Watering-hole attacks executed by ‘experts’ exploited Chrome, Windows and Android flaws and were carried out on two servers.

Google researchers have detailed a major hacking campaign that was detected in early 2020, which mounted a series of sophisticated attacks, some using zero-day flaws, against Windows and Android platforms.

Working together, researchers from Google Project Zero and the Google Threat Analysis Group (TAG) uncovered the attacks, which were “performed by a highly sophisticated actor,” Ryan from Project Zero wrote in the first of a six-part blog series on their research.

“We discovered two exploit servers delivering different exploit chains via watering-hole attacks,” he wrote. “One server targeted Windows users, the other targeted Android.”

2020 Reader Survey: Share Your Feedback to Help Us Improve

Watering-hole attacks target organizations’ oft-used websites and inject them with malware, infecting and gaining access to victims’ machines when users visit the infected sites.

In the case of the attacks that Google researchers uncovered, attackers executed the malicious code remotely on both the Windows and Android servers using Chrome exploits. The exploits used against Windows included zero-day flaws, while Android users were targeted with exploit chains using known “n-day” exploits, though they acknowledge it’s possible zero-day vulnerabilities could also have been used, researchers said.

The team spent months analyzing the attacks, including examining what happened post-exploitation on Android devices. In that case, additional payloads were delivered that collected device fingerprinting information, location data, a list of running processes and a list of installed applications for the phone.

Zero-Day Bugs

The researchers posted root-cause analyses for each of the four Windows zero-day vulnerabilities that they discovered being leveraged in their attacks.

The first, CVE-2020-6418, is a type confusion bug prior to 80.0.3987.122 leading to remote-code execution. It exists in V8 in Google Chrome (Turbofan), which is the component used for processing JavaScript code. It allows a remote attacker to potentially cause heap corruption via a crafted HTML page.

The second, CVE-2020-0938, is a  a trivial stack-corruption vulnerability in the Windows Font Driver. It can be triggered by loading a Type 1 font that includes a specially crafted BlendDesignPositions object. In the attacks, it was chained with CVE-2020-1020, another Windows Font Driver flaw, this time in the processing of the VToHOrigin PostScript font object, also triggered by loading a specially crafted Type 1 font. Both were used for privilege escalation.

“On Windows 8.1 and earlier versions, the vulnerability was chained with CVE-2020-1020 (a write-what-where condition) to first set up a second stage payload in RWX kernel memory at a known address, and then jump to it through this bug,” according to Google. “The exploitation process was straightforward because of the simplicity of the issue and high degree of control over the kernel stack. The bug was not exploited on Windows 10.”

And finally, CVE-2020-1027 is a Windows heap buffer overflow in the Client/Server Run-Time Subsystem (CSRSS), which is an essential subsystem that must be running in Windows at all times. The issue was used as a sandbox escape in a browser exploit chain using, at times, all four vulnerabilities.

This vulnerability was used in an exploit chain together with a 0-day vulnerability in Chrome (CVE-2020-6418). For older OS versions, even though they were also affected, the attacker would pair CVE-2020-6418 with a different privilege escalation exploit (CVE-2020-1020 and CVE-2020-0938).”

All have all since been patched.

Advanced Capabilities

From their understanding of the attacks, researchers said that threat actors were operating a “complex targeting infrastructure,” though, curiously, they didn’t use it every time.

“In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox,” according to researchers. “In these cases, the attacker took a slower approach: sending back dozens of parameters from the end user’s device, before deciding whether or not to continue with further exploitation and use a sandbox escape.”

Still other attack scenarios showed attackers choosing to fully exploit a system straightaway; or, not attempting any exploitation at all, researchers observed. “In the time we had available before the servers were taken down, we were unable to determine what parameters determined the ‘fast’ or ‘slow’ exploitation paths,” according to the post.

Overall, whoever was behind the attacks designed the exploit chains to be used modularly for efficiency and flexibility, showing clear evidence that they are experts in what they do, researchers said.

“They [use] well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks,” according to the post.

Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.