A particularly capable group of attackers exploited 11 zero-days over the past year, that is, security vulnerabilities that were unknown at the time and therefore unpatched. The operating systems Windows, Android, and iOS were affected.
The attacks were discovered by Google’s Project Zero and Threat Analysis Group, which had already published information about the individual security vulnerabilities.
In a blog post, security researcher Maddie Stone of Project Zero now describes the background of the vulnerabilities, all of which have since been patched.
According to the post, Google discovered the first four actively exploited zero-days in February 2020. In October 2020, Google again noticed attacks by the same group, which this time used a total of seven zero-days. Several zero-days were chained together so that a device could be taken over from the browser through to the operating system. This so-called chaining of vulnerabilities is not uncommon.
One such chain targeted a fully patched Windows 10 system running an up-to-date Chrome browser. Two partial chains targeted fully patched Android 10 devices using the Samsung browser or Chrome.
In addition, the group had remote code execution (RCE) exploits for iOS 11 to 13 as well as a privilege escalation vulnerability for iOS 13 in its repertoire. These weaknesses were only fixed in iOS 14.1.
However, Stone notes that only iOS, Android, and Windows were tested against the exploit servers while they were still online. Other exploit chains could therefore have existed.
According to the post, the exploits were hosted on websites frequented by the victims, in so-called watering hole attacks. Visitors were identified by IP address and user agent. If this fingerprinting matched, an iframe pointing to the exploit server was injected into the page, which ultimately compromised the victim’s device.
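The injection step described above leaves a recognizable trace in the served HTML: an off-origin iframe that is hidden or zero-sized. The following is an added example, not code from the article or from Project Zero, of a defender-side check that parses a page and reports such iframes. The sample HTML and all host names in it are constructed placeholders.

```python
"""Added example (not from the article or from Project Zero): report iframes
that point off-origin and are hidden or zero-sized, the pattern an injected
exploit-server iframe leaves in a watering-hole page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one relative (same-origin) embed, one visible
# third-party embed, and one hidden zero-sized iframe to a placeholder host.
SAMPLE_HTML = """
<html><body>
<h1>Regional news</h1>
<iframe src="/embed/weather" width="300" height="200"></iframe>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<p>Article text ...</p>
<iframe src="https://attacker-placeholder.example/landing"
        width="0" height="0" style="display: none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); a bare attribute has value None
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """True if the iframe is hidden via CSS, a bare hidden attribute, or 0x0 size."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "hidden" in attrs:
        return True
    for key in ("width", "height"):
        val = (attrs.get(key) or "").strip().lower().rstrip("px")
        if val.isdigit() and int(val) == 0:
            return True
    return False


def find_suspicious_iframes(html, page_origin):
    """Return the src of every iframe that is both off-origin and hidden.

    page_origin is the URL of the page being inspected; relative srcs and
    same-host srcs are treated as first-party and never reported.
    """
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_origin).hostname
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        off_origin = host is not None and host != page_host
        if off_origin and _is_hidden(attrs):
            findings.append(src)
    return findings


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "https://news.example.com/"):
        print("hidden off-origin iframe:", src)
```

Run against SAMPLE_HTML the check reports only the hidden zero-sized iframe; the relative embed and the visible third-party video frame are left alone. A real deployment would fetch pages with several user agents and from several network locations, since the fingerprinting described above means a single crawler may never be served the injected frame.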
“The vulnerabilities cover a fairly wide range of problems – from a modern JIT vulnerability to multiple font errors,” writes Stone. Each exploit demonstrated expertise both in exploit development and in the exploited vulnerability itself.
In the case of the FreeType zero-day in Chrome, the exploitation method was new to Google’s Project Zero. In addition, the obfuscation techniques were varied and time-consuming to analyze, Stone explains.
First four zero-days (February 2020):
- CVE-2020-6418 – Chrome vulnerability in TurboFan
- CVE-2020-0938 – Font vulnerability in Windows
- CVE-2020-1020 – Font vulnerability in Windows
- CVE-2020-1027 – Windows CSRSS vulnerability
Another seven zero-days (October 2020):
- CVE-2020-15999 – Heap buffer overflow in Chrome’s FreeType
- CVE-2020-17087 – Windows heap buffer overflow in cng.sys
- CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation
- CVE-2020-16010 – Heap buffer overflow in Chrome for Android
- CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts
- CVE-2020-27950 – iOS XNU kernel memory disclosure in Mach message trailers
- CVE-2020-27932 – iOS kernel type confusion with turnstiles