According to the company, the attacks took place through two exploit servers, which delivered different exploit chains via watering-hole attacks (the attackers compromise the websites a target organisation visits most and use them to serve malware).
The researchers said both exploit servers used Google Chrome vulnerabilities to gain initial access to the victims' devices. After the initial entry through the user's browser, the attackers used an OS-level exploit to gain more control over the victims' devices.
The exploit chains combined zero-day vulnerabilities (previously unknown flaws) and n-day vulnerabilities (flaws for which a patch exists but which attackers continue to exploit).
Google said the exploit servers contained:
- Four "renderer" bugs in Google Chrome (one of which was a zero-day when it was discovered).
- Two sandbox-escape exploits abusing three zero-day vulnerabilities in the Windows operating system.
- One "privilege escalation kit" consisting of well-known n-day exploits for older versions of Android.
Here are the four zero-day vulnerabilities used:
- CVE-2020-6418: Chrome vulnerability in TurboFan (fixed February 2020)
- CVE-2020-0938: Vulnerability in Windows (fixed April 2020)
- CVE-2020-1020: Vulnerability in Windows (fixed April 2020)
- CVE-2020-1027: Windows CSRSS vulnerability (fixed April 2020)
Google said the researchers found no evidence of Android zero-day exploits hosted on the exploit servers. However, it believes the attackers probably also had access to Android zero-days, which were simply not hosted there at the time the campaign was discovered.
Google: Exploit chains were sophisticated and well designed
Google described the exploit chains as "designed for efficiency and flexibility".
"It is well designed, complex code with a variety of innovative exploitation methods, sophisticated and calculated post-exploitation techniques and a large number of anti-detection checks," said Google.
Google also published reports detailing an "infinity bug" in Chrome used in the attacks, the Chrome exploit chains, the Android exploit chains, the post-exploitation steps on Android devices, and the Windows exploit chains.