Revealed: Sophisticated ‘Watering Hole’ Attack – But By Whom?

Google’s Project Zero revealed a novel, complex, well-engineered campaign of targeted attacks. It sounds like another one of those “nation-state” attacks that researchers love to bang on about. But was it?

It all happened about a year ago. So why are they only talking about it now?

There are more questions than answers. In today’s SB Blogwatch, we fill in the blanks.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A Driver’s Last Hello.

Project Zero Keeps Schtum

What’s the craic? Catalin Cimpanu reports—“Google reveals sophisticated Windows and Android hacking operation”:

 The attacks were carried out via two exploit servers delivering different exploit chains via watering hole attacks. … Both exploit servers used Google Chrome vulnerabilities to gain an initial foothold. … Once an initial entry point was established in the user’s browsers, attackers deployed an OS-level exploit to gain more control of the victim’s devices.

Overall, Google described the exploit chains as “designed for efficiency & flexibility [using] well-engineered, complex code with a variety of novel exploitation methods.” … But Google stopped short of providing any other details about the attackers or the type of victims.

A nation-state, perhaps? Dan Goodin adds—“Not your average hackers”:

 Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws). … It does show above-average skill by a professional team of hackers.

The attackers obtained remote code execution by exploiting the Chrome zero-day and several recently patched Chrome vulnerabilities. All of the zero-days were used against Windows users. None of the attack chains targeting Android devices exploited zero-days, but the Project Zero researchers said it’s likely the attackers had Android zero-days at their disposal.

Says who? Google’s anonymous Project Zero gnomes blog thuswise—“In-the-Wild”:

 Project Zero has recently launched our own initiative aimed at researching new ways to detect 0-day exploits in the wild. Through partnering with the Google Threat Analysis Group (TAG), one of the first results of this initiative was the discovery of a watering hole attack in Q1 2020 performed by a highly sophisticated actor.

We understand this attacker to be operating a complex targeting infrastructure, though it didn’t seem to be used every time. In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox. In these cases, the attacker took a slower approach: sending back dozens of parameters from the end user’s device, before deciding whether or not to continue with further exploitation and use a sandbox escape. In other cases, the attacker would choose to fully exploit a system straight away (or not attempt any exploitation at all).

Exploitation aside, the modularity of payloads, interchangeable exploitation chains, logging, targeting and maturity of this actor’s operation set these apart. We hope that by sharing this information publicly, we are continuing to close the knowledge gap between private exploitation … and what is publicly known.

Sounds like Chrome is getting as bad as IE was. thegarbz doesn’t agree:

 Horse****. … Chrome is pretty much the opposite. … IE’s security structure didn’t exist and it employed an extension set which was actively insecure by design.

Chrome is the new IE in the way every software is the new IE, not in the “bad ways” but rather in the completely expected ways: it has bugs. [Don’t] pretend that there’s any software out there which doesn’t.

What about a colorful metaphor? panton41 bull’s-eyes womp rats:

 Computer security is like physical security. You can build an invincible space station the size of a small moon that can defeat an armada of capital ships with the most powerful weapons known, then the plans get leaked and some yokel farm boy from a desert planet comes along in a snub fighter, shoots a couple missiles down the exhaust pipes and BOOM! it’s all over.

Wait. Pause. What are we missing? raymorris reads between the lines:

 The Google team went into great detail about the vulnerabilities and the details of the exploit chains. Then nothing about what the attackers did after they achieved persistence.

They also said it was a watering hole attack, but I see no mention of what kind of watering holes — who the targets were. Given the level of detail about the exploits, I suspect that the reason there is no mention of the targets and what the bad [guys] did with the access is because that was a conscious decision to not publish that information.

I guess what we can glean from it is that the attackers were technically sophisticated and put a lot of time and effort into it. Typical ransomware attacks don’t normally require that level of effort. The attackers were probably doing something else, something that required spending all of that time.

I know, right? Crito agrees:

 Would love a list of affected websites, if just to know how wide of a net was being cast. Given it was a chain of several zero days, hoping the targeted users were pretty narrow.

Cutting to the chase, it’s sxpert:

 Sounds like a state actor, or their providers like NSO.

Meanwhile, YetAnotherAnonymousAppellation reminds us of the timeline:

 This is a report on something that happened almost a year ago.

And Finally:

A Driver’s Last Hello


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Gene Taylor (via Unsplash)


Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
