Watering Hole Operation Leveraged Zero-Day Exploits
Google Project Zero Offers Analysis of Hacking Campaign
Google's Project Zero security team is describing its discovery last year of a complex "watering hole" operation that used four zero-day exploits to target Windows and Android mobile devices.
The attack was discovered and stopped in the first quarter of 2020, but the Project Zero team, along with Google Threat Analysis Group, did not disclose details until now because it took months to analyze the complex operation.
The threat actors behind the campaign used two exploit servers - one targeting Android devices and the other Windows devices - that each utilized separate attack chains, Google reports.
The exploit chains were "well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques and high volumes of anti-analysis and targeting checks," Project Zero notes. "We believe that teams of experts have designed and developed these exploit chains."
After the researchers discovered the two exploit servers, they uncovered a wealth of information about the attackers, including their exploitation of four flaws in Google Chrome, one of them a zero-day, as well as three zero-day flaws in Windows.
The four zero-day vulnerabilities are:
- CVE-2020-6418: This vulnerability in Chrome's TurboFan feature, if exploited, enabled a remote attacker to abuse a heap corruption through a crafted HTML page.
- CVE-2020-0938: This remote code execution vulnerability enabled an attacker to target certain versions of Windows by taking advantage of a flaw in the Adobe Type Manager Library.
- CVE-2020-1020: This remote code execution vulnerability in Windows is related to a flaw in the Adobe Type Manager Library.
- CVE-2020-1027: This elevation of privilege flaw is found in certain versions of Windows.
The zero-day vulnerability in Chrome was patched in February 2020, while the three Windows flaws were fixed in April, according to the report.
The Google report notes that the researchers discovered a "privilege escalation kit" designed to take advantage of unpatched vulnerabilities in older versions of Android, but it says it found no evidence the attackers exploited Android vulnerabilities.
The Google researchers determined that the attackers likely planted malware on certain websites that victims frequented. That malware would exploit a flaw in Chrome to gain a foothold within the victim's browser.
From there, the threat actors exploited one of the four zero-day flaws, enabling them to gain further control over the operating system and the device, according to the report.
"In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox. In these cases, the attacker took a slower approach: sending back dozens of parameters from the end user's device, before deciding whether or not to continue with further exploitation and use a sandbox escape," according to the report. "In other cases, the attackers would choose to fully exploit a system straight away - or not attempt any exploitation at all."
Hank Schless, senior manager of security solutions at mobile security firm Lookout, says watering holes, frequently used to lure targets to malicious websites, can open the door to phishing the victim for login credentials.
"Once the target visits the malicious site, the attacker can phish the victim for login credentials, deliver a malicious app, or exploit a vulnerability in the web browser to gain access to the administrative privileges on the device itself," he says. "This attack chain is viable for targeting both mobile and desktop users, but has a greater chance of success on mobile devices because of their smaller screens and simplified user experience."