Hackers used 7 zero-days, compromised websites to infiltrate iOS
In what is being called a highly sophisticated attack, a group of hackers leveraged a total of 11 zero-day vulnerabilities and a host of compromised websites to infect fully patched devices running iOS, Windows and Android.
Detailed in a blog post by Google's Project Zero team, the hacks began in February 2020 and continued for at least eight months, spanning a wide range of techniques, vulnerability types and attack vectors.
As reported by ArsTechnica, the first four zero-days targeted Android and Windows machines running Chrome. The hacking team broadened its scope over the following eight months to include seven vulnerabilities that impacted iOS and Safari. Watering-hole sites were used to distribute different exploits tailored to the visiting device and web browser.
Beyond discovering and exploiting the zero-days, the hacking group was able to quickly deploy new attacks after security patches were applied. This flexibility illustrates not only a deep well of available vulnerabilities, but also the hackers' skill level, the report says.
"Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero," wrote Project Zero researcher Maddie Stone. "The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out."
Project Zero detected the following zero-days in October: Chrome Freetype heap buffer overflow, Windows heap buffer overflow in cng.sys, Chrome type confusion in TurboFan map deprecation, Chrome for Android heap buffer overflow, Safari arbitrary stack read/write via Type 1 fonts, iOS XNU kernel memory disclosure in mach message trailers, and iOS kernel type confusion with turnstiles.
As noted by ArsTechnica, the chain of exploits was required to break through layers of defenses built into modern operating systems.
Apple regularly issues updates to patch security holes in iOS, the latest of which arrived with iOS 14.4.1 on March 8.
Detailed in a blog post by Google's Project Zero team, the hacks began in February 2020 and continued for at least eight months, spanning a wide range of techniques, vulnerability types and attack vectors.
As reported by ArsTechnica, the first four zero-days targeted Android and Windows machines running Chrome. The hacking team broadened its scope over the following eight months to include seven vulnerabilities that impacted iOS and Safari. Watering-hole sites were used to distribute different exploits tailored to the visiting device and web browser.
Beyond discovering and exploiting the zero-days, the hacking group was able to quickly deploy new attacks after security patches were applied. This flexibility illustrates not only a deep well of available vulnerabilities, but also the hackers' skill level, the report says.
"Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero," wrote Project Zero researcher Maddie Stone. "The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out."
Project Zero detected the following zero-days in October: Chrome Freetype heap buffer overflow, Windows heap buffer overflow in cng.sys, Chrome type confusion in TurboFan map deprecation, Chrome for Android heap buffer overflow, Safari arbitrary stack read/write via Type 1 fonts, iOS XNU kernel memory disclosure in mach message trailers, and iOS kernel type confusion with turnstiles.
As noted by ArsTechnica, the chain of exploits was required to break through layers of defenses built into modern operating systems.
Apple regularly issues updates to patch security holes in iOS, the latest of which arrived with iOS 14.4.1 on March 8.
Comments
Patched? Yes, but then the hackers deploy a different attack vector.
Who? "Thursday’s post offered no details on the group responsible for the attacks. It would be especially interesting to know if the hackers are part of a group that’s already known to researchers or if it’s a previously unseen team. Also useful would be information about the people who were targeted."