attributed the campaigns to any specific group, and all attribution options remain open, including the attacks being the work of a state-sponsored group or of a hacker-for-hire private company.

What is undisputed is that the threat actor has shown very advanced capabilities, allowing it to discover and deploy zero-days across a wide variety of platforms and software.

“The vulnerabilities cover a fairly broad spectrum of issues – from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited,” said Maddie Stone, a member of the Google Project Zero team.


Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.