“Expert” hackers used 11 0-days to infect Windows, iOS, and Android users

A team of advanced hackers exploited no fewer than 11 zero-day vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched devices running Windows, iOS, and Android, a Google researcher said.

Using novel exploitation and obfuscation techniques, a mastery of a wide range of vulnerability types, and a complex delivery infrastructure, the group exploited four zero-days in February 2020. The hackers’ ability to chain together multiple exploits that compromised fully patched Windows and Android devices led members of Google’s Project Zero and Threat Analysis Group to call the group “highly sophisticated.”

Not over yet

On Thursday, Project Zero researcher Maddie Stone said that, in the eight months that followed the February attacks, the same group exploited seven more previously unknown vulnerabilities, which this time also resided in iOS. As was the case in February, the hackers delivered the exploits through watering-hole attacks, which compromise websites frequented by targets of interest and add code that installs malware on visitors’ devices.

In all the attacks, the watering-hole sites redirected visitors to a sprawling infrastructure that installed different exploits depending on the devices and browsers visitors were using. Whereas the two servers used in February exploited only Windows and Android devices, the later attacks also exploited devices running iOS. Below is a diagram of how it worked:

The ability to pierce advanced defenses built into well-fortified OSes and apps that were fully patched—for example, Chrome running on Windows 10 and Safari running on iOS—was one testament to the group’s skill. Another testament was the group’s abundance of zero-days. After Google patched a code-execution vulnerability the attackers had been exploiting in the Chrome renderer in February, the hackers quickly added a new code-execution exploit for the Chrome V8 engine.

In a blog post published Thursday, Stone wrote:

The vulnerabilities cover a fairly broad spectrum of issues—from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero. The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out.

In all, Google researchers gathered:

• One full chain targeting fully patched Windows 10 using Google Chrome
• Two partial chains targeting two different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser, and
• RCE exploits for iOS 11-13 and privilege escalation exploit for iOS 13

The seven zero-days were:

• CVE-2020-15999 - Chrome Freetype heap buffer overflow
• CVE-2020-17087 - Windows heap buffer overflow in cng.sys
• CVE-2020-16009 - Chrome type confusion in TurboFan map deprecation
• CVE-2020-16010 - Chrome for Android heap buffer overflow
• CVE-2020-27930 - Safari arbitrary stack read/write via Type 1 fonts
• CVE-2020-27950 - iOS XNU kernel memory disclosure in mach message trailers
• CVE-2020-27932 - iOS kernel type confusion with turnstiles

Piercing defenses

The complex chain of exploits is required to break through layers of defenses that are built into modern OSes and apps. Typically, the series of exploits are needed to exploit code on a targeted device, have that code break out of a browser security sandbox, and elevate privileges so the code can access sensitive parts of the OS.

Thursday’s post offered no details on the group responsible for the attacks. It would be especially interesting to know if the hackers are part of a group that’s already known to researchers or if it’s a previously unseen team. Also useful would be information about the people who were targeted.

The importance of keeping apps and OSes up to date and avoiding suspicious websites still stands. Unfortunately, neither of those things would have helped the victims hacked by this unknown group.