Cybersecurity experts have recently uncovered a series of sophisticated exploit campaigns that took advantage of previously undiscovered vulnerabilities in Apple Safari and Google Chrome browsers. These vulnerabilities, now patched, were used by attackers to deploy information-stealing malware targeting mobile users.

Between November 2023 and July 2024, these attacks were carried out through a technique known as a watering hole attack. A watering hole attack targets a group of users by compromising websites that members of a specific industry or community visit frequently, then serving malware from those sites to gain unauthorized access to the visitors' systems.

The perpetrators of these attacks have been tentatively identified as a Russian state-sponsored group, APT29 (also known as Midnight Blizzard). There is a notable overlap between the exploits used in these campaigns and those associated with commercial surveillance vendors, like Intellexa and NSO Group, suggesting the reuse of these sophisticated exploits.

Key Vulnerabilities Exploited:

  1. CVE-2023-41993: A WebKit vulnerability that allowed arbitrary code execution through specially crafted web content. This flaw was patched by Apple in September 2023.
  2. CVE-2024-4671: A use-after-free flaw in Chrome’s Visuals component, which could lead to arbitrary code execution. Google addressed this issue in May 2024.
  3. CVE-2024-5274: A type confusion flaw in Chrome’s V8 JavaScript engine, also leading to arbitrary code execution. This vulnerability was patched in May 2024.

During the campaigns in November 2023 and February 2024, attackers compromised Mongolian government websites, initially infecting two sites and later focusing solely on mfa.gov[.]mn. The attack injected a malicious iframe into the compromised pages to deliver exploits from an actor-controlled domain, with the aim of deploying malware on devices that visited these sites.

According to Google, when an iPhone or iPad accessed the compromised sites, a reconnaissance payload was delivered through an iframe, which, after validation checks, deployed a WebKit exploit to steal browser cookies from the device. This exploit is similar to a framework Google detailed in 2021, which was used to harvest authentication cookies from popular sites like Google, Microsoft, LinkedIn, Facebook, Yahoo, GitHub, and Apple iCloud.
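The two paragraphs above describe the delivery mechanism: an iframe injected into a legitimate page that loads exploit content from an actor-controlled domain. A site owner can detect this class of compromise by scanning served HTML for iframes pointing off-site and by checking whether the site's Content-Security-Policy would have blocked such a load. The following script is an added example written for this article, not code from Google's report or from the campaign; the HTML, hostnames and CSP header it uses are constructed for illustration, and the CSP matching is deliberately simplified (`'self'` is matched on host only, not full origin).

```python
"""Defensive check for injected iframes on a web property (added example).

Scans HTML for <iframe> elements whose src points outside an allowlist of
first-party hosts, flags hidden ones, and evaluates whether a CSP header
would block the load. All sample data below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this site legitimately frames.
FIRST_PARTY_HOSTS = {"www.example-gov.test", "example-gov.test"}

# Constructed page: one legitimate embed, one hidden off-site loader.
SAMPLE_PAGE = """<html><body>
<h1>Ministry news</h1>
<iframe src="https://www.example-gov.test/embed/video"></iframe>
<iframe src="https://track.attacker-controlled.test/loader" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

# Constructed CSP that restricts framing to first-party origins.
SAMPLE_CSP = "default-src 'self'; frame-src 'self' https://*.example-gov.test"


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag and its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """Heuristic: zero-size or display:none iframes are typical of injected loaders."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = (attrs.get(dim) or "").strip().rstrip("px")
        if val.isdigit() and int(val) == 0:
            return True
    return False


def find_suspicious_iframes(html, allowed_hosts=FIRST_PARTY_HOSTS):
    """Return iframes whose src host is not in the allowlist."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname  # handles absolute and protocol-relative URLs
        if host is None:
            continue  # relative src: served from this site, not flagged
        if host.lower() not in allowed_hosts:
            findings.append({"src": src, "host": host, "hidden": is_hidden(attrs)})
    return findings


def csp_blocks_frame(csp_header, frame_src, page_host):
    """True if frame-src (falling back to child-src, then default-src, the
    CSP3 fallback order) would block loading frame_src on page_host."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = None
    for name in ("frame-src", "child-src", "default-src"):
        if name in directives:
            sources = directives[name]
            break
    if sources is None:
        return False  # no governing directive: the browser permits the load
    parsed = urlparse(frame_src)
    host, scheme = (parsed.hostname or "").lower(), parsed.scheme.lower()
    for src in sources:
        if src == "'none'":
            continue
        if src == "'self'":
            if host == page_host.lower():  # simplified: host match, not full origin
                return False
            continue
        if src == "*" or (src in ("https:", "http:") and scheme == src[:-1]):
            return False
        # Host-source expression: strip scheme, path and port.
        src_host = src.split("://", 1)[-1].split("/", 1)[0].split(":")[0]
        if src_host.startswith("*.") and host.endswith(src_host[1:]):
            return False
        if src_host == host:
            return False
    return True


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE):
        blocked = csp_blocks_frame(SAMPLE_CSP, f["src"], "www.example-gov.test")
        print(f"off-site iframe -> {f['host']} hidden={f['hidden']} csp_blocks={blocked}")
```

Run periodically against the HTML your origin actually serves (not the CMS source), since injected iframes often appear only in the rendered output. A `frame-src` directive enforced at the web server or CDN layer also blocks the loader when an attacker can only modify page content, which is one reason the check reports both the finding and whether the policy would have contained it.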

Attack Tactics and Implications

The attack sequence leveraged CVE-2024-5274 to compromise the browser’s rendering engine and CVE-2024-4671 to escape Chrome’s sandbox protections, enabling the deployment of malware capable of exfiltrating various types of sensitive information.

Further analysis by the tech giant revealed that the same trigger code used in these attacks was also found in exploits used by Intellexa and NSO Group in other campaigns. This suggests a pattern of exploit reuse among commercial spyware vendors and state-sponsored actors.

While the precise methods through which these actors obtained the exploits remain unclear, the findings underscore the ongoing threat posed by nation-state actors utilizing n-day exploits—vulnerabilities that have already been disclosed and patched. This also raises concerns about a possible black market for vulnerabilities, where exploits initially used as zero-days by commercial surveillance vendors could be sold to other malicious actors after being patched.