A mysterious hacking group has deployed at least 11 zero-day vulnerabilities as part of a sustained hacking operation that took place over the course of 2020 and targeted Android, iOS, and Windows users alike, one of Google’s security teams said today.
The attacks, which took place across two separate time windows, in February and October 2020 respectively, relied on luring users to malicious sites that redirected them to exploit servers.
These exploit servers contained chains of vulnerabilities bound together in so-called exploit chains. Different bugs in the exploit chain allowed the attackers to gain an initial temporary foothold on a user’s device, escape the browser’s sandbox security container, and then elevate privileges on the underlying OS to gain a permanent presence.
The attackers didn't rely exclusively on zero-days; they also combined them with older vulnerabilities that had already been patched.
Nonetheless, the threat actor behind the attacks also showed the ability to replace zero-days on the fly once one was detected and patched by software vendors.
11 zero-days deployed across two different campaigns
The zero-days used in the February 2020 hacking campaign include:
The zero-days used in the latter October 2020 campaign include:
- CVE-2020-15999 – Chrome Freetype heap buffer overflow (fixed October 2020)
- CVE-2020-17087 – Windows heap buffer overflow in cng.sys (fixed November 2020)
- CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation (fixed November 2020)
- CVE-2020-16010 – Chrome for Android heap buffer overflow (fixed November 2020)
- CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts (fixed November 2020)
- CVE-2020-27950 – iOS XNU kernel memory disclosure in mach message trailers (fixed November 2020)
- CVE-2020-27932 – iOS kernel type confusion with turnstiles (fixed November 2020)
Unclear if APT or hacker-for-hire firm
Google’s security experts have not yet formally attributed this campaign to any specific group, and all attribution options are still on the table — such as the attacks being the work of a state-sponsored group or a hacker-for-hire private company.
What is, however, undisputed is the fact that the threat actor has shown very advanced capabilities, allowing it to discover and deploy zero-days across a wide variety of platforms and software.
“The vulnerabilities cover a fairly broad spectrum of issues – from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited,” said Maddie Stone, a member of the Google Project Zero team.