Hackers have been actively exploiting vulnerabilities in iOS and Google Chrome to target government websites, particularly in Mongolia. Google’s Threat Analysis Group (TAG) has been monitoring these attacks, attributing them to the Russian government-backed actor APT29. The attackers have repeatedly reused exploits originally developed by commercial surveillance vendors to breach their targets’ defenses.
In-depth analysis of these cyber campaigns reveals the modus operandi, the vulnerabilities exploited, and the broader implications for global cybersecurity. The attacks were carried out using a method known as “watering hole attacks,” where legitimate websites are compromised to deliver malicious payloads to unsuspecting visitors. In this instance, the Mongolian government websites cabinet.gov.mn and mfa.gov.mn were the primary targets.
The hackers inserted hidden iframes into these compromised websites, redirecting visitors to attacker-controlled sites that delivered exploits to iOS and Android users. In the earlier phase of the campaign, an iOS WebKit exploit for CVE-2023-41993 was used against devices running older, unpatched versions of iOS; because it was served from the compromised government websites, it affected any visitor who had not updated their device. The malicious payload included a cookie-stealer framework previously observed in a 2021 campaign by APT29, enabling the extraction of authentication cookies from prominent websites such as LinkedIn and Gmail.
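A defender auditing a site for this kind of injection is looking for one specific artifact: an `<iframe>` the visitor cannot see (zero or one pixel in size, `display:none`, or positioned off-screen) whose `src` points at a host the site does not legitimately embed. The following scanner is an added example, not code from Google TAG or from the article; the sample HTML, the `example.gov` allowlist and the `cdn-update.example.net` host in it are constructed for illustration.

```python
"""Flag hidden iframes that load off-site content in a page's HTML.

Added example (not from the article or Google TAG). Meant to be run over
HTML fetched from your own site, e.g. as a periodic integrity check.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that make an element effectively invisible.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|"
    r"(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (pixel-sized frame)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes.
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html, trusted_hosts):
    """Return iframes that are hidden and/or load from a non-trusted host.

    trusted_hosts: hostnames (including their subdomains) the site is
    known to embed legitimately. Each finding is a dict with the iframe's
    src and the list of reasons it was flagged.
    """
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""  # urlparse lowercases the host
        if host and not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            reasons.append("off-site src: " + host)
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero/one-pixel dimensions")
        if "hidden" in attrs:
            reasons.append("hidden attribute")
        if HIDDEN_STYLE_RE.search(attrs.get("style") or ""):
            reasons.append("hidden via inline style")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate embed, one injected off-screen
# one-pixel iframe pointing off-site, and one locally sourced hidden iframe.
SAMPLE_HTML = """
<html><body>
<h1>Ministry news</h1>
<iframe src="https://maps.example.gov/embed" width="600" height="400"></iframe>
<iframe src="https://cdn-update.example.net/l.html" width="1" height="1" style="position:absolute;left:-9999px;"></iframe>
<iframe src="/local/notice.html" hidden></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, ["example.gov"]):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

The allowlist is the important design choice: an off-site `src` alone is a signal only if you know which third-party hosts the site should embed, so build `trusted_hosts` from the site's own templates and treat any new host as a change to investigate rather than a verdict. The same scan should be paired with a content hash of the served pages, since injected iframes are only one way a watering hole delivers its redirect.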
In July 2024, the attackers shifted focus to Android users and exploited vulnerabilities in Google Chrome. The exploit chain targeted CVE-2024-5274 and CVE-2024-4671, allowing the deployment of an information-stealing payload. Because Chrome’s site isolation confines a renderer compromise to a sandboxed process, the chain needed an additional sandbox escape vulnerability to reach the rest of the system, showcasing the technical prowess of the attackers.
The recurring use of the same exploits underscores a troubling trend in cyber warfare. The vulnerabilities exploited were initially identified and utilized as zero-days by commercial surveillance vendors like Intellexa and NSO Group. The adaptation of these exploits by threat actors raises questions about the origin and distribution of such sophisticated tools.
Google’s TAG has linked these campaigns to APT29 with moderate confidence, highlighting the group’s advanced capabilities and ties to the Russian government. The resemblance between the exploits used by APT29 and those developed by commercial vendors indicates a potential leak or sale of these tools. These attacks serve as a stark reminder of the persistent threat posed by state-sponsored cyber actors.
To counter such threats, users and organizations are advised to keep their software updated, enable security features, monitor network traffic, and educate employees on common attack vectors. The collaboration and information sharing among cybersecurity professionals and organizations are crucial in combating the evolving cyber threat landscape.
As cyber threats continue to grow in sophistication, proactivity and vigilance in implementing robust security measures are imperative. Google’s TAG remains committed to detecting, analyzing, and preventing such exploits, contributing to the overall enhancement of cybersecurity measures. In an era where collaboration is key, sharing insights and findings across the cybersecurity community is more vital than ever.