11 Zero-Day Flaws Exploited in 2020 Campaigns, Google Reports
An unknown threat actor used at least 11 zero-day vulnerabilities across two 2020 campaigns that targeted Android, iOS, and Windows users.
Project Zero, Google’s zero-day bug-hunting team, has published a blog post detailing exploit chains it discovered in October 2020, and assesses that they come from the same actor behind a February 2020 campaign, already documented by Project Zero, that likewise used multiple zero-days.
While the February 2020 attacks only targeted Android and Windows devices, the October 2020 campaign also included iOS exploitation. Project Zero describes the actor as highly sophisticated: in both campaigns the entry point was a remote code execution bug in a browser’s rendering engine (Chrome on Windows and Android, Safari on iOS), chained with privilege-escalation bugs in the underlying operating system.
The four zero-day flaws exploited in the February 2020 campaign were as follows:
- CVE-2020-6418 – Chrome Vulnerability in TurboFan;
- CVE-2020-0938 – Font Vulnerability on Windows;
- CVE-2020-1020 – Font Vulnerability on Windows;
- CVE-2020-1027 – Windows CSRSS Vulnerability.
Below you can find a list of the seven zero-days exploited by the threat actor in October 2020:
- CVE-2020-15999 – Chrome Freetype heap buffer overflow;
- CVE-2020-17087 – Windows heap buffer overflow in cng.sys;
- CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation;
- CVE-2020-16010 – Chrome for Android heap buffer overflow;
- CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts;
- CVE-2020-27950 – iOS XNU kernel memory disclosure in mach message trailers;
- CVE-2020-27932 – iOS kernel type confusion with turnstiles.
According to researcher Maddie Stone, the actor from the February 2020 campaign went quiet for a few months, then returned in October 2020 with dozens of websites redirecting visitors to an exploit server. While pulling exploits from that server, the team found that the same sites also linked to a second exploit server, and it later turned out that both servers were referenced from all of the discovered domains.
The first exploit server initially responded only to iOS and Windows user-agents and stayed up for over a week after Project Zero started retrieving exploits from it. It served a Chrome renderer remote code execution exploit (CVE-2020-15999, the FreeType heap buffer overflow) and, once that bug was patched, swapped it for a new V8 zero-day (CVE-2020-16009).
The second exploit server responded to Android user-agents and stayed up for roughly 36 hours. It served exploit chains against the Chrome and Samsung browsers on Android devices, including the Chrome for Android heap buffer overflow (CVE-2020-16010). Project Zero’s own summary of the two servers:
Exploit server #1:
- Initially responded to only iOS and Windows user-agents
- Remained up and active for over a week from when we first started pulling exploits
- Replaced the Chrome renderer RCE with a new v8 0-day (CVE-2020-16009) after the initial one (CVE-2020-15999) was patched
- Briefly responded to Android user-agents after exploit server #2 went down (though we were only able to get the new Chrome renderer RCE)
Exploit server #2:
- Responded to Android user-agents
- Remained up and active for ~36 hours from when we first started pulling exploits
- In our experience, responded to a much smaller block of IP addresses than exploit server #1
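The two servers above gated their responses on client fingerprinting (user-agent, and for server #2 a narrower block of source IPs), so an analyst retrieving exploits has to ask for the same URL as several different clients and compare what comes back. The script below is an added example of that differential probing, not Project Zero’s tooling: the user-agent strings, the example URL and the canned responses in `fake_fetch` are constructed for illustration, and `http_fetch` is a plain standard-library fetcher for real use from an isolated, authorised host.

```python
"""
Differential probing of a suspected exploit server: request one URL as
several client profiles and compare status, size and body hash.
Added example, not Project Zero's code; URLs, user-agent strings and the
canned responses below are constructed for illustration.
"""
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed client profiles. The platforms match the ones the servers
# fingerprinted; the exact strings are illustrative, not from the page.
USER_AGENTS: Dict[str, str] = {
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) "
           "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1",
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
               "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36",
    "android": "Mozilla/5.0 (Linux; Android 10; SM-G975F) "
               "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Mobile Safari/537.36",
    "linux": "Mozilla/5.0 (X11; Linux x86_64) "
             "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36",
}

# A fetcher maps (url, user_agent) -> (http_status, body)
Fetcher = Callable[[str, str], Tuple[int, bytes]]


def http_fetch(url: str, user_agent: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Real fetcher (standard library only). Run it only against infrastructure
    you are authorised to probe, from an isolated analysis host."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(url: str, fetch: Fetcher = http_fetch) -> Dict[str, dict]:
    """Fetch `url` once per profile and record status, length and SHA-256."""
    results: Dict[str, dict] = {}
    for name, ua in USER_AGENTS.items():
        status, body = fetch(url, ua)
        results[name] = {
            "status": status,
            "length": len(body),
            "sha256": hashlib.sha256(body).hexdigest(),
        }
    return results


def served_profiles(results: Dict[str, dict]) -> List[str]:
    """Profiles that received a non-empty 200, i.e. were handed a payload."""
    return sorted(n for n, r in results.items() if r["status"] == 200 and r["length"] > 0)


def is_fingerprinting(results: Dict[str, dict]) -> bool:
    """True when different profiles got different bodies: the server is
    selecting content per client instead of serving one static page."""
    return len({r["sha256"] for r in results.values()}) > 1


# Constructed stand-in for a server that, like exploit server #1 initially,
# answers only iOS and Windows clients. Used so the example runs offline.
CANNED: Dict[str, Tuple[int, bytes]] = {
    "ios": (200, b"<script>/* constructed: iOS chain placeholder */</script>"),
    "windows": (200, b"<script>/* constructed: Windows chain placeholder */</script>"),
    "android": (404, b""),
    "linux": (404, b""),
}


def fake_fetch(url: str, user_agent: str) -> Tuple[int, bytes]:
    """Offline fetcher that looks the user-agent up in CANNED."""
    for name, ua in USER_AGENTS.items():
        if ua == user_agent:
            return CANNED[name]
    return 404, b""


if __name__ == "__main__":
    res = probe("https://exploit-server.example/", fake_fetch)  # constructed URL
    for name, info in res.items():
        print(f"{name:8s} status={info['status']} len={info['length']} sha256={info['sha256'][:16]}")
    print("served:", served_profiles(res), "fingerprinting:", is_fingerprinting(res))
```

Because server #2 also gated on source IP, a single vantage point can return nothing for a profile the server does serve elsewhere; repeat the probe from several networks (and note the timestamp, since server #1 changed its payload after the patch landed) before concluding that a client profile is not targeted.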