Google’s Threat Analysis Group (TAG) has exposed a new campaign by Russian state-backed APT29, also known as Cozy Bear or Midnight Blizzard, utilizing advanced spyware techniques similar to those of NSO Group and Intellexa.
Google’s Threat Analysis Group (TAG) has revealed evidence that Russian government-backed APT29 hackers (aka Cozy Bear or Midnight Blizzard) are using exploits strikingly similar to those developed by commercial spyware companies Intellexa and NSO Group in attacks targeting Mongolian government websites.
The multiple watering hole attacks, which occurred between November 2023 and July 2024, involved compromising the cabinet.govmn and mfa.govmn websites to deliver malicious payloads hidden within iframes to unsuspecting visitors. These iframes redirected unsuspecting visitors to attacker-controlled websites, where the exploits were deployed. to steal user data, including cookies, from iOS and Android devices.
The most alarming finding is the similarity between the exploits used by APT29 and those previously used by Intellexa and NSO Group. This suggests that APT29 may have acquired these exploits from the commercial spyware market.
For your information, NSO Group is an Israeli technology company known for developing spyware, including the controversial Pegasus spyware, which is used to monitor and extract data from smartphones.
On the other hand, Intellexa is a surveillance technology company reportedly based in Greece that provides cyber intelligence and spyware solutions, including the infamous Predator spyware for iOS devices. These solutions are often marketed to governments and law enforcement agencies for monitoring and data extraction from digital devices.
“While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors.“ “Although the trend in the mobile space is towards complex full exploit chains, the iOS campaign is a good reminder of the fact that a single vulnerability can inflict harm and be successful.“
Google TAG
Exploiting Known Vulnerabilities:
While the underlying vulnerabilities targeted in these attacks had already been patched, the attackers exploited them in a way that affected unpatched devices. Here’s how the attackers targeted iOS and Android devices:
iOS Attacks:
The first phase of the attack involved delivering an iOS WebKit exploit affecting iPhones running versions older than 16.6.1. This exploit, identical to one previously used by Intellexa, allowed the attackers to steal browser cookies from targeted devices.
In the iOS attacks, APT29 exploited a vulnerability (CVE-2023-41993). The exploit delivered a cookie stealer payload capable of stealing authentication cookies from various websites, including Gmail, LinkedIn, and Facebook.
Android Attacks:
In a later phase, as detailed by Google TAG in a blog post, the attackers shifted their focus to Android users, exploiting a chain of vulnerabilities in Google Chrome to steal sensitive data like login credentials, including cookies, passwords, browsing history, and saved credit cards.
The Android attacks targeted Chrome users running versions m121 to m123. The attackers chained two previously unknown vulnerabilities (CVE-2024-5274 and CVE-2024-4671) to escape Chrome’s sandbox.
The Android attacks targeted Chrome users running versions m121 to m123. The attackers used a previously unknown vulnerability (CVE-2024-4671) and a known vulnerability (CVE-2024-5274) previously used by NSO Group.
Google’s Response:
Google has taken several steps to mitigate the threat: it has added the identified websites and domains to its Safe Browsing service, notified the Apple and Google Chrome teams about the vulnerabilities, and informed the Mongolian CERT to help remediate the compromised websites.
RELATED TOPICS
- Google reveals spyware attack on Android, iOS, and Chrome
- QuaDream, Israeli iPhone hacking spyware firm, to shut down
- Android Version of Sophisticated Pegasus Spyware Discovered
- Hackers Sell Fake Pegasus Spyware on Clearnet and Dark Web
- Scylla Ad Fraud on iOS, Android Users Halted by Apple and Google
