Google's vulnerability response team reports that '11 unknown vulnerabilities were used by skilled hackers'



Google's security team Project Zero, which specializes in zero-day attacks that take advantage of software vulnerabilities for which no countermeasures are yet available, said that a hacker group targeting devices running Windows, iOS, and Android used seven zero-day vulnerabilities. What appears to be the same group is believed to have used four zero-day vulnerabilities in January-February 2020, which means it carried out its attacks with a total of 11 zero-day vulnerabilities.

Project Zero: In-the-Wild Series: October 2020 0-day discovery
https://googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html



“Expert” hackers used 11 zerodays to infect Windows, iOS, and Android users | Ars Technica

https://arstechnica.com/information-technology/2021/03/expert-hackers-used-11-zerodays-to-infect-windows-ios-and-android-users/

Project Zero researcher Maddie Stone reported on March 18, 2021 on a hacker group that used seven zero-day vulnerabilities. The group is said to conduct watering hole attacks, in which it tampers with a website the targets visit, injects malware, and delivers that malware to the devices of visiting users.

The group runs chained attacks built with solid code and multiple techniques, and the security team describes it as 'very sophisticated.' Project Zero had identified the group launching a watering hole attack targeting Windows and Android users in January-February 2020. At that time, the group was using four zero-day vulnerabilities, and it appears it was able to attack even Chrome with the latest patch applied.

What is the 'very sophisticated cyber attack' method discovered by Google's vulnerability countermeasure team? --GIGAZINE



In October 2020, eight months after its last discovery, Project Zero discovered that the same group was conducting a watering hole attack using seven zero-day vulnerabilities. The targeted 'watering hole' website identified the visitor's browser and operating system and redirected to a page with the best attack method for each. Even after patches were applied following Project Zero's previous report and the previously used zero-day vulnerabilities became unavailable, the group immediately mounted attacks using new zero-day vulnerabilities.

The seven zero-day vulnerabilities are as follows. This time, zero-day vulnerabilities used to attack iOS devices were discovered in addition to those for Windows and Android.

CVE-2020-15999: Heap buffer overflow in Freetype, Chrome's font rendering library
CVE-2020-17087: Heap buffer overflow in cng.sys on Windows
CVE-2020-16009: Type confusion in map deprecation in TurboFan, Chrome's compiler
CVE-2020-16010: Heap buffer overflow in Chrome for Android
CVE-2020-27930: Arbitrary stack read/write via Type 1 fonts in Safari
CVE-2020-27950: iOS XNU kernel memory disclosure in mach message trailers
CVE-2020-27932: iOS kernel type confusion with turnstiles



'These vulnerabilities cover a fairly wide range of issues, from the latest just-in-time compilers to large caches of font bugs,' Stone said in a post. The analysis reportedly took a long time because the attack methods were obfuscated, and some of the methods appeared to be novel to Project Zero.

Detailed information about the group that carried out the series of attacks has not been made clear, and it remains to be seen whether the hackers are members of an already known group or a new group.

in Security, Posted by log1h_ik