Hacking

A threat actor exploited 11 zero-day flaws in 2020 campaigns

A hacking group has employed at least 11 zero-day flaws as part of an operation that took place in 2020 and targeted Android, iOS, and Windows users.

Google’s Project Zero security team published a report about the activity of a mysterious hacking group that operated over the course of 2020 and exploited at least 11 zero-day vulnerabilities in its attacks on Android, iOS, and Windows users.

Google researchers observed two separate waves of attacks that took place in February and October 2020, respectively. Threat actors set up malicious sites in a series of watering hole attacks that were redirecting visitors to exploit servers hosting exploit chains for Android, Windows, and iOS devices.

“In October 2020, Google Project Zero discovered seven 0-day exploits being actively used in-the-wild. These exploits were delivered via “watering hole” attacks in a handful of websites pointing to two exploit servers that hosted exploit chains for Android, Windows, and iOS devices.” wrote the popular Project Zero researcher Maddie Stone. “These attacks appear to be the next iteration of the campaign discovered in February 2020 and documented in this blog post series.”

Since February 2020, the same hacking group set up at least a couple dozen websites in its attacks, experts noticed that the threat actors relied on both zero-day vulnerabilities and known flaws.

Nonetheless, the threat actor behind the attacks also showed the ability to replace zero-days on the fly once one was detected and patched by software vendors.

Below the exploits that were delivered based on the device and browser in the last wave of attacks:

Exploit ServerPlatformBrowserRenderer RCESandbox EscapeLocal Privilege Escalation
1iOSSafariStack R/W via Type 1 Fonts (CVE-2020-27930)Not neededInfo leak via mach message trailers (CVE-2020-27950)Type confusion with turnstiles (CVE-2020-27932)
1WindowsChromeFreetype heap buffer overflow(CVE-2020-15999)Not neededcng.sys heap buffer overflow (CVE-2020-17087)
1Android** Note: This was only delivered after #2 went down and CVE-2020-15999 was patched.ChromeV8 type confusion in TurboFan (CVE-2020-16009)UnknownUnknown
2AndroidChromeFreetype heap buffer overflow(CVE-2020-15999)Chrome for Android head buffer overflow (CVE-2020-16010)Unknown
2AndroidSamsung BrowserFreetype heap buffer overflow(CVE-2020-15999)Chromium n-dayUnknown

Below the list of zero-day flaws exploited in the February 2020 campaign:

while the zero-day flaws exploited in the October 2020 attacks are:

At the time of this writing, Google has yet to attribute these campaigns to any specific threat actor and it is still unclear if the attacks have been conducted by a nation-state actor.

“The vulnerabilities cover a fairly broad spectrum of issues – from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero.” concludes the post. “Project Zero closed out 2020 with lots of long days analyzing lots of 0-day exploit chains and seven 0-day exploits. When combined with their earlier 2020 operation, the actor used at least 11 0-days in less than a year.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

13 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

20 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.