A single group of attackers used 11 previously unknown zero-day exploits to attack iOS, Android, and Windows users through compromised websites, according to a new report by a Google researcher. The attackers chained multiple exploits into full exploit chains, and the researchers do not believe the group has stopped.
Hackers were able to perform kernel exploits using Safari on iOS 11 – iOS 13
Researchers from Google’s Project Zero and Threat Analysis Group describe the attacks as highly sophisticated; the 11 exploits were used across two campaigns spanning eight months. The exploits were served from various websites (watering-hole attacks) and initially targeted Windows and Android devices; the later campaign added exploits for iOS devices.
Maddie Stone, a researcher on Google’s Project Zero team, wrote that the vulnerabilities ranged from a modern JIT bug to a large collection of font-parsing bugs:
“The vulnerabilities cover a fairly broad spectrum of issues—from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero. The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out.”
The exploits targeted Chrome on Windows 10, Chrome and the Samsung browser on Android 10, and Safari on iOS 11 through iOS 13. On iOS, the chain ran from font-parsing bugs used for initial code execution in the browser to kernel exploits that gave the attackers elevated privileges on the device. Other devices and operating systems may also have been targeted, but Stone writes that this could not be determined because the exploit servers were no longer online when the researchers examined them.
No group has claimed responsibility for the attacks, and their motive remains unclear. For now, the best users can do is install the latest security patches for their browsers and operating systems and steer clear of untrusted websites, no matter how secure they believe their device to be.