A threat actor exploited 11 zero-day flaws in 2020 campaigns

A hacking group has employed at least 11 zero-day flaws as part of an operation that took place in 2020 and targeted Android, iOS, and Windows users.

Google’s Project Zero security team published a report about the activity of a mysterious hacking group that operated over the course of 2020 and exploited at least 11 zero-day vulnerabilities in its attacks on Android, iOS, and Windows users.

Google researchers observed two separate waves of attacks that took place in February and October 2020, respectively. Threat actors set up malicious sites in a series of watering hole attacks that were redirecting visitors to exploit servers hosting exploit chains for Android, Windows, and iOS devices.

“In October 2020, Google Project Zero discovered seven 0-day exploits being actively used in-the-wild. These exploits were delivered via “watering hole” attacks in a handful of websites pointing to two exploit servers that hosted exploit chains for Android, Windows, and iOS devices.” wrote the popular Project Zero researcher Maddie Stone. “These attacks appear to be the next iteration of the campaign discovered in February 2020 and documented in this blog post series.”

Since February 2020, the same hacking group set up at least a couple dozen websites in its attacks, experts noticed that the threat actors relied on both zero-day vulnerabilities and known flaws.

Nonetheless, the threat actor behind the attacks also showed the ability to replace zero-days on the fly once one was detected and patched by software vendors.

Below the exploits that were delivered based on the device and browser in the last wave of attacks:

Exploit Server	Platform	Browser	Renderer RCE	Sandbox Escape	Local Privilege Escalation
1	iOS	Safari	Stack R/W via Type 1 Fonts (CVE-2020-27930)	Not needed	Info leak via mach message trailers (CVE-2020-27950)Type confusion with turnstiles (CVE-2020-27932)
1	Windows	Chrome	Freetype heap buffer overflow(CVE-2020-15999)	Not needed	cng.sys heap buffer overflow (CVE-2020-17087)
1	Android** Note: This was only delivered after #2 went down and CVE-2020-15999 was patched.	Chrome	V8 type confusion in TurboFan (CVE-2020-16009)	Unknown	Unknown
2	Android	Chrome	Freetype heap buffer overflow(CVE-2020-15999)	Chrome for Android head buffer overflow (CVE-2020-16010)	Unknown
2	Android	Samsung Browser	Freetype heap buffer overflow(CVE-2020-15999)	Chromium n-day	Unknown

Below the list of zero-day flaws exploited in the February 2020 campaign:

CVE-2020-6418 – Chrome Vulnerability in TurboFan
CVE-2020-0938 – Font Vulnerability on Windows
CVE-2020-1020 – Font Vulnerability on Windows
CVE-2020-1027 – Windows CSRSS Vulnerability

while the zero-day flaws exploited in the October 2020 attacks are:

CVE-2020-15999 – Chrome Freetype heap buffer overflow
CVE-2020-17087 – Windows heap buffer overflow in cng.sys
CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation
CVE-2020-16010 – Chrome for Android heap buffer overflow
CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts
CVE-2020-27950 – iOS XNU kernel memory disclosure in mach message trailers
CVE-2020-27932 – iOS kernel type confusion with turnstiles

At the time of this writing, Google has yet to attribute these campaigns to any specific threat actor and it is still unclear if the attacks have been conducted by a nation-state actor.

“The vulnerabilities cover a fairly broad spectrum of issues – from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero.” concludes the post. “Project Zero closed out 2020 with lots of long days analyzing lots of 0-day exploit chains and seven 0-day exploits. When combined with their earlier 2020 operation, the actor used at least 11 0-days in less than a year.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.