Google experts exposed sophisticated hacking campaign against Windows and Android users

Google exposed hacking campaign

Google published a large report detailing how they exposed a sophisticated hacking campaign that was discovered back in early 2020. The campaign targeted Android and Windows users, and attackers exploited for attacks four zero-day vulnerabilities.

The researchers say the attacks they discovered were carried out from two exploit servers (one for Android, the other for Windows) and used a watering hole technique.

Such attacks got their names due to the analogy with the tactics of predators that hunt at a watering hole, waiting for prey – animals that have come to drink. This term refers to attacks in which cybercriminals inject malicious code onto legitimate sites that redirects visitors, where the hackers want them.say Google researchers.

Both servers exploited vulnerabilities in Google Chrome to gain a foothold on victims’ devices. Next, the attackers deployed the exploit at the OS level in order to gain more control over the infected device.

Google exposed hacker campaign
Overall scheme of the attack

The attacker’s exploit chains presented combinations of zero-day vulnerabilities, as well as other recent issues that the developers have already fixed. So, four errors in Google Chrome were related to the renderer, and one of them at the time of detection was 0-day. In Windows, hackers exploited two zero-day vulnerabilities that allowed them to escape the sandbox.

In addition, the attackers had a “privilege escalation suite” of well-known exploits for known vulnerabilities in Android. At the same time, experts note that the hackers supposedly used 0-day vulnerabilities in Android, they simply did not store exploits for them on the discovered server.

The four above mentioned 0-day bugs are:

  • CVE-2020-6418 — Chrome vulnerability in TurboFan (fixed in February 2020);
  • CVE-2020-0938 — Windows font vulnerability (fixed in April 2020);
  • CVE-2020-1020 — Windows font vulnerability (fixed in April 2020);
  • CVE-2020-1027 — Windows CSRSS vulnerability (fixed in April 2020).

Attackers’ exploit chains are described by experts as tools “designed to be more efficient and flexible through their modularity”.

This is well-designed, complex code with many new exploitation methods, serious logging, complex and calculated post-exploitation methods, and a lot of anti-analytical and targeted checks. We believe these exploit chains were designed and developed by teams of experts.the report says.

Unfortunately, Google has not yet released any details about the attackers themselves or the victims they targeted.

By the way, as we reported, Gridinsoft becomes Google’s information security partner.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *