Google’s Threat Analysis Group (TAG) has discovered four in-the-wild 0-day campaigns targeting four separate vulnerabilities this year, all which can be particularly dangerous when exploited and have a high rate of success:
CVE-2021-33742 in Internet Explorer, and
CVE-2021-1879 in WebKit (Safari).
Over the past several months, TAG have discovered two Chrome renderer remote code execution 0-day exploits, CVE-2021-21166 and CVE-2021-30551, which they believe to be used by the same actor. CVE-2021-21166 was discovered in February 2021 while running Chrome 88.0.4323.182 and CVE-2021-30551 was discovered in June 2021 while running Chrome 91.0.4472.77.
According to TAG, both of these 0-days were delivered as one-time links sent by email to the targets, all of whom TAG believes were in Armenia. The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users. When a target clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client and generate ECDH keys to encrypt the exploits, and then send this data back to the exploit server. The information collected from the fingerprinting phase included screen resolution, timezone, languages, browser plugins, and available MIME types. This information was collected by the attackers to decide whether or not an exploit should be delivered to the target. Using appropriate configurations, TAG were able to recover two 0-day exploits (CVE-2021-21166 & CVE-2021-30551), which were targeting the latest versions of Chrome on Windows at the time of delivery.
After the renderer is compromised, TAG explains, an intermediary stage is executed to gather more information about the infected device including OS build version, CPU, firmware and BIOS information, likely collected in an attempt to detect virtual machines and deliver a tailored sandbox escape to the target. In TAG's environment, they did not receive any payloads past this stage. While analyzing CVE-2021-21166 TAG realized the vulnerability was also in code shared with WebKit and therefore Safari was also vulnerable. Apple fixed the issue as CVE-2021-1844. TAG do not have any evidence that this vulnerability was used to target Safari users.
The Safari exploit is used by a likely Russian government-backed actor, and is not connected to the other three exploits, TAG says. In this campaign, attackers used LinkedIn Messaging to target government officials from western European countries by sending them malicious links. If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next stage payloads. The campaign targeting iOS devices coincided with campaigns from the same actor targeting users on Windows devices to deliver Cobalt Strike, one of which was previously described by Volexity.
After several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879. This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an attacker-controlled IP, according to TAG. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, are mitigated in browsers with Site Isolation enabled such as Chrome or Firefox, TAG says.
Vishal Jain, Co-Founder and CTO at Valtix, says, "Attackers will always find ways to find zero-day vulnerabilities and get inside the enterprise network from the front door. This applies to both on-prem and public cloud environments. An important element of advanced cyberattacks are ping backs to command and control sites once a foothold is established. These infiltrations can exist for months on your network before they are discovered. Thus, enterprises need to have tools in place to have real-time visibility, monitor drifts and use a layered defense approach to limit the blast radius by preventing lateral movement of threats and putting proper security controls for outbound traffic to prevent exfiltration."
TAG's discovery of these exploits correlate to an increase in attackers using 0-day exploits, TAG says. Attackers needing more 0-day exploits to maintain their capabilities is a good thing, and it reflects increased cost of the attackers from security measures that close known vulnerabilities. However, the increasing demand for these capabilities and the ecosystem that supplies them is more of a challenge. 0-day capabilities used to be only the tools of select nation states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use.
Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, says, "The scariest cyber threats are the ones you can’t see coming. As IT security teams get better at protecting business from threat actors who exploit known vulnerabilities, these same actors are moving to sneak attack, or engineered, methods of hacking businesses. Zero-day attacks are increasing because they are simply becoming the path of least resistance. We are witnessing the economics of cyber security at play.
Bar-Dayan adds, "As my friend Andy Smeaton, DataRobot global CISO, recently said, ‘Cybersecurity is a race between cyber defenders and cyber threat actors. While cyber defenders need to patch and mitigate all vulnerabilities across all devices to protect their organization, just one vulnerability could be enough for cyber threat actors to compromise an entire organization. When it comes to zero-day, attackers will have a significant advantage. For any security pro, a zero-day vulnerability is the most challenging to protect against.’ I couldn’t agree more."
For more findings, please visit https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/