Google says sophisticated hacking operation targeted Android and Windows users in 2020
Share this article:
Cape Town - A highly sophisticated hacking operation targeted owners of Android and Windows devices in the first months of 2020, Google has revealed in a six-part report.
This operation was carried out via "watering hole" attacks. A watering hole attack is where an attacker observes which websites people often use and infects one - or more of them - with malware.
According to one of Google's top security teams called Project Zero, one server targeted Windows users and the other targeted Android.
"We discovered two exploit servers delivering different exploit chains via watering hole attacks," Google said in an update on Tuesday.
"Both the Windows and the Android servers used Chrome exploits for the initial remote code execution. The exploits for Chrome and Windows included 0-days".
Google said that both exploit servers used Google Chrome vulnerabilities to gain initial access to victim devices. Once initial entry point was established in the user's browsers, attackers deployed an OS-level exploit to gain more control of the victim's devices.
These exploit chains included a combination of both zero-day and n-day vulnerabilities. Zero-day refers to bugs that are currently unknown to the software makers and n-day refers to bugs that have been patched but are still being exploited in the wild.
Google said the exploit servers contained:
– Renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery.
– Two sandbox escape exploits abusing three 0-day vulnerabilities in Windows.
– A “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android.
The four zero-days, all of which were patched in 2020, were as follows:
CVE-2020-6418 - Chrome Vulnerability in TurboFan (fixed February 2020)
CVE-2020-0938 - Font Vulnerability on Windows (fixed April 2020)
CVE-2020-1020 - Font Vulnerability on Windows (fixed April 2020)
CVE-2020-1027 - Windows CSRSS Vulnerability (fixed April 2020)
Google said that they did not find any evidence of Android zero-day exploits hosted on the exploit servers, but the security researchers believe that the threat actor most likely had access to Android zero-days as well.
Google said the exploit chains are “well-engineered”, has a complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks.
Google has also published reports detailing a Chrome "infinity bug" used in the attacks, the Chrome exploit chains, the Android exploit chains, post-exploitation steps on Android devices, and the Windows exploit chains.