According to one of Google’s security teams, a mysterious hacking group deployed at least 11 zero-day vulnerabilities as part of a persistent hacking operation during 2020, targeting Android, iOS and Windows users.

The attacks, which took place in two separate time frames in February and October 2020, each relied on luring users to malicious sites that redirected victims to exploit servers.

These exploit servers hosted multiple vulnerabilities strung together into so-called exploit chains. The bugs in a chain allow an attacker to gain an initial foothold on a user’s device, escape the browser’s sandbox, and then elevate privileges on the underlying OS to gain persistence.

Attackers do not always rely solely on zero-days, but combine zero-days with older vulnerabilities that have already been patched.

Nonetheless, the threat actors behind the attacks also demonstrated the ability to replace zero-day exploits on the fly when software vendors detected and patched them.

11 zero-days deployed in two different campaigns

Google’s Project Zero security team details the February 2020 and October 2020 hacking campaigns in a January report and a second report published today.

The zero-days used in the February 2020 hacking campaign include:

CVE-2020-6418 – Chrome TurboFan vulnerability (fixed February 2020)
CVE-2020-0938 – Windows font vulnerability (fixed April 2020)
CVE-2020-1020 – Windows font vulnerability (fixed April 2020)
CVE-2020-1027 – Windows CSRSS vulnerability (fixed April 2020)

Image: Google Project Zero

The zero-days used in the campaign in late October 2020 include:

CVE-2020-15999 – Chrome FreeType heap buffer overflow (fixed October 2020)
CVE-2020-17087 – Windows heap buffer overflow in cng.sys (fixed November 2020)
CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation (fixed November 2020)
CVE-2020-16010 – Chrome for Android heap buffer overflow (fixed November 2020)
CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts (fixed November 2020)
CVE-2020-27950 – iOS XNU kernel memory disclosure in mach message trailers (fixed November 2020)
CVE-2020-27932 – iOS kernel type confusion with turnstiles (fixed November 2020)

Image: Google Project Zero

APT or hacker-for-hire company: unknown

Google’s security experts have not officially attributed these campaigns to any particular group, and all attribution options remain under consideration, including state-sponsored groups and private hacker-for-hire companies.

What is indisputable, however, is that the threat actors are highly capable, able to discover and deploy zero-day exploits across a variety of platforms and software.

“The vulnerabilities cover a fairly broad spectrum of issues, from a modern JIT vulnerability to a large cache of font bugs. Overall, each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited,” said Maddie Stone, a member of the Google Project Zero team.