Exploit Campaigns Targeting Mobile Users Through Browser Flaws



Introduction

Recent cybersecurity reports have highlighted a series of exploit campaigns that have targeted mobile users through vulnerabilities in Apple Safari and Google Chrome browsers. Despite patches being available, these flaws have been actively exploited by attackers to deploy information-stealing malware. This article delves into the specifics of these exploit campaigns, including the vulnerabilities exploited, the methods used by attackers, and the implications for cybersecurity.

Exploited Vulnerabilities

Between November 2023 and July 2024, researchers observed several exploit campaigns taking advantage of patched vulnerabilities in major browsers. The campaigns primarily targeted users through watering hole attacks on Mongolian government websites. The flaws exploited in these campaigns include:

  • CVE-2023-41993: A WebKit vulnerability in Safari that allows arbitrary code execution via specially crafted web content. Apple addressed this issue in iOS 16.7 and Safari 16.6.1 in September 2023.
  • CVE-2024-4671: A use-after-free vulnerability in Chrome's Visuals component, which permits arbitrary code execution. Google fixed this flaw in Chrome version 124.0.6367.201/.202 for Windows, macOS, and Linux in May 2024.
  • CVE-2024-5274: A type confusion issue in the V8 JavaScript and WebAssembly engine leading to arbitrary code execution. Google resolved this vulnerability in Chrome version 125.0.6422.112/.113 for Windows, macOS, and Linux in May 2024.

Attack Methods and Targets

The observed attacks involved compromising Mongolian government websites, specifically cabinet.gov.mn and mfa.gov.mn. The attackers injected malicious iframes into these sites and used them to deliver the exploits to visitors.

When accessed from an iPhone or iPad, the compromised sites would use the iframe to first serve a reconnaissance payload. This payload would then download and execute a secondary payload leveraging the WebKit exploit (CVE-2023-41993) to exfiltrate browser cookies. This method mirrors previous use of a cookie-stealing framework detailed by Google TAG in connection with iOS zero-day exploits in 2021.

In another phase of the campaign, in July 2024, the mfa.gov.mn site was again compromised, this time to deliver JavaScript targeting Android users running Chrome. This code chained the exploits CVE-2024-5274 and CVE-2024-4671 to deploy a stealer payload capable of pilfering cookies, passwords, credit card data, and more.
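The injection described above works because an iframe added to a legitimate page is easy to miss by eye. A site operator can catch it with a content integrity check that inspects every iframe on a fetched page and flags those that point off-site or are hidden. The following is an added example written for this article, not code from the original report or from any of the parties it describes; the sample HTML and the hostnames in it (tracker.attacker.example, maps.example) are constructed, and the allowlist parameter is an assumption about what a given site legitimately embeds.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # html.parser lowercases attribute names; values may be None
            self.iframes.append(dict(attrs))


def _looks_hidden(attrs):
    """True for iframes styled display:none/visibility:hidden or sized 0/1 px."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def find_suspicious_iframes(html, page_host, allowed_hosts=()):
    """Return iframes that load from a host other than page_host (and not on
    the allowlist) or that are hidden. A relative src stays on-site."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or page_host
        offsite = host != page_host and host not in allowed_hosts
        hidden = _looks_hidden(attrs)
        if offsite or hidden:
            findings.append({"src": src, "host": host,
                             "offsite": offsite, "hidden": hidden})
    return findings


# Constructed sample page: one same-origin embed, one allowlisted partner
# embed, and one hidden off-site iframe of the kind a watering hole injects.
SAMPLE_HTML = """
<html><body>
<h1>Ministry news</h1>
<iframe src="/embeds/video.html" width="640" height="360"></iframe>
<iframe src="https://maps.example/embed?q=office" width="640" height="360"></iframe>
<iframe src="https://tracker.attacker.example/recon.html" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "mfa.gov.mn",
                                           allowed_hosts=("maps.example",)):
        print(finding)
```

Run this against a copy of the page fetched on a schedule and alert when the list of findings changes; an empty allowlist is the safest starting point, since anything the site genuinely embeds will show up once and can then be added deliberately.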

Exploit Reuse and Implications

The patterns observed in these campaigns indicate that the exploits used were previously associated with commercial surveillance vendors (CSVs) such as Intellexa and NSO Group. The fact that these exploits were repurposed for n-day attacks by nation-state actors raises concerns about the source and distribution of these vulnerabilities. It is possible that the attackers acquired these exploits from vulnerability brokers or directly from the spyware vendors.

The campaigns demonstrate the continued efficacy of watering hole attacks in targeting specific populations, such as government employees, through compromised legitimate sites. Despite the availability of patches, the persistence of unpatched devices among targeted users highlights ongoing challenges in cybersecurity.
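Because every exploit in these campaigns targeted a flaw that already had a patch, the most direct defensive measurement is how many visiting browsers are still below the fixed versions. Below is an added example, not code from the original report, that parses User-Agent strings out of web server access log lines and reports which of the article's CVEs each client version predates. The thresholds are the Chrome builds and the iOS version the article states; Chrome for Android ships under its own build numbers, which the article does not give, so those thresholds are an assumption to be replaced from the vendor's release notes. The log lines and IP addresses are constructed.

```python
import re

# Minimum fixed versions as stated in the article. Chrome's .201/.202 split is
# handled by a plain version-tuple comparison against the lower build.
FIXES = {
    "chrome": [
        ("CVE-2024-4671", (124, 0, 6367, 201)),
        ("CVE-2024-5274", (125, 0, 6422, 112)),
    ],
    "ios": [
        ("CVE-2023-41993", (16, 7)),
    ],
}

CHROME_RE = re.compile(r"Chrome/(\d+(?:\.\d+)*)")
# Matches both "CPU iPhone OS 16_6" (iPhone) and "CPU OS 17_5" (iPad).
IOS_RE = re.compile(r"CPU (?:iPhone )?OS (\d+(?:_\d+)*)")


def parse_version(text, sep="."):
    return tuple(int(part) for part in text.split(sep))


def classify_user_agent(ua):
    """Return ("ios"|"chrome", version_tuple) or (None, None) if not covered."""
    m = IOS_RE.search(ua)
    if m:
        # every browser on iOS uses the system WebKit, so iOS version decides
        return "ios", parse_version(m.group(1), "_")
    m = CHROME_RE.search(ua)
    if m and "CriOS" not in ua:
        return "chrome", parse_version(m.group(1))
    return None, None


def missing_fixes(ua):
    """CVEs from FIXES whose fixed version is newer than the client's."""
    product, version = classify_user_agent(ua)
    if product is None:
        return []
    return [cve for cve, fixed in FIXES[product] if version < fixed]


def scan_access_log(lines):
    """Return [(client_ip, [cves])] for combined-format log lines whose
    User-Agent (the last quoted field) predates a fix."""
    flagged = []
    for line in lines:
        parts = line.rstrip().rsplit('"', 2)
        if len(parts) != 3:
            continue  # not a combined-format line
        ua = parts[1]
        cves = missing_fixes(ua)
        if cves:
            flagged.append((line.split()[0], cves))
    return flagged


# Constructed log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jul/2024:10:01:02 +0800] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/124.0.6367.118 Mobile Safari/537.36"',
    '203.0.113.11 - - [05/Jul/2024:10:01:05 +0800] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/125.0.6422.141 Mobile Safari/537.36"',
    '198.51.100.7 - - [05/Jul/2024:10:02:11 +0800] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"',
    '198.51.100.8 - - [05/Jul/2024:10:02:30 +0800] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPad; CPU OS 17_5 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1"',
]

if __name__ == "__main__":
    for ip, cves in scan_access_log(SAMPLE_LOG):
        print(ip, ", ".join(cves))
```

User-Agent strings are client-supplied and some browsers freeze or reduce them, so treat the output as a lower bound on exposure rather than an inventory; it is still enough to show a site owner whether the population that the watering hole would reach is largely patched.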

Conclusion

The recent exploit campaigns underscore the sophisticated tactics employed by cyber attackers to exploit known vulnerabilities in widely used browsers. By leveraging patched flaws through strategic watering hole attacks, these campaigns have demonstrated the ongoing threat posed by advanced persistent threat actors and commercial spyware vendors. As attackers adapt and repurpose vulnerabilities, timely patching and robust cybersecurity measures remain crucial.
