
Sophisticated Hacks Against Android, Windows Reveal Zero-Day Trove

  • Elizabeth Montalbano--threatpost.com
  • published date: 2021-01-13 11:57:00 UTC

Watering-hole attacks executed by ‘experts’ exploited Chrome, Windows and Android flaws and were served from two exploit servers.

<div class="c-article__content js-reading-content"> <p>Google researchers have detailed a major hacking campaign that was detected in early 2020, which mounted a series of sophisticated attacks, some using zero-day flaws, against <a href="https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/" target="_blank" rel="noopener noreferrer">Windows</a> and <a href="https://threatpost.com/google-warns-of-critical-android-remote-code-execution-bug/162756/" target="_blank" rel="noopener noreferrer">Android</a> platforms.</p> <p>Working together, researchers from <a href="https://threatpost.com/2-zero-day-bugs-google-chrome/161160/" target="_blank" rel="noopener noreferrer">Google Project Zero</a> and the <a href="https://blog.google/threat-analysis-group/" target="_blank" rel="noopener noreferrer">Google Threat Analysis Group (TAG)</a> uncovered the attacks, which were “performed by a highly sophisticated actor,” Ryan from Project Zero wrote in the <a href="https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html" target="_blank" rel="noopener noreferrer">first</a> of a six-part blog series on their research.</p> <p>“We discovered two exploit servers delivering different exploit chains via watering-hole attacks,” he wrote. 
“One server targeted Windows users, the other targeted Android.”</p>
<p>Watering-hole attacks compromise websites that a targeted organization’s users visit often and inject them with malware, infecting victims’ machines and giving the attacker access when users browse to the compromised sites.</p>
<p>In the attacks that Google researchers uncovered, both the Windows and the Android exploit servers delivered Chrome exploits that executed malicious code remotely on victims’ devices. The exploits used against Windows included <a href="https://threatpost.com/apple-patches-bugs-zero-days/161010/" target="_blank" rel="noopener noreferrer">zero-day</a> flaws, while Android users were targeted with exploit chains built from known “n-day” exploits, though the researchers acknowledged it is possible that zero-day vulnerabilities were also used.</p>
<p>The team spent months analyzing the attacks, including examining what happened <a href="https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html" target="_blank" rel="noopener noreferrer">post-exploitation on Android devices</a>. In that case, additional payloads were delivered that collected device fingerprinting information, location data, a list of running processes and a list of installed applications for the phone.</p>
<h2>Zero-Day Bugs</h2>
<p>The researchers posted <a href="https://googleprojectzero.blogspot.com/p/rca.html" target="_blank" rel="noopener noreferrer">root-cause analyses</a> for each of the four zero-day vulnerabilities that they discovered being leveraged in the attacks on Windows users.</p>
<p>The first, <a href="https://googleprojectzero.blogspot.com/p/cve-2020-6418-chrome-incorrect-side.html" target="_blank" rel="noopener noreferrer">CVE-2020-6418</a>, is a type confusion bug in V8, the JavaScript engine in Google Chrome (specifically in its TurboFan optimizing compiler), that affects versions prior to 80.0.3987.122 and leads to remote code execution. It allows a remote attacker to potentially cause heap corruption via a crafted HTML page.</p>
<p>The second, <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0938" target="_blank" rel="noopener noreferrer">CVE-2020-0938</a>, is a trivial stack-corruption vulnerability in the Windows Font Driver. It can be triggered by loading a Type 1 font that includes a specially crafted <span class="c6">BlendDesignPositions</span> object. In the attacks, it was chained with <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1020" target="_blank" rel="noopener noreferrer">CVE-2020-1020</a>, another Windows Font Driver flaw, this time in the processing of the <span class="c10">VToHOrigin</span> PostScript font object, also triggered by loading a specially crafted Type 1 font. Both were used for privilege escalation.</p>
<p>“On Windows 8.1 and earlier versions, the vulnerability was chained with <span class="c5"><a class="c21" href="https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1020">CVE-2020-1020</a></span><span class="c13"> (a write-what-where condition) to first set up a second stage payload in RWX kernel memory at a known address, and then jump to it through this bug,” according to Google. “The exploitation process was straightforward because of the simplicity of the issue and high degree of control over the kernel stack. The bug was not exploited on Windows 10.”</span></p>
<p>And finally, <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1027" target="_blank" rel="noopener noreferrer">CVE-2020-1027</a> is a Windows heap buffer overflow in the Client/Server Run-Time Subsystem (CSRSS), an essential subsystem that must be running in Windows at all times. The issue was used as a sandbox escape in a browser exploit chain that, at times, used all four vulnerabilities.</p>
<p>“<span class="c2">This vulnerability was used in an exploit chain together with a 0-day vulnerability in Chrome (</span><span class="c0">CVE-2020-6418</span><span class="c2">). For older OS versions, even though they were also affected, the attacker would pair CVE-2020-6418 with a different privilege escalation exploit (</span><span class="c0">CVE-2020-1020</span><span class="c2"> and </span><span class="c0">CVE-2020-0938</span><span class="c2 c6 c12">).”</span></p>
<p>All have since been patched.</p>
<h2>Advanced Capabilities</h2>
<p>From their understanding of the attacks, researchers said that the threat actors were operating a “complex targeting infrastructure,” though, curiously, they did not use it every time.</p>
<p>“In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox,” according to researchers. “In these cases, the attacker took a slower approach: sending back dozens of parameters from the end user’s device, before deciding whether or not to continue with further exploitation and use a sandbox escape.”</p>
<p>Still other attack scenarios showed attackers choosing to fully exploit a system straightaway, or not attempting any exploitation at all, researchers observed.
“In the time we had available before the servers were taken down, we were unable to determine what parameters determined the ‘fast’ or ‘slow’ exploitation paths,” according to the post.</p>
<p>Overall, whoever was behind the attacks designed the exploit chains to be used modularly, for efficiency and flexibility, showing clear evidence that they are experts in what they do, researchers said.</p>
<p>“They [use] well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks,” according to the post.</p>
</div>