Google’s Threat Analysis Group (TAG) has discovered four new separate zero-day vulnerabilities. They exist in popular web browsers such as Chrome, Safari, and Internet Explorer. State-sponsored threat groups were observed exploiting these flaws in separate campaigns.
What was discovered?
According to Google, around 33 zero-day exploits, so far, have been used in attacks that were publicly revealed this year. It is 11 more than the total number of zero-day exploits observed last year.
According to a recent revelation, a commercial surveillance software vendor has developed three exploits for the new zero-day flaws.
Moreover, two government-backed threat groups have purchased those exploits to use in their attack campaigns.
Two of the exploits were used to abuse vulnerabilities in Chrome. One of the two zero-day flaws (CVE-2021-21166) was detected in February and the other (CVE-2021-30551) in June.
All four vulnerabilities have now been patched by the respective vendors.
The attack vector used
Exploits for both RCE flaws (CVE-2021-21166 and CVE-2021-30551) that exist in the Chrome renderer were propagated with one-time links sent via email to targeted Armenian individuals.
Recipients who clicked on the links were led to a webpage that was created to gather system information, along with other data such as time zone, screen resolution, browser plug-ins, and language.
The attack chain involved an intermediate phase, in which attacks were found to be collecting other information such as the CPU and BIOS information and CPU and OS version.
Furthermore, a Russian threat actor was observed delivering an exploit for the Webkit vulnerability (CVE-2021-1844) in a credential theft campaign aimed at multiple organizations in Western Europe.
Today, nation-state cybercriminals appear more interested in finding and exploiting new zero-day vulnerabilities than ever. For this, they often head towards security and surveillance software developers with expertise in this area. This further results in the evolution of vendors that are commercially involved in the business of surveillance software and zero-day exploits. Therefore, the number of zero-day exploits being disclosed and used for attacks may increase in the near future.