Hacker Group Used 11 Zero-Day Flaws to Target Windows, iOS, Android Users



Project Zero, Google's zero-day bug-hunting team, discovered a group of hackers that used 11 zero-days in attacks targeting Windows, iOS, and Android users within a single year.


The Project Zero team revealed that the hacking group behind these attacks ran two separate campaigns, in February and October 2020.


This month's report details the use of seven zero-days; a previous report, published in January, showed how four zero-days were used together with n-day exploits to hack potential targets.


Just as before, the attackers used a couple of dozen websites hosting two exploit servers, each of them targeting iOS and Windows or Android users.


"In our testing, both of the exploit servers existed on all of the discovered domains," Project Zero team member Maddie Stone said.


"After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers."



Attack flow (Project Zero)
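
A site owner or monitoring team can look for the fingerprint-gated iframe injection Stone describes by capturing the same page from several client profiles (user-agent and network vantage point) and comparing which origins it frames. The Python code below is an added example, not from Project Zero or the original article; the URLs, client labels and HTML samples are constructed, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def iframe_origins(html, page_url):
    """Return the set of scheme://host[:port] origins framed by the page."""
    collector = IframeCollector()
    collector.feed(html)
    origins = set()
    for src in collector.sources:
        parts = urlsplit(urljoin(page_url, src))  # resolves relative and //host forms
        if parts.scheme in ("http", "https"):
            origins.add(f"{parts.scheme}://{parts.netloc.lower()}")
    return origins

def conditional_iframes(page_url, responses, allowlist=()):
    """responses maps a client label to the HTML that client was served.
    Report cross-origin iframe origins that only some clients received,
    which is what injection gated on IP origin or user-agent looks like."""
    site = urlsplit(page_url)
    own = f"{site.scheme}://{site.netloc.lower()}"
    seen = {label: iframe_origins(html, page_url) for label, html in responses.items()}
    everywhere = set.intersection(*seen.values())  # origins every client was served
    findings = {}
    for label, origins in seen.items():
        suspicious = origins - everywhere - {own} - set(allowlist)
        if suspicious:
            findings[label] = sorted(suspicious)
    return findings

# Constructed sample: the same page as served to two different client profiles.
PAGE = "https://news.example/article"
BASE = '<html><body><h1>Story</h1><iframe src="https://video.example/embed/1"></iframe>'
SAMPLES = {
    "desktop-linux-firefox": BASE + "</body></html>",
    "android-chrome": BASE + '<iframe src="//cdn.invalid/x" width="0" height="0"></iframe></body></html>',
}

if __name__ == "__main__":
    print(conditional_iframes(PAGE, SAMPLES))
```

Because the fingerprinting reportedly also considered the origin of the IP address, captures taken from a single network location can miss the injected frame.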

All in all, while analyzing the October 2020 campaign, the Project Zero researchers found:


one full exploit chain targeting fully patched Windows 10 using Google Chrome
two partial chains targeting 2 different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser
several RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (with the exploited bugs present up to iOS 14.1)

"When combined with their earlier 2020 operation, the actor used at least 11 0-days in less than a year," Stone added.


The 11 zero-days ..
