It’s not every day that Google researchers warn us about cyber-attacks that involve previously unknown vulnerabilities or, in cyber jargon, zero-day exploits. Recently, a sophisticated threat actor exploited vulnerabilities in Chrome and Windows in order to install malware on devices running the Android and Windows operating systems.
These vulnerabilities were not known to Google at the time. The attackers delivered the exploits through a strategy called a watering hole attack: they compromise websites that their intended targets visit frequently and lace those sites with malicious code. When a target visits the site, the code runs in the browser and installs malware on the user’s device.
The four zero-day exploits
- CVE-2020-6418: Chrome vulnerability in TurboFan
- CVE-2020-0938: Font vulnerability on Windows
- CVE-2020-1020: Font vulnerability on Windows
- CVE-2020-1027: Windows CSRSS vulnerability
The above vulnerabilities have now been fixed and patched.
The attackers obtained remote code execution by exploiting the Chrome zero-day. They have not yet exploited the Android zero-day. The Project Zero research team has published six installments that outline the details of the exploits and the post-exploitation payloads, with the intention that those installments will help the security community combat complex malware operations.
For more information on system security, contact Agilient’s cybersecurity and consulting experts.