Google has released new details about four zero-day security vulnerabilities that were exploited in the wild earlier this year. Discovered by Google’s Threat Analysis Group (TAG) and Project Zero researchers, the four zero-days were used as part of three targeted malware campaigns that exploited previously unknown flaws in Google Chrome, Internet Explorer, and WebKit, the browser engine used by Apple’s Safari.
Google’s researchers also noted that 2021 has been a particularly active year for in-the-wild zero-day attacks. So far this year, 33 zero-day exploits used in attacks have been publicly disclosed — 11 more than the total number from 2020.
Google attributes some of the uptick in zero-days to greater detection and disclosure efforts, but said the rise is also due to the proliferation of commercial vendors selling access to zero-day vulnerabilities as compared to the early 2010s.
“0-day capabilities used to be only the tools of select nation states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use,” Google said in a blog post. “In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities. No longer do groups need to have the technical expertise, now they just need resources. Three of the four 0-days that TAG has discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors.”
With the Safari zero-day campaign, hackers used LinkedIn Messaging to target government officials from western European countries, sending malicious links that directed targets to attacker controlled domains. If the target clicked on the link from an iOS device, the infected website would initiate the attack via the zero-day.
“This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an attacker-controlled IP,” Google TAG researchers said. “The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.”
Google researchers said the attackers were likely part of a Russian government-backed actor abusing this zero-day to target iOS devices running older versions of iOS (12.4 through 13.7). Google’s security team reported the zero-day to Apple, which issued a patch on March 26 through an iOS update.
The two Chrome vulnerabilities were renderer remote code execution zero-days and are believed to have been used by the same actor. Both of the zero-days were targeting the latest versions of Chrome on Windows and were delivered as one-time links sent via email to the targets. When a target clicked the link, they were sent to attacker-controlled domains and their device was fingerprinted for information that the attackers used to determine whether or not to deliver the exploit. Google said all of targets were in Armenia.
With the Internet Explorer vulnerability, Google said its researchers discovered a campaign targeting Armenian users with malicious Office documents that loaded web content within the browser.
“Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world,” Google said.
Google also published root cause analysis for all four zero-days: