Suspected Russian hackers have recently been targeting iPhone and Android users who visit government websites with exploits that were originally used by commercial surveillance vendors, according to researchers from Google's Threat Analysis Group (TAG).
The attacks, known as watering hole campaigns, took place between November 2023 and July 2024. During this time, threat actors compromised the websites of the Mongolian Cabinet Secretariat (cabinet.gov.mn) and the country’s Ministry of Foreign Affairs (mfa.gov.mn). These compromised websites were used to serve iframes or JavaScript that delivered exploits or exploit chains to unsuspecting visitors.
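Because the compromise described above consisted of injecting iframes or script tags into otherwise legitimate government pages, one practical check a site operator can run is a page-integrity scan that flags any iframe or script whose source is not on an allow-list of the site's own origins. The following is an added example written for this article, not code from Google TAG or from the affected sites; the allowed hosts, the page host and the sample HTML (including the placeholder "injected-host.invalid") are all constructed for illustration.

```python
"""Page-integrity check: flag <iframe> and <script> elements whose source is
not on an allow-list of expected origins.

A site operator can run this against a fresh fetch of each public page; an
element pointing at a host the site never uses is the earliest sign of the
kind of injection described in the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load sub-resources from.  These are assumed
# placeholder values; a real deployment would derive the list from the site's
# build manifest or its Content-Security-Policy.
ALLOWED_HOSTS = {"www.example-gov.test", "static.example-gov.test"}


class _SourceCollector(HTMLParser):
    """Collects the src attribute of every <iframe> and <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []        # (tag, src) pairs in document order
        self.inline_scripts = 0  # <script> blocks with no src attribute

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        if src is None:
            if tag == "script":
                self.inline_scripts += 1
            return
        self.sources.append((tag, src))


def find_unexpected_sources(html, page_host, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, src) for each iframe/script loaded from a host that is not
    in allowed_hosts.  Relative URLs resolve to page_host, so they are trusted
    only when page_host itself is allowed; non-http(s) schemes such as data:
    or javascript: are always flagged."""
    collector = _SourceCollector()
    collector.feed(html)
    collector.close()
    flagged = []
    for tag, src in collector.sources:
        parsed = urlparse(src.strip())
        if parsed.scheme not in ("", "http", "https"):
            flagged.append((tag, src))
            continue
        # .hostname strips userinfo and port and lower-cases the host;
        # it is None for relative URLs, which belong to the page itself.
        host = parsed.hostname or page_host
        if host not in allowed_hosts:
            flagged.append((tag, src))
    return flagged


# Constructed sample page: the site's own scripts plus two injected elements
# pointing at a placeholder host (not a real indicator from the campaign).
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example-gov.test/vendor.js"></script>
</head><body>
<h1>Ministry news</h1>
<iframe src="https://injected-host.invalid/r.html" width="0" height="0"></iframe>
<script src="//injected-host.invalid/loader.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, src in find_unexpected_sources(SAMPLE_HTML, "www.example-gov.test"):
        print(f"unexpected <{tag}> source: {src}")
```

Run periodically against a fresh fetch of each page (or against the files on the web server itself) and alert on any non-empty result; protocol-relative `//host/...` URLs are resolved by host just like absolute ones, and inline scripts are counted separately so a sudden change in that number can also be compared against a known-good baseline.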
The threat actors used Intellexa's CVE-2023-41993 exploit against iPhone users running iOS 16.6.1 or older. They also used a modified version of NSO Group's CVE-2024-5274 exploit, combined with a sandbox escape for CVE-2024-4671 that closely resembled Intellexa's CVE-2021-37973 exploit.
The campaigns targeted both iPhone and Android users, delivering n-day exploits that were still effective against unpatched devices. The WebKit exploit specifically targeted users running iOS 16.6.1 or older; users with Lockdown Mode enabled were not affected even on a vulnerable iOS version. Vulnerable iPhone and iPad users who visited the compromised websites were served a cookie-stealer framework that had previously been observed in a suspected APT29 campaign in 2021. Similarly, Android users running certain versions of Google Chrome were hit with a cookie-stealing payload.
The researchers emphasized that the attackers’ methods were successful in targeting a large population with n-day exploits, even though the patches for these vulnerabilities were already available. By using watering holes, the attackers were able to identify users whose devices or browsers were vulnerable and deliver the malicious payload accordingly.
While the researchers were unable to determine how the attackers obtained these exploits, they highlighted the effectiveness of this approach for mass targeting. Users who were not vulnerable to the exploits were identified through an initial reconnaissance payload and were spared from the malicious attacks.
Overall, these targeted watering hole campaigns serve as a reminder of the ongoing threat posed by state-backed attackers and commercial surveillance vendors. It is essential for users to stay vigilant and ensure they are using the latest software updates to protect themselves from potential exploits and cyberattacks.