Russian Cybercriminals Exploit Vulnerabilities in Safari and Chrome in a Noteworthy Cyberattack

Aug 29, 2024Ravie LakshmananBrowser Security / Vulnerability

Cybersecurity researchers have disclosed that Russian hackers exploited already-patched vulnerabilities in Apple Safari and Google Chrome.


According to Clement Lecigne of Google's Threat Analysis Group (TAG), the campaigns used exploits for already-known vulnerabilities, which still worked on devices that had not received the corresponding patches.

Between November 2023 and July 2024, the attacks compromised mobile devices through a watering hole on two Mongolian government websites, cabinet.gov[.]mn and mfa.gov[.]mn.

The attacks are attributed with moderate confidence to the state-backed Russian threat group APT29 (Midnight Blizzard). The techniques used in the campaigns overlap with those employed by the commercial surveillance vendors Intellexa and NSO Group, indicating that the exploits themselves were reused.


The vulnerabilities exploited in these campaigns are as follows:

  • CVE-2023-41993, a WebKit flaw: processing maliciously crafted web content could lead to arbitrary code execution. Apple fixed it in iOS 16.7 and Safari 16.6.1 in September 2023.
  • CVE-2024-4671, a use-after-free in Chrome's Visuals component: could lead to arbitrary code execution. Google fixed it in Chrome 124.0.6367.201/.202 for Windows and macOS and 124.0.6367.201 for Linux in May 2024.
  • CVE-2024-5274, a type confusion in the V8 JavaScript and WebAssembly engine: could also lead to arbitrary code execution. Google fixed it in Chrome 125.0.6422.112/.113 for Windows and macOS and 125.0.6422.112 for Linux in May 2024.
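Because all three bugs were n-days by the time they were used, the practical defender question is which devices still sit below the fix versions listed above. The following script is an added example, not code from the article's author or from Google TAG: it compares inventory-reported versions against the fix versions the article states, using tuple comparison so that dotted versions of different lengths (16.5 versus 16.6.1) order correctly. The inventory entries are constructed sample data.

```python
"""Triage a browser inventory against the fix versions the article lists.

Added example, not code from the article's author or Google TAG. The fix
versions are those the article states (Chrome 124.0.6367.201 for
CVE-2024-4671, Chrome 125.0.6422.112 for CVE-2024-5274, Safari 16.6.1 /
iOS 16.7 for CVE-2023-41993); the inventory below is constructed sample data.
"""
import re

# Lowest build that carries each fix. Google also shipped .202 / .113 builds
# for Windows and macOS with the same fixes, so the lower number is the
# threshold on every desktop platform the article names.
FIXED_VERSIONS = {
    "chrome": {
        "CVE-2024-4671": (124, 0, 6367, 201),
        "CVE-2024-5274": (125, 0, 6422, 112),
    },
    # Apple's fix shipped in Safari 16.6.1 (macOS) and iOS 16.7 (iPhone/iPad).
    "safari": {"CVE-2023-41993": (16, 6, 1)},
    "ios": {"CVE-2023-41993": (16, 7)},
}


def parse_version(version: str) -> tuple:
    """Turn '124.0.6367.118' or 'iOS 16.5.1' into a comparable int tuple."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"no version number in {version!r}")
    return parts


def unpatched_cves(product: str, version: str) -> list:
    """Return the CVEs from the article that this product version lacks a fix for.

    Tuple comparison handles differing lengths: (16, 6) < (16, 6, 1) and
    (16, 7) > (16, 6, 1), which is the ordering dotted versions need.
    """
    fixes = FIXED_VERSIONS.get(product.lower())
    if fixes is None:
        raise ValueError(f"unknown product {product!r}")
    have = parse_version(version)
    return sorted(cve for cve, fixed in fixes.items() if have < fixed)


def triage(inventory: list) -> dict:
    """Map each host to its outstanding CVEs; fully patched hosts are omitted."""
    report = {}
    for host, product, version in inventory:
        missing = unpatched_cves(product, version)
        if missing:
            report[host] = missing
    return report


# Constructed sample inventory: (hostname, product, reported version).
SAMPLE_INVENTORY = [
    ("wks-01", "chrome", "124.0.6367.118"),  # predates both Chrome fixes
    ("wks-02", "chrome", "124.0.6367.201"),  # has the CVE-2024-4671 fix only
    ("wks-03", "chrome", "125.0.6422.113"),  # fully patched .113 build
    ("mac-01", "safari", "16.5"),            # predates Safari 16.6.1
    ("mac-02", "safari", "16.6.1"),          # fixed
    ("ipad-01", "ios", "16.5.1"),            # predates iOS 16.7
    ("ipad-02", "ios", "17.0"),              # fixed
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: missing fixes for {', '.join(cves)}")
```

Feed this from an MDM or endpoint-agent inventory rather than from User-Agent strings: Chrome's reduced User-Agent no longer reports the full build number, and a UA header is client-supplied in any case. The table only holds the desktop Chrome and Apple values the article gives; the July 2024 chain targeted Chrome on Android, whose fixed build numbers the article does not state, so add those from Google's release notes before trusting a "patched" verdict for Android devices.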

The November 2023 and February 2024 campaigns compromised the Mongolian government websites and delivered an exploit for CVE-2023-41993 through a malicious iframe pointing to an attacker-controlled domain.

When a visitor opened one of the compromised sites on an iPhone or iPad, the iframe silently served a reconnaissance payload. That payload ran validation checks and then downloaded and executed a second payload through the WebKit exploit, whose purpose was to extract browser cookies from the device.

The payload turned out to be a cookie-stealing framework previously seen in the exploitation of an iOS zero-day (CVE-2021-1879) to harvest authentication cookies for popular sites including Google, Microsoft, LinkedIn, Facebook, Yahoo, GitHub, and Apple iCloud. The stolen cookies were sent to an attacker-controlled IP address over a WebSocket connection.

Google pointed out that victims needed to have active sessions on these websites via Safari for successful cookie exfiltration. The attackers also utilized LinkedIn messages to send malicious links to government officials from Western European countries.

The inclusion of the website “webmail.mfa.gov[.]mn” in the cookie stealing module hints at a targeted campaign against Mongolian government workers.

In July 2024, the mfa.gov[.]mn website was compromised again, this time to inject JavaScript that redirected Android users running Chrome to a malicious link. That chain combined CVE-2024-5274 and CVE-2024-4671 to deploy a payload that steals browser data.

Specifically, the chain uses CVE-2024-5274 to compromise the renderer process and CVE-2024-4671 to escape the sandbox, which together bypass Chrome's site isolation protections and allow an information-stealing binary to be deployed.
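Both waves described above started with foreign content injected into an otherwise legitimate site: an iframe to an attacker-controlled domain in 2023/2024, and a user-agent-gated JavaScript redirect in July 2024. The scanner below is an added example, not code from the article's author or from Google TAG, that a site owner could run over a stored copy of their own pages to flag exactly those two shapes. The sample page, the allowlist and the host `attacker.example` are constructed placeholders; none of them is an indicator from the article.

```python
"""Flag foreign iframes, foreign scripts and user-agent-gated redirects in a
page's HTML, the kind of injected content the article describes on the
compromised Mongolian government sites.

Added example, not code from the article's author or Google TAG. The sample
page, the allowlist and the host 'attacker.example' are constructed; nothing
here is an indicator from the article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline script that branches on the user agent and then navigates away is
# the pattern the article attributes to the July 2024 injection.
UA_CHECK = re.compile(r"navigator\.userAgent", re.I)
NAVIGATION = re.compile(r"\b(?:location|window\.open)\b", re.I)


class InjectedContentScanner(HTMLParser):
    """Collect (kind, detail) findings for iframe and script elements."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._script_buf = None  # accumulates inline <script> text

    def _check_src(self, tag, src):
        parsed = urlparse(src)
        if parsed.scheme in ("javascript", "data"):
            self.findings.append((f"inline-scheme-{tag}", src))
        elif parsed.hostname and parsed.hostname.lower() not in self.allowed:
            # Absolute or protocol-relative URL to a host we do not own.
            self.findings.append((f"external-{tag}", src))
        # Relative (same-origin) sources are left alone.

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        if src:
            self._check_src(tag, src)
        if tag == "script" and not src:
            self._script_buf = []  # start collecting inline body

    def handle_data(self, data):
        # The parser may deliver script text in chunks; buffer until </script>.
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            text = "".join(self._script_buf)
            self._script_buf = None
            if UA_CHECK.search(text) and NAVIGATION.search(text):
                snippet = " ".join(text.split())[:80]
                self.findings.append(("ua-gated-redirect", snippet))


def scan_html(html, allowed_hosts):
    """Return the list of (kind, detail) findings for one HTML document."""
    scanner = InjectedContentScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a ministry page with one foreign iframe and one inline
# script that redirects only Android Chrome visitors.
ALLOWED_HOSTS = {"www.example.gov", "cdn.example.gov"}
SAMPLE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.example.gov/lib.js"></script>
</head><body>
<p>Ministry news</p>
<iframe src="https://attacker.example/landing" width="1" height="1"></iframe>
<script>
if (/Android/.test(navigator.userAgent) && /Chrome/.test(navigator.userAgent)) {
  location.href = "https://attacker.example/go";
}
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"{kind}: {detail}")
```

Run it against pages fetched from the origin server, not from a cache, and keep the allowlist to the site's own hostnames and CDNs. Obfuscated JavaScript will not match the two regexes, so treat this as a first pass and diff each page against a known-good baseline as well; any iframe or script the baseline did not contain deserves a look regardless of what it matches.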

“The attack campaign deploys a basic binary that removes all Chrome Crash reports and sends the following Chrome databases to the track-adv[.]com server – a similar action to the fundamental end result noted in previous iOS campaigns,” as stated by Google TAG.


Google also noted that the exploit used in the November 2023 watering hole and the one used by Intellexa in September 2023 share identical trigger code, and that the same holds for the CVE-2024-5274 triggers used in the July 2024 watering hole and by NSO Group in May 2024.

Furthermore, the CVE-2024-4671 exploit is said to resemble an earlier Chrome sandbox escape that Intellexa used in the wild alongside another Chrome vulnerability, CVE-2021-37973, which Google patched in September 2021.

Although it is currently unclear how the threat actors obtained the exploits for the three vulnerabilities, the findings clearly show the use, as n-days, of exploits that commercial surveillance vendors (CSVs) had originally deployed as zero-days.

This raises the possibility that the exploits were purchased from a vulnerability broker who had earlier supplied them to the spyware vendors as zero-days, giving the attackers a steady supply even as Apple and Google strengthen their defenses.

“Moreover, watering hole attacks continue to pose a threat where sophisticated exploits can be utilized to target regular site visitors, including those on mobile devices,” as mentioned by the researchers. “Watering holes can still be an effective pathway for n-day exploits targeting a population that might still be running unpatched browsers.”
