Cybersecurity researchers have identified several exploit campaigns in the wild that have used patched flaws in Apple’s Safari and Google Chrome browsers to infect mobile users with information-stealing malware.
“These campaigns delivered n-day exploits for which patches were available, but they were still effective against unpatched devices,” Google Threat Analysis Group (TAG) researcher Clement Lecigne said in a report shared with The Hacker News.
The activity, observed between November 2023 and July 2024, is notable because the exploits were delivered through a watering hole attack that compromised the Mongolian government websites cabinet.gov(.)mn and mfa.gov(.)mn.
The set of intrusions is attributed with moderate confidence to the Russian state-backed threat actor codenamed APT29 (aka Midnight Blizzard). The exploits used in the campaigns share code with those previously associated with the commercial surveillance vendors (CSVs) Intellexa and NSO Group, indicating exploit reuse.
The vulnerabilities at the center of the campaigns are listed below –
- CVE-2023-41993 – A flaw in WebKit that could lead to arbitrary code execution when handling specially crafted web content (Fixed by Apple in iOS 16.7 and Safari 16.6.1 in September 2023)
- CVE-2024-4671 – A use-after-free bug in Chrome's Visuals component that could lead to arbitrary code execution (Fixed by Google in Chrome version 124.0.6367.201/.202 for Windows and macOS and version 124.0.6367.201 for Linux in May 2024)
- CVE-2024-5274 – Type confusion in the V8 JavaScript engine and WebAssembly that could lead to arbitrary code execution (Fixed by Google in Chrome version 125.0.6422.112/.113 for Windows and macOS and version 125.0.6422.112 for Linux in May 2024)
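A practical defender's use of the fixed versions listed above is checking a browser inventory for builds that predate the patches. The script below is an added example, not code from Google TAG or The Hacker News; the fix table is transcribed from the list above, and the inventory lines it checks are constructed.

```python
"""Flag Chrome builds that predate the fixes for the two Chrome CVEs above.

Added example; the inventory records are constructed, and the fix table is
taken from the Chrome fixed versions listed in the article.
"""

# Fixed Chrome versions per platform, as stated in the article. For Windows
# and macOS the article lists two builds (.201/.202 and .112/.113); the lower
# one is the first fixed build, so that is the threshold used here.
CHROME_FIXES = {
    "CVE-2024-4671": {"windows": "124.0.6367.201", "macos": "124.0.6367.201", "linux": "124.0.6367.201"},
    "CVE-2024-5274": {"windows": "125.0.6422.112", "macos": "125.0.6422.112", "linux": "125.0.6422.112"},
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '124.0.6367.118' into (124, 0, 6367, 118) so builds compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def unpatched_cves(version: str, platform: str) -> list[str]:
    """Return the CVEs from the table whose fix is newer than the given build."""
    platform = platform.lower()
    build = parse_version(version)
    return [
        cve
        for cve, fixes in CHROME_FIXES.items()
        if platform in fixes and build < parse_version(fixes[platform])
    ]


# Constructed inventory: (hostname, platform, reported Chrome version).
INVENTORY = [
    ("ws-01", "windows", "124.0.6367.118"),
    ("ws-02", "linux", "125.0.6422.60"),
    ("ws-03", "macos", "126.0.6478.55"),
]


def hosts_needing_update(inventory=INVENTORY) -> dict[str, list[str]]:
    """Map each host that is missing at least one fix to the CVEs it is exposed to."""
    report = {}
    for host, platform, version in inventory:
        missing = unpatched_cves(version, platform)
        if missing:
            report[host] = missing
    return report


if __name__ == "__main__":
    for host, cves in hosts_needing_update().items():
        print(f"{host}: update Chrome, exposed to {', '.join(cves)}")
```

The comparison is purely numeric on the four version components, which is how Chrome builds order; it does not account for the Android Chrome channel, where build numbers differ, so an Android inventory would need its own fix table.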
The campaigns in November 2023 and February 2024 are said to have involved compromising the two Mongolian government websites – both sites in the former, and only mfa.gov(.)mn in the latter – to deliver an exploit for CVE-2023-41993 via a malicious iframe component pointing to an attacker-controlled domain.
“When visited with an iPhone or iPad device, the watering hole sites used an iframe to serve a reconnaissance payload, which performed validation checks before finally downloading and deploying another payload with the WebKit exploit to exfiltrate browser cookies from the device,” Google said.
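Because the delivery mechanism in these campaigns was an iframe injected into a legitimate site, site owners can catch this class of compromise by scanning their own pages for embeds that point outside their first-party origins. The scanner below is an added example, not code from Google TAG or The Hacker News; the allowlisted hosts, the sample page and the `.invalid` domain in it are constructed.

```python
"""Find iframes and scripts on a page whose src points outside a first-party allowlist.

Added example for site-integrity monitoring; the allowlist and sample HTML
are constructed, and the flagged domain uses the reserved .invalid TLD.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of origins the site legitimately embeds from.
FIRST_PARTY = {"www.example.gov", "static.example.gov"}


class ExternalEmbedFinder(HTMLParser):
    """Collects iframe/script tags whose src host is not in the allowlist."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = {h.lower() for h in first_party}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return
        # Relative URLs have no host and are first-party by construction;
        # absolute and protocol-relative (//host/...) URLs carry a host.
        host = urlparse(src).hostname
        if host is None or host.lower() in self.first_party:
            return
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = (
            "display:none" in style
            or attrs.get("width") == "0"
            or attrs.get("height") == "0"
        )
        self.findings.append({"tag": tag, "host": host.lower(), "src": src, "hidden": hidden})


def find_external_embeds(html: str, first_party=FIRST_PARTY) -> list[dict]:
    """Return one record per external iframe/script found in the HTML."""
    parser = ExternalEmbedFinder(first_party)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two legitimate scripts and one hidden injected iframe.
SAMPLE_HTML = """<html><body>
<script src="/js/site.js"></script>
<script src="https://static.example.gov/app.js"></script>
<iframe src="https://cdn-update.invalid/update.html" style="display: none" width="0" height="0"></iframe>
<p>Ministry news</p>
</body></html>"""


if __name__ == "__main__":
    for f in find_external_embeds(SAMPLE_HTML):
        flag = " (hidden)" if f["hidden"] else ""
        print(f"external {f['tag']} -> {f['host']}{flag}: {f['src']}")
```

Run against a fresh fetch of each page on a schedule and diff the findings against the previous run; a hidden iframe to a host that never appeared before is exactly the signal the injections described above would produce. The check is deliberately conservative: it only inspects static `src` attributes, so iframes created at runtime by injected JavaScript need a browser-based crawl to surface.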
The payload is a cookie stealer framework that Google TAG previously detailed in connection with a 2021 operation that exploited an iOS zero-day (CVE-2021-1879) to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, Yahoo, GitHub, and Apple iCloud, and send them via WebSocket to an attacker-controlled IP address.
“The victim must have an open session on these websites with Safari in order for cookies to be successfully stolen,” Google said at the time, adding that “attackers used LinkedIn messaging to target government officials from Western European countries by sending them malicious links”.
The fact that the cookie stealer module also singles out the website “webmail.mfa.gov(.)mn” suggests that Mongolian civil servants were a likely target of the iOS campaign.
The mfa.gov(.)mn website was compromised a third time in July 2024 through the injection of JavaScript code that redirected Android users running Chrome to a malicious link serving an exploit chain combining CVE-2024-5274 and CVE-2024-4671 to deploy an information-stealing payload.
Specifically, the attack sequence exploits CVE-2024-5274 to compromise the renderer and CVE-2024-4671 to escape the sandbox, ultimately allowing the attackers to bypass Chrome's site isolation protections and deliver the information stealer.
“This campaign delivered a simple binary that exfiltrates all Chrome crash reports and sends the subsequent Chrome databases back to the track-adv(.)com server — similar to the cookie stealer payload seen in the earlier iOS campaigns,” Google TAG noted.
The tech giant further revealed that the exploit used in the November 2023 watering hole attack and the one Intellexa used in September 2023 share the same trigger code, a pattern also seen in the triggers for CVE-2024-5274, which was used in the July 2024 watering hole attack and in a May 2024 NSO Group attack.
Moreover, the exploit for CVE-2024-4671 is said to be similar to a previous Chrome sandbox escape that Intellexa used in the wild for another Chrome flaw, CVE-2021-37973, which Google patched in September 2021.
While it is currently unclear how the attackers obtained exploits for the three flaws, the findings clearly show that nation-state actors are using n-day exploits that CSVs originally used as zero-days.
This also raises the possibility that the exploits were obtained from a vulnerability broker that previously sold them to spyware vendors as zero-days, a steady supply that continues even as Apple and Google strengthen their protections.
“Furthermore, watering hole attacks remain a threat where sophisticated exploits can be used to target those who visit the sites regularly, including on mobile devices,” the researchers said. “Watering holes can still be an effective avenue for n-day exploits by mass targeting a population that may still be running unpatched browsers.”