Hacking group used 11 zero-day vulnerabilities in attacks targeting Windows, iOS and Android users


The Google Project Zero team has documented a hacking group that used 11 zero-days within a single year in attacks targeting Windows, iOS and Android users. The group ran two separate campaigns, in February and October 2020, BleepingComputer reported.

This month's report explains how the zero-days disclosed in January's post were combined with n-day exploits to compromise targets, and then documents seven further zero-days the group has used since.

As in the earlier campaign, the attackers used dozens of watering-hole websites that redirected visitors to two exploit servers, which between them targeted Windows, iOS and Android users.

A member of the Project Zero team said: "In our tests, both exploit servers existed in every domain we found. After initial fingerprinting (which appears to be based on the IP address and the source of the user agent), an iframe was inserted into a website pointing to one of the two exploit servers."
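The report describes the injection step only at a high level: a visitor is fingerprinted, and only if the IP address and user agent match is an iframe pointing at an exploit server injected into the page. The script below is an added example, not code from the Project Zero report or from the attackers' tooling. It shows the two checks a responder would run when triaging a suspected watering-hole page: flag iframes that are off-origin or hidden, and diff the iframes seen by a probe request against a baseline fetch, because fingerprinted serving means a single fetch from a non-matching client may show nothing. The HTML and hostnames are constructed for the example and are not from any real site.

```python
"""Added example: triage injected iframes in a suspected watering-hole page.
Not from the Project Zero report; sample HTML and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page as a fingerprinted (targeted) visitor would receive it:
# one benign same-origin iframe plus one hidden, off-origin injected iframe.
# "cdn-static-assets.example" is a made-up placeholder for an exploit server.
PROBE_HTML = """
<html><body>
<h1>Community news</h1>
<iframe src="/widgets/calendar" width="300" height="200"></iframe>
<p>Welcome back.</p>
<iframe src="https://cdn-static-assets.example/loader.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""

# Constructed sample page as a non-matching client (wrong IP range or user agent)
# would receive it: identical content, no injected frame.
BASELINE_HTML = """
<html><body>
<h1>Community news</h1>
<iframe src="/widgets/calendar" width="300" height="200"></iframe>
<p>Welcome back.</p>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def collect_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def is_off_origin(src, page_host):
    """True when the iframe points at a host other than the page's own."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != page_host.lower()


def is_hidden(attrs):
    """True for zero-size or CSS-hidden frames, the usual shape of an injected frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    zero_size = attrs.get("width") in ("0", "0px") or attrs.get("height") in ("0", "0px")
    return zero_size or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, page_host):
    """Return (src, reasons) for each iframe that is off-origin and/or hidden."""
    findings = []
    for attrs in collect_iframes(html):
        src = attrs.get("src", "")
        reasons = []
        if is_off_origin(src, page_host):
            reasons.append("off-origin")
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


def injected_relative_to(baseline_html, probe_html):
    """Iframe sources present in the probe response but absent from the baseline.

    Because the servers fingerprint on IP and user agent, a page fetched from an
    analyst's network may look clean; compare fetches made with different
    user agents or from different vantage points rather than trusting one."""
    baseline = {a.get("src", "") for a in collect_iframes(baseline_html)}
    probe = {a.get("src", "") for a in collect_iframes(probe_html)}
    return sorted(probe - baseline)


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(PROBE_HTML, "community-news.example"):
        print(f"suspicious iframe {src}: {', '.join(reasons)}")
    for src in injected_relative_to(BASELINE_HTML, PROBE_HTML):
        print(f"present only in fingerprinted response: {src}")
```

The same-origin calendar frame passes both checks; the injected frame is reported as both off-origin and hidden, and the baseline diff isolates it even if an attacker had given it a plausible size and origin-looking name.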

In the course of analyzing the attack campaign in October 2020, Google discovered:

  • One full exploit chain targeting fully patched Windows 10 via Google Chrome
  • Two partial chains targeting two fully patched Android 10 devices via Google Chrome and Samsung Browser
  • Multiple RCE exploits for iOS 11 through 13 and a privilege escalation exploit for iOS 13 (the exploited bugs were present up to iOS 14.1)

Combined with the operations seen in early 2020, this means the group used at least 11 zero-days within a year.

The 11 zero-days used to build the exploit chains in last year's attacks were:

  • CVE-2020-6418: Chrome vulnerability in TurboFan (February 2020)
  • CVE-2020-0938: Font vulnerability on Windows (February 2020)
  • CVE-2020-1020: Font vulnerability on Windows (February 2020)
  • CVE-2020-1027: Windows CSRSS vulnerability (February 2020)
  • CVE-2020-15999: Chrome FreeType heap buffer overflow (October 2020)
  • CVE-2020-17087: Windows heap buffer overflow in cng.sys (October 2020)
  • CVE-2020-16009: Chrome type confusion in TurboFan map deprecation (October 2020)
  • CVE-2020-16010: Chrome for Android heap buffer overflow (October 2020)
  • CVE-2020-27930: Safari arbitrary stack read/write via Type 1 fonts (October 2020)
  • CVE-2020-27950: iOS XNU kernel memory disclosure in mach message trailers (October 2020)
  • CVE-2020-27932: iOS kernel type confusion with turnstiles (October 2020)

Each of the discovered exploits shows expert-level understanding of both the vulnerability being exploited and exploit development.

In the case of the Chrome FreeType zero-day (CVE-2020-15999), the exploitation method used by this group was also new to the Google Project Zero team.

"Apart from exploits, the modularity of payloads, interchangeable exploit chains, logging, targeting, and the maturity of the attacker's work are distinguishing features of these groups," said a Project Zero researcher. Working out how to trigger the iOS kernel privilege escalation vulnerability would not have been trivial, and the varied obfuscation methods took considerable time to unravel.
