Zero-day Flaws Used in Nine-Month-Long Campaign Targeting Windows, iOS, and Android Devices

So, what do we have here? We have multiple zero-day flaws. A months-long attack campaign. And a group of exceptionally sophisticated hackers.

The scoop


A threat actor group exploited 11 zero-day vulnerabilities in a campaign that lasted for nine sweet months. This attack leveraged compromised websites to infect fully patched devices running iOS, Android, and Windows.

A bit of backstory


In February 2020, Google TAG and Project Zero discovered a watering hole attack conducted by a highly advanced threat actor. Four zero-day flaws (CVE-2020-6418, CVE-2020-0938, CVE-2020-1027, and CVE-2020-1027) were being delivered in various exploit chains targeting Windows, Android, and Chrome.
In October 2020, the same threat actor made a comeback and abused seven zero-days (CVE-2020-15999, CVE-2020-17087, CVE-2020-16009, CVE-2020-16010, CVE-2020-27930, CVE-2020-27950,