State-backed attackers and commercial surveillance vendors repeatedly use the same exploits
A summary of Google TAG's August 2024 report on watering hole campaigns against Mongolian government websites. The campaigns reused n-day exploits previously linked to the commercial surveillance vendors (CSVs) Intellexa and NSO Group, and the attackers are suspected to be Russian government-backed APT29.
Introduction
On August 29, 2024, Google's Threat Analysis Group (TAG) released a comprehensive report detailing several in-the-wild exploit campaigns between November 2023 and July 2024. These campaigns, targeting Mongolian government websites, involved the reuse of n-day exploits previously linked to commercial surveillance vendors (CSVs) Intellexa and NSO Group. The attackers, suspected to be Russian government-backed APT29, leveraged vulnerabilities in iOS and Google Chrome to deliver malicious payloads, highlighting the ongoing risk posed by unpatched devices.
Report Overview
The attacks were delivered through watering hole campaigns, in which attackers compromise websites their targets already visit so that the site itself serves the exploit. The affected websites, including the Mongolian government sites cabinet.gov.mn and mfa.gov.mn, were modified to load a hidden iframe pointing to attacker-controlled domains. The campaigns primarily targeted iPhones running outdated iOS versions and Android users running specific, unpatched Chrome versions; fully updated devices were not exploitable.
TAG observed that the exploits used in these campaigns were strikingly similar to those previously deployed by Intellexa and NSO Group, two notorious commercial surveillance vendors. This suggests a troubling overlap between state-sponsored actors and commercially driven exploit developers.
The attack on iOS devices began in November 2023, exploiting CVE-2023-41993, a WebKit vulnerability affecting iOS 16.6.1 and older that Intellexa had already used as a 0-day in September 2023. When a user visited a compromised website on a vulnerable device, the iframe first ran a reconnaissance payload that fingerprinted the device and, if it matched, delivered the WebKit exploit. The exploit ran a cookie stealer that exfiltrated the device's browser cookies; devices with Lockdown Mode enabled were not affected.
In February 2024, a similar campaign was launched against iPhone users, this time also targeting additional sites such as webmail.mfa.gov.mn. The July 2024 campaign shifted focus to Google Chrome users on Android, using an exploit chain built from CVE-2024-5274 (a V8 type confusion that gives code execution in the renderer) and CVE-2024-4671 (a use-after-free used as a sandbox escape). The second bug was necessary because Chrome's Site Isolation runs each site in its own sandboxed renderer process, so compromising the renderer for the watering hole site alone does not expose other sites' cookies; the attackers had to escape the sandbox to reach the browser process and steal authentication cookies.
The potential consequences of these campaigns are severe, particularly for government officials and individuals working in sensitive sectors. By stealing authentication cookies, attackers could gain unauthorized access to critical accounts, including email, social media, and financial platforms. The broader implications include the erosion of trust in digital platforms and the heightened risk of espionage and data breaches.
Insights and Analysis
TAG’s findings highlight a significant threat: the proliferation of exploits developed by commercial surveillance vendors into the hands of state-sponsored actors. This trend raises concerns about the lack of control over these powerful tools and the increasing difficulty in defending against them. The reuse of exploits across different campaigns also suggests that attackers are becoming more efficient in their operations, potentially reducing the time needed to launch new attacks.
The continued use of n-day exploits by sophisticated actors like APT29 reinforces the importance of timely software updates and patch management. TAG’s research underscores the need for vigilance in applying security patches and the critical role of strong browser protections like Chrome’s Site Isolation. Users and organizations are urged to stay informed about vulnerabilities and ensure their systems are up-to-date.
To protect against similar threats, it is recommended to:
- Regularly update all software, especially web browsers and operating systems.
- Implement strong security measures, including multi-factor authentication, to protect sensitive accounts.
- Stay informed about the latest security threats and apply patches as soon as they are released.
TAG remains committed to detecting, analyzing, and preventing 0-day exploitation and will continue to share its findings to enhance security across the ecosystem.
Indicators of Compromise (IoCs)
Indicator | Type | Description |
---|---|---|
8bd9a73da704b4d7314164bff71ca76c15742dcc343304def49b1e4543478d1a | Hash | iOS reconnaissance payload (VALIDVICTOR) |
d19dcbb7ab91f908d70739968b14b26d7f6301069332609c78aafc0053b6a7e1 | Hash | iOS cookie stealer module (COOKIESNATCH) |
21682218bde550b2f06ee2bb4f6a39cff29672ebe27acbb3cee5db79bf6d7297 | Hash | Chrome reconnaissance payload |
df21c2615bc66c369690cf35aa5a681aed1692a5255d872427a2970e2894b2e3 | Hash | Chrome cookie stealer payload (ANDROSNATCH) |
https://ceo-adviser[.]com/fb-connect.php?online=1 | URL | Malicious URL used in the watering hole attack |
https://track-adv[.]com/market-analytics.php?pc=1 | URL | Malicious URL used in the watering hole attack |
https://track-adv[.]com/analytics.php?personalization_id=<random number> | URL | Malicious URL used in the watering hole attack |
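The two places a defender can look for this activity are the HTML of their own sites (for an injected off-site iframe, as described in the Report Overview) and proxy or web logs (for requests to the IoC domains above). The following script is an added example and is not code from the TAG report; it refangs the published URL indicators, matches on host and path because the `personalization_id` value varies, and flags any iframe that loads from outside the site's own hosts even when the host is not yet on an IoC list. The sample page and the proxy log lines are constructed for illustration, and the log format (timestamp, client, method, URL, status) is an assumption to adjust for your proxy.

```python
"""Hunt for the watering-hole indicators listed above in HTML and proxy logs.

Added example, not code from the TAG report. The sample page and the log
lines below are constructed to exercise the matching logic.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# IoC URLs as published (defanged with [.]). The third has a variable query
# parameter, so matching is done on host + path, never on the full URL.
DEFANGED_IOC_URLS = [
    "https://ceo-adviser[.]com/fb-connect.php?online=1",
    "https://track-adv[.]com/market-analytics.php?pc=1",
    "https://track-adv[.]com/analytics.php?personalization_id=<random number>",
]


def refang(indicator):
    """Turn a defanged indicator back into a parseable URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def ioc_host_paths(defanged_urls):
    """Set of (host, path) pairs; the query string is deliberately dropped."""
    pairs = set()
    for u in defanged_urls:
        p = urlparse(refang(u))
        pairs.add(((p.hostname or "").lower(), p.path))
    return pairs


IOC_HOST_PATHS = ioc_host_paths(DEFANGED_IOC_URLS)
IOC_HOSTS = {host for host, _ in IOC_HOST_PATHS}


def classify_url(url):
    """Return 'ioc_url' (host and path match), 'ioc_host' (host only) or None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if (host, p.path) in IOC_HOST_PATHS:
        return "ioc_url"
    if host in IOC_HOSTS:
        return "ioc_host"
    return None


class IframeCollector(HTMLParser):
    """Collect every iframe src on a page, hidden ones included."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def find_suspicious_iframes(html, own_hosts):
    """Flag iframes loading from IoC hosts or from any host not in own_hosts.

    A watering-hole injection points an iframe at attacker infrastructure, so
    an off-site iframe on a government page deserves a look even before the
    host appears on an IoC list.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = (urlparse(src).hostname or "").lower()
        verdict = classify_url(src)
        if verdict is None and host and host not in own_hosts:
            verdict = "external_iframe"
        if verdict:
            findings.append({"src": src, "host": host, "verdict": verdict})
    return findings


def scan_proxy_log(lines, url_field=3):
    """Return (line, verdict) for log lines whose URL field hits an IoC.

    Assumed format: whitespace-separated, URL in field `url_field`
    (timestamp client method url status). Adjust for your proxy.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) <= url_field:
            continue
        verdict = classify_url(parts[url_field])
        if verdict:
            hits.append((line, verdict))
    return hits


# Constructed sample page: a legitimate site with one injected, hidden iframe.
SAMPLE_HTML = """<html><body>
<h1>Ministry news</h1>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<iframe src="https://track-adv.com/analytics.php?personalization_id=84721"
        style="width:0;height:0;border:0"></iframe>
</body></html>"""

# Constructed proxy log lines in the assumed format.
SAMPLE_LOG = [
    "2024-07-11T08:14:02Z 10.0.3.14 GET https://cabinet.gov.mn/ 200",
    "2024-07-11T08:14:03Z 10.0.3.14 GET https://track-adv.com/analytics.php?personalization_id=913325 200",
    "2024-07-11T08:14:05Z 10.0.3.14 GET https://ceo-adviser.com/favicon.ico 404",
]

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, {"cabinet.gov.mn", "www.cabinet.gov.mn"}):
        print(finding)
    for line, verdict in scan_proxy_log(SAMPLE_LOG):
        print(verdict, line)
```

Run against the sample input, the YouTube embed is reported as `external_iframe` (worth a glance, not an alert), the track-adv.com iframe as `ioc_url`, and the favicon request to ceo-adviser.com as `ioc_host`; that last verdict is why host-level matching matters, since any request to attacker infrastructure from a managed device is a lead even when the path is not one published in the IoC list.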
MITRE ATT&CK Mapping
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Drive-by Compromise | T1189 | Compromise via malicious iframes on legitimate websites |
Execution | Exploitation for Client Execution | T1203 | Exploiting vulnerabilities in iOS and Chrome to execute code |
Defense Evasion | Obfuscated Files or Information | T1027 | Use of obfuscated JavaScript to inject malicious iframes |
Credential Access | Steal Web Session Cookie | T1539 | Theft of authentication cookies from Safari and Chrome to hijack logged-in sessions |
Exfiltration | Exfiltration Over C2 Channel | T1041 | Exfiltration of browser cookies and other sensitive data via C2 channels |