Cybersecurity analysts have uncovered a series of campaigns that exploited recently patched vulnerabilities in Apple Safari and Google Chrome to deploy data-stealing malware on mobile devices.
“These campaigns utilized n-day exploits for which patches were available, yet they remained potent against devices that had not been updated,” stated Clement Lecigne, a researcher with Google’s Threat Analysis Group (TAG), in a report provided to The Hacker News.
The operations, spanning from November 2023 to July 2024, are notable for their use of watering hole attacks targeting Mongolian government websites, specifically cabinet.gov[.]mn and mfa.gov[.]mn.
These intrusions have been tentatively linked to a Russian state-supported actor known as APT29 (also referred to as Midnight Blizzard). There are striking similarities between the exploits employed in these campaigns and those associated with commercial surveillance vendors (CSVs) such as Intellexa and NSO Group, suggesting the reuse of exploit techniques.
The vulnerabilities central to these campaigns are enumerated below:
- CVE-2023-41993: A WebKit vulnerability that could lead to arbitrary code execution through specially crafted web content (Addressed by Apple in iOS 16.7 and Safari 16.6.1 in September 2023)
- CVE-2024-4671: A use-after-free vulnerability within Chrome’s Visuals component that could facilitate arbitrary code execution (Resolved by Google in Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux in May 2024)
- CVE-2024-5274: A type confusion flaw in the V8 JavaScript and WebAssembly engine capable of arbitrary code execution (Mitigated by Google in Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux in May 2024)
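Because every exploit in these campaigns was an n-day, the practical defensive question is which devices in a fleet still run a browser or OS build below the fixed versions listed above. The following Python script is an added example, not part of the Google TAG report or this article; it encodes those fixed versions and triages a constructed device inventory (hostnames and versions are made up). It assumes that any build with a higher version tuple than the fixed build carries the fix, which holds for the stable-channel numbering quoted here.

```python
from typing import Dict, List, Tuple

# Minimum versions carrying the fixes, taken from the vendor fixes quoted above.
# Chrome: CVE-2024-4671 fixed in 124.0.6367.201 (/.202 on Windows and macOS),
#         CVE-2024-5274 fixed in 125.0.6422.112 (/.113 on Windows and macOS).
#         Any build >= the lower of the two numbers is therefore patched.
# iOS / Safari: CVE-2023-41993 fixed in iOS 16.7 and Safari 16.6.1.
FIXED_IN: Dict[str, Dict[str, str]] = {
    "chrome": {"CVE-2024-4671": "124.0.6367.201",
               "CVE-2024-5274": "125.0.6422.112"},
    "ios":    {"CVE-2023-41993": "16.7"},
    "safari": {"CVE-2023-41993": "16.6.1"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '124.0.6367.201' into (124, 0, 6367, 201) so tuples compare numerically.
    A shorter tuple with an equal prefix (16.6 vs 16.6.1) correctly sorts lower."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(product: str, version: str, cve: str) -> bool:
    """True when `version` of `product` is at or above the build that fixed `cve`."""
    return parse_version(version) >= parse_version(FIXED_IN[product][cve])


def exposed_devices(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each host to the campaign CVEs its installed version is still exposed to.
    Products not covered by FIXED_IN are skipped rather than reported."""
    findings: Dict[str, List[str]] = {}
    for device in inventory:
        product, version = device["product"], device["version"]
        missing = [cve for cve in FIXED_IN.get(product, {})
                   if not is_patched(product, version, cve)]
        if missing:
            findings[device["host"]] = missing
    return findings


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    {"host": "android-01", "product": "chrome", "version": "124.0.6367.179"},
    {"host": "android-02", "product": "chrome", "version": "125.0.6422.113"},
    {"host": "iphone-01",  "product": "ios",    "version": "16.6"},
    {"host": "iphone-02",  "product": "ios",    "version": "17.0"},
]

if __name__ == "__main__":
    for host, cves in exposed_devices(SAMPLE_INVENTORY).items():
        print(f"{host}: still exposed to {', '.join(cves)}")
```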
The exploit campaigns from November 2023 and February 2024 involved compromising the Mongolian government sites, particularly mfa.gov[.]mn, to deploy an exploit for CVE-2023-41993 through a malicious iframe linking to a domain controlled by the attackers.
“When accessed via an iPhone or iPad, the watering hole sites employed an iframe to deliver a reconnaissance payload that performed validation checks before ultimately loading and deploying a secondary payload containing the WebKit exploit to exfiltrate browser cookies from the device,” Google reported.
The payload utilized is a cookie-stealing framework that Google TAG had previously linked to the exploitation of an iOS zero-day (CVE-2021-1879) in 2021, used to harvest authentication cookies from numerous major websites, including Google, Microsoft, LinkedIn, Facebook, Yahoo, GitHub, and Apple iCloud, and send them via WebSocket to an attacker-controlled IP address.
“For cookies to be successfully exfiltrated, the victim needed to have an active session on these websites from Safari,” Google noted, adding that “attackers used LinkedIn messaging to target government officials from Western European countries by sending them malicious links.”
The fact that the cookie stealer also targeted the website “webmail.mfa.gov[.]mn” indicates that Mongolian government employees were likely a target of the iOS campaign.
In July 2024, the mfa.gov[.]mn site was compromised a third time to inject JavaScript code that redirected Android users on Chrome to a malicious link serving an exploit chain combining CVE-2024-5274 and CVE-2024-4671, to deploy a browser information-stealing payload.
Specifically, the attack sequence exploited CVE-2024-5274 to breach the renderer and CVE-2024-4671 to achieve a sandbox escape, effectively bypassing Chrome’s site isolation protections and delivering stealer malware.
“This campaign deploys a straightforward binary that deletes all Chrome crash reports and exfiltrates several Chrome databases back to the track-adv[.]com server—mirroring the basic final payload observed in earlier iOS campaigns,” Google TAG observed.
Moreover, the exploits used in the November 2023 watering hole attack and by Intellexa in September 2023 share the same trigger code, a pattern also seen in the triggers for CVE-2024-5274 used in the July 2024 attack and by NSO Group in May 2024.
Additionally, the exploit for CVE-2024-4671 shows similarities with a prior Chrome sandbox escape exploited by Intellexa in connection with another Chrome vulnerability, CVE-2021-37973, addressed by Google in September 2021.
While the precise method by which the attackers acquired these exploits remains unclear, it is evident that state-sponsored actors are deploying n-day exploits originally used as zero-days by commercial surveillance vendors.
This situation raises the possibility that the exploits may have been acquired from a vulnerability broker who previously sold them to spyware vendors as zero-days, maintaining a steady flow of such vulnerabilities as Apple and Google strengthen their defenses.
“Furthermore, watering hole attacks continue to pose a threat where sophisticated exploits can target regular visitors to specific sites, including on mobile devices,” the researchers stated. “Watering holes remain an effective avenue for n-day exploits by broadly targeting populations that may still be running outdated browsers.”