Google researchers have outlined a major hacking campaign that was discovered in early 2020, which mounted a series of sophisticated attacks, some using zero-day flaws, against Windows & Android platforms.
‘Watering-hole’ attacks executed by ‘experts’ exploited Chrome, Windows & Android flaws & were delivered from 2 exploit servers.
Working together, researchers from Google Project Zero & the Google Threat Analysis Group (TAG) uncovered the attacks, which were “performed by a highly sophisticated actor,” Ryan from Project Zero wrote in the 1st of a 6-part blog series on their research.
“We discovered 2 exploit servers delivering different exploit chains via watering-hole attacks,” he wrote. “One server targeted Windows users, the other targeted Android.”
‘Watering-hole’ attacks target organisations’ often-used websites & deliver malware, infecting & obtaining access to victims’ machines when users visit the infected sites.
In the attacks that Google researchers found, the attackers used Chrome exploits served from both servers to gain remote code execution on the Windows & Android victims.
The exploits used against Windows included zero-day flaws, while Android users were targeted with exploit chains built from known “n-day” exploits, though researchers acknowledge that zero-day vulnerabilities could also have been used against Android.
The team spent many months analysing the attacks, including examining what happened post-exploitation on Android devices. In that case, additional payloads were delivered that collected device fingerprinting information, location data, a list of running processes & a list of installed applications for the phone.
The researchers posted root-cause analyses for each of the 4 Windows zero-day vulnerabilities that they discovered being leveraged in the attacks.
The 2nd, CVE-2020-0938, is a trivial stack-corruption vulnerability in the Windows Font Driver. It can be triggered by loading a Type 1 font that includes a specially crafted Blend Design Positions object. In the attacks, it was chained with CVE-2020-1020, another Windows Font Driver flaw, this time in the processing of the VToHOrigin PostScript font object, also triggered by loading a specially crafted Type 1 font. Both were used for privilege escalation.
“On Windows 8.1 & earlier versions, the vulnerability was chained with CVE-2020-1020 (a write-what-where condition) to first set up a 2nd stage payload in RWX kernel memory at a known address, & then jump to it through this bug,” according to Google. “The exploitation process was straightforward because of the simplicity of the issue & high degree of control over the kernel stack. The bug was not exploited on Windows 10.”
Finally, CVE-2020-1027 is a Windows heap buffer overflow in the Client/Server Run-Time Subsystem (CSRSS), which is an essential subsystem that must be running in Windows at all times. The issue was used as a sandbox escape in a browser exploit chain using, at times, all 4 vulnerabilities.
“This vulnerability was used in an exploit chain together with a 0-day vulnerability in Chrome (CVE-2020-6418). For older OS versions, even though they were also affected, the attacker would pair CVE-2020-6418 with a different privilege escalation exploit (CVE-2020-1020 and CVE-2020-0938).”
All have since been patched.
Researchers suggested that the threat actors were operating a “complex targeting infrastructure,” though they did not use it every time.
“In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox,” according to researchers. “In these cases, the attacker took a slower approach: sending back dozens of parameters from the end user’s device, before deciding whether or not to continue with further exploitation & use a sandbox escape.”
In other cases, researchers observed attackers choosing to fully exploit a system straightaway, or not attempting any exploitation at all. “In the time we had available before the servers were taken down, we were unable to determine what parameters determined the ‘fast’ or ‘slow’ exploitation paths,” the post observed.
Whoever was behind the attacks designed the exploit chains to be used modularly, for efficiency & flexibility, which researchers said is clear evidence that they are experts.
“They use well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, & high volumes of anti-analysis & targeting checks,” stated the post.