Attackers obtained remote code execution by exploiting zero-days and Chrome vulnerabilities

Google researchers have detailed a sophisticated hacking operation that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace the sites with code that installs malware on visitors’ devices. The booby-trapped sites made use of two exploit servers, one for Windows users and the other for users of Android.

Google said that both exploit servers used Google Chrome vulnerabilities to gain an initial foothold on victim devices. Once an initial entry point was established in the user’s browser, attackers deployed an OS-level exploit to gain more control of the victim’s device.

The exploit chains included a combination of both zero-day and n-day vulnerabilities, where zero-day refers to bugs unknown to the software makers, and n-day refers to bugs that have been patched but are still being exploited in the wild.

All in all, Google said the exploit servers contained:

  • Four “renderer” bugs in Google Chrome, one of which was still a 0-day at the time of its discovery.
  • Two sandbox escape exploits abusing three 0-day vulnerabilities in the Windows OS.
  • And a “privilege escalation kit” composed of publicly known n-day exploits for older versions of the Android OS.

Google said that while it did not find any evidence of Android zero-day exploits hosted on the exploit servers, its security researchers believe the threat actor most likely had access to Android zero-days as well, but was not hosting them on the servers at the time the researchers discovered them.

The four zero-days exploited were:

  • CVE-2020-6418: Chrome vulnerability in TurboFan (fixed February 2020)
  • CVE-2020-0938: Font vulnerability on Windows (fixed April 2020)
  • CVE-2020-1020: Font vulnerability on Windows (fixed April 2020)
  • CVE-2020-1027: Windows CSRSS vulnerability (fixed April 2020)

The attackers obtained remote code execution by exploiting the Chrome zero-day and several recently patched Chrome vulnerabilities. All of the zero-days were used against Windows users. None of the attack chains targeting Android devices exploited zero-days, but the Project Zero researchers said it’s likely the attackers had Android zero-days at their disposal.

In all, Project Zero published six installments detailing the exploits and post-exploit payloads the researchers found. Other parts outline a Chrome infinity bug, the Chrome exploits, the Android exploits, the post-Android exploitation payloads, and the Windows exploits.

The intention of the series is to assist the security community at large in more effectively combating complex malware operations. “We hope this blog post series provides others with an in-depth look at exploitation from a real-world, mature, and presumably well-resourced actor,” Project Zero researchers wrote.