Google published a report in six parts, detailing how a complex hacking operation detected in early 2020 worked. The campaign targeted Android and Windows devices. The attacks were executed using two exploit servers that targeted different exploit chains, deploying watering hole-style attacks.
One of Google’s security teams, Project Zero, said in the first of the six parts of the report, that one server targeted Microsoft Windows users and the other was aimed at Android.
The report says that both exploit servers used Chrome vulnerabilities to breach their target devices. When they carved out an initial entry point in the device browsers, they released an OS-level exploit that gave them more control.
The exploits followed a chain that included both n-day and zero-day vulnerabilities. Zero-day bugs are those unknown by the software’s makers, and n-day bugs have received patches, but are still seeing exploitation in the wild.
Google revealed that the exploit servers contained:
- Four ‘renderer’ bugs in Google Chrome. One of them was a 0-day at the time it was discovered.
- Two sandbox escape exploits, leveraging three 0-day flaws in Windows.
- A ‘privilege escalation kit’ containing known n-day exploits for older Android versions.
The four zero-days were patched in the spring of 2020.
The patched zero-days were tracked as CVE-2020-6418, CVE-2020-0938, CVE-2020-1020, and CVE-2020-1027. The first was fixed in February and the rest in April. Google’s report says that they did not find evidence of Android 0-day exploits in the servers.
However, the researchers believe that there were Android zero-days in there as well.
By all indications, the exploit chains were designed to be efficient and flexible. They had impeccable engineering, complex code with a novel exploitation method, mature logging, anti-analysis, target checking and more.