So, what do we have here? We have multiple zero-day flaws. A months-long attack campaign. And a group of exceptionally sophisticated hackers.
A threat actor group exploited 11 zero-day vulnerabilities in a campaign that lasted for nine sweet months. This attack leveraged compromised websites to infect fully patched devices running iOS, Android, and Windows.
A bit of backstory
- In February 2020, Google TAG and Project Zero discovered a watering hole attack conducted by a highly advanced threat actor. Four zero-day flaws (CVE-2020-6418, CVE-2020-0938, CVE-2020-1027, and CVE-2020-1027) were being delivered in various exploit chains targeting Windows, Android, and Chrome.
- In October 2020, the same threat actor made a comeback and abused seven zero-days (CVE-2020-15999, CVE-2020-17087, CVE-2020-16009, CVE-2020-16010, CVE-2020-27930, CVE-2020-27950, CVE-2020-27932) in the wild.
About the attack
- All the exploits were delivered via watering hole attacks that redirected targets to infrastructure that installed different malware depending on the victim's browser and device.
- While the two servers spotted in February exploited only Windows and Android, the October campaign targeted iOS devices too.
The bottom line
As of now, the threat actor responsible for these exploits is unknown, as is the number of people affected. This incident only further highlights the importance of keeping apps and operating systems updated and patched. However, what's jarring is that, because every flaw was a zero-day, none of these defenses could have protected anyone from these attackers.