Russian Hackers Exploit Chrome & Safari Flaw To Target Victims

Google’s Threat Analysis Group (TAG) has found evidence that recent hacking campaigns used exploits that were “identical or strikingly similar” to exploits previously used by the commercial surveillance vendors (CSVs) Intellexa and NSO Group.

According to the TAG report published on Thursday, Google assessed “with moderate confidence” that two watering hole campaigns targeting Mongolian government websites between November 2023 and July 2024 were carried out by the Russian government-backed hacking group APT29 (also known as Midnight Blizzard).

A watering hole attack is a form of cyberattack that targets a specific group by compromising legitimate websites its members frequently visit and using those sites to deliver malware.

“We assess with moderate confidence the campaigns are linked to the Russian government-backed actor APT29. In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group,” Clement Lecigne, a TAG researcher, wrote in the report.

Google’s investigation found that the threat actor embedded malicious code on the Mongolian government websites cabinet.gov[.]mn and mfa.gov[.]mn, compromising them between November 2023 and July 2024 by exploiting vulnerabilities in Safari on iPhone and in Google Chrome on Android.

For instance, the November 2023 (cabinet.gov[.]mn and mfa.gov[.]mn) and February 2024 (mfa.gov[.]mn) campaigns delivered an iOS WebKit exploit for CVE-2023-41993, an n-day vulnerability, to steal user account cookies stored in Safari. The payload was the same cookie stealer framework that TAG previously observed being used in 2021 in a suspected APT29 campaign.

“When visited with an iPhone or iPad device, the watering hole sites used an iframe to serve a reconnaissance payload, which performed validation checks before ultimately downloading and deploying another payload with the WebKit exploit to exfiltrate browser cookies from the device,” the report added.

“The WebKit exploit did not affect users running the current iOS version at the time (iOS 16.7), working only on iOS versions 16.6.1 or older. Users with lockdown mode enabled were not affected even when running a vulnerable iOS version.”

In July 2024, mfa.gov[.]mn was compromised again to deliver a Chrome exploit chain targeting CVE-2024-5274 and CVE-2024-4671, which deployed a Chrome information-stealing payload against Android users running Chrome versions m121 to m123.

“From a high level overview, the attack and end goal are essentially the same as the iOS one – using n-day vulnerabilities in order to steal credential cookies – with some differences on the technical side,” TAG said.
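The two exposure windows the report gives (iOS 16.6.1 or older for the WebKit exploit, Android Chrome m121 to m123 for the Chrome chain) are the kind of detail a site owner or CERT would use to triage web-server logs for visitors who may have been hit. The following is an added example, not code from the report or from Google; it assumes Apache-style combined access logs and uses constructed sample lines.

```python
import re
from typing import Optional

# Exposure windows taken from the TAG findings described above.
IOS_MAX_VULNERABLE = (16, 6, 1)             # WebKit exploit: iOS 16.6.1 or older
CHROME_VULNERABLE_MAJORS = range(121, 124)  # Android Chrome m121 to m123

IOS_RE = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))?")
CHROME_ANDROID_RE = re.compile(r"Android.*?Chrome/(\d+)\.")
# Assumed combined-log layout: client IP ... quoted request, status, size, referrer, UA.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \d+ "[^"]*" "([^"]*)"')

def ios_version(ua: str) -> Optional[tuple]:
    # 'CPU iPhone OS 16_6_1' or 'CPU OS 16_6' -> (16, 6, 1) / (16, 6, 0); None if not iOS
    m = IOS_RE.search(ua)
    return tuple(int(x) for x in m.groups(default="0")) if m else None

def chrome_android_major(ua: str) -> Optional[int]:
    # Chrome major version for Android Chrome user agents; None otherwise
    m = CHROME_ANDROID_RE.search(ua)
    return int(m.group(1)) if m else None

def classify_visitor(ua: str) -> str:
    """Map a user agent onto the campaign's exposure windows."""
    ios = ios_version(ua)
    if ios is not None and ios <= IOS_MAX_VULNERABLE:
        return "ios-exposed"
    if chrome_android_major(ua) in CHROME_VULNERABLE_MAJORS:
        return "android-exposed"
    return "outside-window"

def triage(log_lines):
    """Return {client_ip: verdict} for visitors whose browser fell inside a window."""
    exposed = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip, ua = m.groups()
        verdict = classify_visitor(ua)
        if verdict != "outside-window":
            exposed[ip] = verdict
    return exposed

# Constructed sample log lines (not real traffic) in Apache combined format.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Jul/2024:10:01:02 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 Version/16.6 Mobile/15E148 Safari/604.1"',
    '203.0.113.11 - - [12/Jul/2024:10:02:07 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7 like Mac OS X) AppleWebKit/605.1.15 Version/16.7 Mobile/15E148 Safari/604.1"',
    '203.0.113.12 - - [12/Jul/2024:10:03:11 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.64 Mobile Safari/537.36"',
    '203.0.113.13 - - [12/Jul/2024:10:04:15 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 14) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.50 Mobile Safari/537.36"',
]
```

The output is a candidate list for follow-up, not proof of compromise: user agents can be spoofed, and the log cannot show whether an iOS visitor had Lockdown Mode enabled, which the report says blocked the WebKit exploit.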

All three vulnerabilities mentioned above have been exploited before by either NSO Group or Intellexa. However, it remains unclear how APT29 gained initial access to the commercially available spyware.

“While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors,” the report states.

Upon discovering the exploits, Google said it immediately notified Apple, Alphabet’s Android and Google Chrome units, and the Mongolian CERT about the campaigns.

Even though the exploits targeted n-day vulnerabilities for which patches were already available during the suspected Russian campaign, Google noted that they would still effectively compromise unpatched devices.

Google’s findings highlight the continuing threat posed by watering hole attacks and by the reuse of n-day exploits that CSVs originally used as zero-days.

To safeguard against these threats, users and organizations are urged to apply patches quickly and keep operating systems and browsers fully up to date.

Also, they are advised to use strong, unique passwords for different accounts, enable two-factor authentication where possible, use a good VPN, and avoid opening suspicious links from emails and texts.

Kavita Iyer