Image: Google Project Zero

Google has published a six-part report today detailing a sophisticated hacking operation that the company detected in early 2020 and which targeted owners of both Android and Windows devices.

The attacks were carried out via two exploit servers delivering different exploit chains via watering hole attacks[1], Google said today.

"One server targeted Windows users, the other targeted Android," Project Zero, one of Google's security teams, said in the first of six blog posts[2].

Google said that both exploit servers used Google Chrome vulnerabilities to gain an initial foothold on victim devices. Once an initial entry point was established in the user's browser, the attackers deployed an OS-level exploit to gain more control of the victim's device.

The exploit chains included a combination of both zero-day and n-day vulnerabilities, where zero-day refers to bugs unknown to the software makers, and n-day refers to bugs that have been patched but are still being exploited in the wild.

All in all, Google said the exploit servers contained:

  • Four "renderer" bugs in Google Chrome, one of which was still a 0-day at the time of its discovery.
  • Two sandbox escape exploits abusing three 0-day vulnerabilities in the Windows OS.
  • And a "privilege escalation kit" composed of publicly known n-day exploits for older versions of the Android OS.

The four zero-days, all of which were patched in the spring of 2020, were as follows:

Google said that while it did not find any evidence of Android zero-day exploits hosted on the exploit servers, its security researchers believe the threat actor most likely had access to Android zero-days as well, but was not hosting them on the servers at the time the researchers discovered them.

Google: Exploit chains were complex and well-engineered

Overall, Google described the exploit

Read more from our friends at ZDNet