On Wednesday, threat intelligence researchers from Google provided an update on four active zero-day vulnerabilities affecting Chrome, Safari, and Internet Explorer, all of which have been exploited by threat actors in various campaigns this year. This report highlights a concerning trend where three of the vulnerabilities were developed by commercial providers and subsequently sold to government-affiliated entities, resulting in an increase in real-world cyberattacks.

The vulnerabilities addressed include a use-after-free issue in Apple's QuickTimePluginReplacement (WebKit), an object lifecycle bug in Chrome's audio component, a type confusion flaw in Chrome's V8 JavaScript engine, and an out-of-bounds write vulnerability in Internet Explorer's MSHTML. All four have since been patched, but not before they were leveraged in targeted attacks.

Interestingly, both Chrome-related vulnerabilities—CVE-2021-21166 and CVE-2021-30551—are thought to have been exploited by the same actor, who distributed malicious links via email to targets in Armenia. These links redirected users to attacker-controlled domains disguised as legitimate sites, enabling further exploitation.

The malicious domains collected device fingerprints and harvested system information before executing further payloads. Shane Huntley, Director of Google's Threat Analysis Group, indicated that these Chrome vulnerabilities were exploited in tandem with CVE-2021-33742, a critical vulnerability in Windows that Microsoft addressed in its Patch Tuesday update in early June.

The two Chrome vulnerabilities were reportedly supplied to a nation-state actor by a commercial exploit broker, who used them in limited attacks against targets in Eastern Europe and the Middle East. Google opted not to name the exploit broker or the affiliated threat actors, but the implications remain significant.

In a separate incident, the Safari zero-day centred on a WebKit flaw that allowed maliciously crafted web content to inject script into other origins, enabling universal cross-site scripting. Apple remedied this flaw on March 26, 2021. Google attributes attacks exploiting CVE-2021-1879 to a likely Russian state-sponsored actor targeting government officials through LinkedIn. The attackers sent links that, when opened from an iOS device, redirected users to a rogue domain that deployed further payloads.

This tactic mirrors a broader wave of targeted cyber-operations linked to the Russian hacking group Nobelium, which has been implicated in several high-profile attacks, including the notorious SolarWinds supply chain breach. As reported by Google’s Threat Analysis Group, there has been a marked increase in zero-day exploit disclosures this year, with 33 incidents reported, an increase from 2020’s total.

In summary, the findings underscore the evolving threat landscape and the tactics adversaries rely on, including initial access through phishing and the exploitation of recently disclosed vulnerabilities. Understanding these risks is crucial for organisations seeking to proactively safeguard their systems against increasingly sophisticated attacks.