Hacking group used 11 zero-days to attack Windows, iOS, Android users

Project Zero, Google’s zero-day bug-hunting team, discovered a group of hackers that used 11 zero-days in attacks targeting Windows, iOS, and Android users within a single year.

The Project Zero team revealed that the hacking group behind these attacks ran two separate campaigns, in February and October 2020.

This month’s report showcases the use of seven zero-days. It follows an earlier report, published in January, that showed how four zero-days were used together with n-day exploits to hack potential targets.

Just as before, the attackers used a couple of dozen websites hosting two exploit servers, each of them targeting iOS and Windows or Android users.

“In our testing, both of the exploit servers existed on all of the discovered domains,” Project Zero team member Maddie Stone said.

“After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers.”

Figure: Attack flow (Project Zero)

All in all, while analyzing the October 2020 campaign, the Project Zero researchers found:

  • one full exploit chain targeting fully patched Windows 10 using Google Chrome
  • two partial chains targeting 2 different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser
  • several RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (with the exploited bugs present up to iOS 14.1)

“When combined with their earlier 2020 operation, the actor used at least 11 0-days in less than a year,” Stone added.

The 11 zero-days used to build the exploit chains during last year’s attacks include:

  • CVE-2020-6418 – Chrome Vulnerability in TurboFan (February 2020)
  • CVE-2020-0938 – Font Vulnerability on Windows (February 2020)
  • CVE-2020-1020 – Font Vulnerability on Windows (February 2020)
  • CVE-2020-1027 – Windows CSRSS Vulnerability (February 2020)
  • CVE-2020-15999 – Chrome Freetype heap buffer overflow (October 2020)
  • CVE-2020-17087 – Windows heap buffer overflow in cng.sys (October 2020)
  • CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation (October 2020)
  • CVE-2020-16010 – Chrome for Android heap buffer overflow (October 2020)
  • CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts (October 2020)
  • CVE-2020-27950 – iOS XNU kernel memory disclosure in mach message trailers (October 2020)
  • CVE-2020-27932 – iOS kernel type confusion with turnstiles (October 2020)

Each of the discovered exploits revealed an expert understanding of both the vulnerability being exploited and exploit development.

Additionally, in the case of the Chrome Freetype zero-day, the exploitation method used by this hacking group was new to Project Zero.

“Exploitation aside, the modularity of payloads, interchangeable exploitation chains, logging, targeting, and maturity of this actor’s operation set these apart,” Project Zero added.

“The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out.”

Source: https://www.bleepingcomputer.com/news/security/hacking-group-used-11-zero-days-to-attack-windows-ios-android-users/
