Google: four zero-day flaws have been exploited in the wild

Google security experts revealed that Russia-linked APT group targeted LinkedIn users with Safari zero-day.

Security researchers from Google Threat Analysis Group (TAG) and Google Project Zero revealed that four zero-day vulnerabilities have been exploited in the wild earlier this year.

The four security flaws were discovered earlier this year and affect Google Chrome, Internet Explorer, and WebKit browser engine. Below the list of the zero-day issues disclosed by the experts:

• CVE-2021-1879: Use-After-Free in QuickTimePluginReplacement
• CVE-2021-21166: Chrome Object Lifecycle Issue in Audio
• CVE-2021-30551: Chrome Type Confusion in V8
• CVE-2021-33742: Internet Explorer out-of-bounds write in MSHTML

The vulnerabilities were exploited in three different campaigns analyzed by the researchers, it is interesting to note that three out of four exploits were developed by the same surveillance firm,. The fourth exploit (CVE-2021-1879) was likely developed by a Russia-linked APT group.

“The four exploits were used as a part of three different campaigns. As is our policy, after discovering these 0-days, we quickly reported to the vendor and patches were released to users to protect them from these attacks.” reads the post published by Google. “We assess three of these exploits were developed by the same commercial surveillance company that sold these capabilities to two different government-backed actors. Google has also published root cause analyses (RCAs) on each of the 0-days.”

Google researchers also provide information about the exploitation of zero-day vulnerabilities in attacks that took place in the first half of 2021. According to the experts, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year, 11 more than the total number from zero-day exploits used in attacks during 2020.

The CVE-2021-1879 vulnerability exploited by the Russia-linked cyberespionage group resides in the WebKit flaw, it could be exploited by an attacker to trick the victims into processing maliciously crafted web content that can lead to universal cross-site scripting attacks.

“Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory published by Apple that addressed the flaw in March with the release of out-of-band updates for iOS, iPadOS, macOS and watchOS.

The IT giant addressed the issue by improving the management of object lifetimes.

The CVE-2021-1879 was reported by Clement Lecigne of Google Threat Analysis Group and Billy Leonard of Google Threat Analysis Group.

Google researchers explained that the zero-day was used in attacks aimed at government officials from western European countries.

“In this campaign, attackers used LinkedIn Messaging to target government officials from western European countries by sending them malicious links. If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next stage payloads. The campaign targeting iOS devices coincided with campaigns from the same actor targeting users on Windows devices to deliver Cobalt Strike, one of which was previously described by Volexity.” continues the report.

“After several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-​2021-1879.”

Google researchers did not attribute the attacks to a specific APT group, however, Microsoft researchers who investigated the campaign attributed them to Nobelium.

The NOBELIUM APT is the threat actor that conducted the supply chain attack against SolarWinds which involved multiple families of implants, including the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and GoldFinder backdoors.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]