A group of hackers exploited a total of 11 zero-day vulnerabilities and a group of compromised websites to infect fully patched iOS, Android, and Windows devices.
A blog post by Google’s Project Zero team details how the hacks began in February 2020 and went on for at least eight months. The attacks use a large range of techniques, vulnerability types, and attack vectors.
As reported by ArsTechnica, the first four zero-days targeted Android and Windows machines running Chrome. Over the following eight months, the hackers expanded the scope of the attacks to include seven vulnerabilities that impacted iOS and Safari. Various compromised websites were used to distribute various exploits, tailored to the target device and web browser used.
The hacking group was able to respond quickly, deploying new attacks when security patches were applied. The report says the flexibility of the attacks indicates a high level of skill among the bad actors deploying the attacks.
“Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero,” wrote Project Zero researcher Maddie Stone. “The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out.”
For more information and details of the attacks, visit the Google Project Zero blog.
(Via AppleInsider)
