Google’s Project Zero on Tuesday introduced a six-part series that offers an analysis of four zero-day vulnerabilities on Windows and Chrome, and known-day Android exploits it found during the team’s extensive research last year.

In a blog post the team said it uncovered the vulnerabilities after they found a watering hole attack in Q1 2020 performed by a highly sophisticated threat actor. The researchers said they discovered two servers that delivered different exploit chains. One server targeted Windows users, the other targeted Android. From the exploit servers, the Project Zero team extracted the following:

  • Renderer exploits for four bugs in Chrome, one of which was still a zero- day at the time of the discovery.
  • Two sandbox escape exploits abusing three zero day vulnerabilities in Windows.
  • A “privilege escalation kit” composed of publicly-known N-day (known-day) exploits for older versions of Android. Based on the actor’s sophistication, the researchers think it’s likely that they had access to Android zero-days, but they didn’t discover any in their analysis.

Throughout the six-part series, the researchers aim to share the technical details of different portions of the exploit chain, largely focused on what the team found most interesting. They include a detailed analysis of the vulnerabilities exploited and each of the different exploit techniques; a deep look into the bug class of one of the Chrome exploits, and an in-depth teardown of the Android post-exploitation code.

The four zero-days discovered by Project Zero have been fixed by the appropriate vendors and include the following:

  • CVE-2020-6418 – Chrome Vulnerability in TurboFan (fixed February 2020)
  • CVE-2020-0938 – Font Vulnerability on Windows (fixed April 2020)
  • CVE-2020-1020 – Font Vulnerability on Windows (fixed April 2020)
  • CVE-2020-1027 – Windows CSRSS Vulnerability (fixed April 2020)

Hackers look to exploit mobility trend

Hank Schless, senior manager, security solutions at Lookout, said the discovery by Project Zero illustrates that threat actors see computers and mobile devices as equally valuable targets. And as society becomes more reliant on Android and iOS, mobile devices become as valuable targets as laptops and desktops. 

“The Android component exploits older versions of the mobile operating system, which is a common tactic,” Schless said. “I think there will be an increase in zero-day attacks on mobile operating systems over the next year or two as reliance on mobile devices increases. Attackers constantly adapt their tactics to be effective on the platforms their targets use most. As individuals and enterprises become more reliant on mobile, attackers are following suit and prioritizing mobile devices, users, and apps as their primary targets. Attackers also know that, even if users have automatic updates turned on, they tend to be slow to update their apps and operating systems. “

Schless said watering holes are used frequently to lure targets to malicious websites. From there, the attacker can phish the victim for login credentials. Once the target visits the malicious site, the attacker can phish the victim for login credentials, deliver a malicious app, or exploit a vulnerability in the web browser to gain access to the administrative privileges on the device itself. 

“This attack chain is viable for targeting both mobile and desktop users, but has a greater chance of success on mobile devices because of their smaller screen and simplified user experience,” Schless explained.

Chad Anderson, senior security researcher at DomainTools, added that the vulnerabilities uncovered by Project Zero are significant for a number of reasons, but mainly because while they have been patched, the Android landscape remains very diverse with a large number of devices that rarely and often never get updated.

“That means we have a class of interesting vulnerabilities in the Chrome V8 JavaScript rendering engine that are reliable exploitation vectors going forward that allow for privilege escalation on both Android and Windows devices,” Anderson said.

Anderson said the Google findings are also significant because they found a very sophisticated actor writing Android zero-days and evidence would indicate that post-exploitation they have more device-specific exploits to employ. He said while these exploits have been burned, they do reveal the hand of a confident and capable attacker.

“Finally, Project Zero says that there is clear evidence that the attacker is developing exploits against older Android devices long past their manufacturers support date,” Anderson said. “These devices linger for a long time and are rarely updated. The attacker sees this and knows there is value in continuing to exploit those devices going forward long past their support date.”

Chris Morales, head of security analytics at Vectra, said usually when an attack gets termed “advanced” it’s because some prevention vendor was bypassed and had to explain to its customers why they didn’t detect the intrusion.

Morales said the attack described by Project Zero does look thorough and actually advanced – so much so that while the attack has not been attributed to anyone, the number of people with the skill and means to do this is very small.

“The SolarWinds breach exposed the entire attack surface of thousands of companies,” Morales said. “This is a universal method of infection with a broad attack surface. Combine the two and there’s a serious need for behavior-based lateral movement detection in every industry.”