Google publishes details of advanced hack with four zero-days


Google has released details about an attack on Android and Windows devices that took place nearly a year ago. The attackers used several zero-days and known vulnerabilities, including a sandbox escape and a privilege escalation.

Details of the hack are given in a six-part blog post series from Google's Project Zero team. It describes a targeted watering-hole attack, in which a domain that a victim frequently uses or visits is infected with malware. It is described as an advanced attack in which the hackers used complex code and many different types of exploits. The attackers also managed to circumvent detection techniques.

In the attack, the hackers exploited four bugs in Google Chrome, one of which was a zero-day. They also used three zero-days in Windows, two of which were in the operating system's font library, to perform two sandbox escapes. For Android, an already known exploit was used to perform a privilege escalation. The zero-day in Chrome, CVE-2020-6418, was in the TurboFan component and was fixed last February. The Windows vulnerabilities were in the Adobe Type Manager Font Driver, namely CVE-2020-0938 and CVE-2020-1020. There was also a buffer overflow vulnerability in CSRSS, CVE-2020-1027. The last three were patched in April.

The attackers gained entry via iframes on websites. After that, a zero-day in Chrome was used; on Windows, a zero-day was also used first to escape from the sandbox. A privilege escalation was then performed, which allowed a payload to be installed on the system.

Google noted some notable aspects of the malware. For example, the attackers added logging to the Android malware. In addition, detailed information was sent to the command-and-control servers if errors occurred while the malware was running. Google says the attackers were so sophisticated that they most likely also had access to zero-days on Android, but the researchers did not come across any. The company also does not say who the attacks were aimed at or who was behind them.
