APT29 [1] [2] [3] [4], also known as Midnight Blizzard [4], conducted exploit campaigns targeting Apple Safari and Google Chrome browsers between November 2023 and July 2024 [4].

Description

These campaigns originated from watering hole attacks on Mongolian government websites and targeted government officials and employees. The attackers utilized n-day exploits such as CVE-2023-41993, CVE-2024-4671 [1] [4], and CVE-2024-5274 to achieve arbitrary code execution and steal information. Commercial surveillance vendors Intellexa and NSO Group were attributed to reusing these exploits. In July 2024 [2] [3] [4], an attack on the mfa.gov[. [3]]mn website targeted Android users with a Chrome exploit chain, compromising the renderer and achieving a sandbox escape vulnerability [3]. The attackers exfiltrated Chrome databases to a server [3], similar to previous iOS campaigns [3]. The exploits used in these attacks shared trigger codes with previous campaigns [3], suggesting a possible supply chain from vulnerability brokers to spyware vendors [3]. Despite patches being available [2], the campaigns were still effective against unpatched devices [2], highlighting the ongoing threat posed by watering hole attacks on mobile browsers.

Conclusion

These attacks underscore the importance of timely patching and vigilance against sophisticated cyber threats. Organizations and individuals must remain proactive in securing their systems and devices to mitigate the risks posed by such exploits. The reuse of exploits by surveillance vendors [2] [3] [4] raises concerns about the potential misuse of vulnerabilities for surveillance purposes. Continued collaboration between security researchers, vendors, and government agencies is crucial to address these evolving threats and safeguard against future attacks.

References

[1] https://www.helpnetsecurity.com/2024/08/29/n-day-exploits-government-websites/
[2] https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/
[3] https://thehackernews.com/2024/08/russian-hackers-exploit-safari-and.html
[4] https://vulners.com/thn/THN:B6ED68F0A6E5CDF2D0F9D3A61071E933