Google reveals sophisticated Windows and Android hacking operation




Google today released a six-part report detailing a sophisticated hacking operation the company detected in early 2020 that targeted owners of Android and Windows devices.

The attacks were carried out through two exploit servers delivering different exploit chains via watering hole attacks, Google said.

“One server targeted Windows users, the other targeted Android,” Project Zero, one of Google’s security teams, said in the first of six blog posts.

Google said the two exploit servers used vulnerabilities in Google Chrome to gain an initial foothold on victim devices. Once an initial point of entry was established in users' browsers, the attackers deployed an operating system-level exploit to gain more control over the victims' devices.

The exploit chains included a combination of zero-day and n-day vulnerabilities, where zero-day refers to bugs unknown to software makers, and n-day refers to bugs that have been patched but are still being exploited in the wild.

Overall, Google said the exploit servers contained:

  • Four “renderer” bugs in Google Chrome, one of which was still a zero-day when discovered.
  • Two sandbox escape exploits abusing three zero-day vulnerabilities in the Windows operating system.
  • And a “privilege escalation kit” of publicly known n-day exploits for older versions of the Android operating system.

The four zero days, which were all corrected in spring 2020, were as follows:

Google said that while it found no evidence of Android zero-day exploits hosted on the exploit servers, its security researchers believe the threat actor likely had access to Android zero-days as well, but probably was not hosting them on the servers when its researchers discovered them.

Google: exploit chains were complex and well designed

Overall, Google described the exploit chains as “designed for efficiency and flexibility through their modularity.”

“This is a well-designed complex code with a variety of innovative logging methods, mature logging, sophisticated and calculated post-logging techniques, and high volumes of anti-scan and targeting checks,” Google said.

“We believe teams of experts designed and developed these exploit chains,” but Google declined to provide further details on the attackers or the type of victims they were targeting.

Along with its introductory blog post, Google also published reports detailing a Chrome “infinity bug” used in the attacks, the Chrome exploit chains, the Android exploit chains, the post-exploitation stages on Android devices, and the Windows exploit chains.

The details provided should allow other security vendors to identify attacks against their customers and to track down victims and other similar attacks carried out by the same threat actor.

The title of this article was updated shortly after publication, replacing the term “massive” with “sophisticated,” as there is no information on the scale of this operation to support the original wording.


