Hackers have been exploiting vulnerabilities in iOS and Google Chrome to target government websites, particularly in Mongolia.
Google’s Threat Analysis Group (TAG) observed these attacks, which have been linked to the Russian government-backed actor APT29.
The hackers have repeatedly used the same exploits, initially developed by commercial surveillance vendors, to breach security defenses.
This article delves into the details of these cyber campaigns, the vulnerabilities exploited, and the implications for global cybersecurity.
The Watering Hole Attacks
The cyberattacks were executed through a method known as “watering hole attacks,” where legitimate websites are compromised to deliver malicious payloads to unsuspecting visitors.
In this case, the Mongolian government websites cabinet.gov[.]mn and mfa.gov[.]mn were targeted.
The attackers embedded hidden iframes that redirected visitors to attacker-controlled websites, delivering exploits to iOS and Android users.
In the first phase of the campaign, the attackers used an iOS WebKit exploit, CVE-2023-41993, to target devices running iOS versions older than 16.6.1.
The exploit was delivered via compromised government websites, affecting users who had not updated their devices.
The payload included a cookie stealer framework, previously observed in a 2021 campaign by APT29, which exfiltrated authentication cookies from prominent websites like LinkedIn and Gmail.
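Site operators can look for the redirect mechanism described above before it is found by visitors. The following is an added defender-side example, not code from Google TAG or from the article: it parses a page and flags iframes that are both hidden and point off-site, which is the watering-hole pattern. The hostnames and the sample HTML are constructed placeholders.

```python
"""Flag hidden, off-site iframes of the kind used to redirect visitors in a
watering-hole compromise. Added example, not TAG or article code; the sample
HTML and hostnames below are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline style fragments that keep an element invisible while it still loads.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?(?![\w.])", re.I)

# Constructed sample page: one legitimate embed, one hidden off-site iframe,
# one hidden but same-site iframe (common for analytics, not flagged here).
SAMPLE_HTML = """<html><body>
<iframe src="https://maps.example-gov.test/embed" width="600" height="400"></iframe>
<iframe src="https://attacker-placeholder.invalid/track" width="0" height="0" style="display:none"></iframe>
<iframe src="/internal/news" style="display:none"></iframe>
</body></html>"""


class IframeAuditor(HTMLParser):
    """Collect every <iframe> and record why it looks suspicious."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        src, reasons = a.get("src", ""), []
        host = urlparse(src).hostname or ""
        # Off-site: absolute src whose host is neither ours nor a subdomain.
        if host and not (host == self.site_host or host.endswith("." + self.site_host)):
            reasons.append("off-site:" + host)
        if a.get("width", "").strip() in ("0", "0px") or a.get("height", "").strip() in ("0", "0px"):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if "hidden" in a:
            reasons.append("hidden-attr")
        if reasons:
            self.findings.append((src, reasons))


def audit_page(html, site_host):
    """Return iframes that are both off-site and hidden: the redirect pattern."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return [(s, r) for s, r in p.findings
            if any(x.startswith("off-site") for x in r) and len(r) > 1]


if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "example-gov.test"))
```

Run it against a crawl of your own pages; a single hit on a page that should carry no third-party frames is worth an incident ticket, while a visible same-site embed is ignored by design.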
July 2024: Chrome Exploits
In July 2024, the attackers shifted focus to Android users by exploiting vulnerabilities in Google Chrome.
The Chrome exploit chain targeted CVE-2024-5274 and CVE-2024-4671, allowing attackers to deploy an information-stealing payload.
This campaign required an additional sandbox escape vulnerability to bypass Chrome’s site isolation protections, demonstrating the attackers’ technical sophistication.
Exploit Reuse and Attribution
Repeated use of the same exploits highlights a concerning trend in cyber warfare. The vulnerabilities exploited in these campaigns were initially discovered and used as zero-days by commercial surveillance vendors like Intellexa and NSO Group.
The attackers adapted these exploits for their purposes, raising questions about how these sophisticated tools ended up in the hands of APT actors.
Google’s TAG has assessed with moderate confidence that these campaigns are linked to APT29, a group known for its advanced cyber capabilities and ties to the Russian government.
The similarities between the exploits used by APT29 and those developed by commercial vendors suggest a potential leak or sale of these tools.
The persistence and sophistication of these attacks underscore the ongoing threat posed by state-sponsored cyber actors.
Watering hole attacks remain potent for delivering sophisticated exploits, particularly against users who have not applied the latest security patches.
The campaigns also highlight the risks associated with the proliferation of commercial surveillance tools, which malicious actors can repurpose.
Recommendations for Users and Organizations
To mitigate the risk of such attacks, users and organizations are urged to:
- Keep Software Updated: Regularly update operating systems and applications to the latest versions to protect against known vulnerabilities.
- Enable Security Features: Use built-in security features like Apple’s Lockdown Mode and Google’s Site Isolation to enhance protection against exploits.
- Monitor Network Traffic: Implement network monitoring solutions to detect and respond to suspicious activities promptly.
- Educate Employees: Conduct regular training sessions to raise awareness about phishing and other common attack vectors.
The repeated use of the same exploits across these campaigns highlights the need for vigilance and proactive security measures.
While the exact means by which APT29 acquired these exploits remain unclear, the incidents are a stark reminder of the evolving cyber threat landscape.
Google’s TAG continues to work on detecting, analyzing, and preventing such exploits, sharing its findings to enhance security across the ecosystem.
As cyber threats become increasingly sophisticated, collaboration and information sharing among cybersecurity professionals and organizations are more crucial than ever.