During the campaign, attackers exploited both known vulnerabilities and zero-day vulnerabilities.
Google released a six-part report on a sophisticated cybercriminal operation targeting Android and Windows users that was discovered by Google early last year.
According to the first part of the report, the attacks were carried out from two servers that delivered different bundles of exploits to the attacked systems using the watering hole technique. One server was used to attack Windows users and the other was used to attack Android users.
As a point of entry into the attacked system, both servers exploited vulnerabilities in Google Chrome, and then the attackers deployed a system-level exploit to gain more control over the victim's device.
The exploit bundle included both known vulnerabilities and zero-day vulnerabilities. In particular, the attackers exploited four vulnerabilities in Google Chrome, one of which was a zero-day vulnerability at the time of discovery, two exploits to bypass the sandbox using three zero-day vulnerabilities, and a “privilege escalation suite”, which includes known vulnerabilities in older versions of Android.
Zero-day vulnerabilities in Google Chrome exploited by the attackers and patched in spring 2020:
CVE-2020-6418 - Vulnerability in the TurboFan optimizing compiler (fixed in February 2020);
CVE-2020-0938 - Vulnerability in Adobe Type Manager Library in Microsoft Windows (fixed in April 2020);
CVE-2020-1020 - Vulnerability in Adobe Type Manager Library in Microsoft Windows (fixed in April 2020);
CVE-2020-1027 - Windows privilege escalation vulnerability (fixed in April 2020).
Overall, Google experts described the exploit bundle as "efficient and flexible due to its modularity."
“It is well-designed, complex code with many new exploitation methods, sophisticated logging, sophisticated and calculated post-exploitation methods, and a large amount of anti-analytical and anti-target checks,” the report says.
Watering hole is a cyber attack strategy in which an attacker guesses or observes which websites the victim frequently visits and infects one or more of them with malware.