Multiple Exploit Campaigns Target Apple Safari and Google Chrome Users
Recent analysis by Google's Threat Analysis Group (TAG) has revealed that state-backed actors leveraged already-patched vulnerabilities in Apple Safari (WebKit) and Google Chrome to deliver information-stealing malware to mobile users. The campaigns, which ran between November 2023 and July 2024, relied on n-day exploits: they only succeeded against iOS and Android devices that had not yet applied the available updates, underscoring the risk that unpatched systems continue to carry long after a fix ships.
Clement Lecigne, a researcher with TAG, reported these activities in a statement provided to The Hacker News. The attackers used a watering hole technique, compromising Mongolian government websites including cabinet.gov.mn and mfa.gov.mn. In a watering hole attack the adversary does not phish the target directly; it compromises sites the target population is known to visit and injects code that serves an exploit to every visitor whose browser and OS version match the exploit's requirements.
The intrusions have been attributed with moderate confidence to APT29, a Russian state-sponsored threat actor also tracked as Midnight Blizzard. The exploits themselves closely match ones previously used by commercial surveillance vendors: the iOS exploit overlaps with one used by Intellexa, and the Chrome exploit overlaps with one used by NSO Group. Google does not claim to know how APT29 obtained them, but the overlap points to a troubling pattern of exploit reuse across otherwise unrelated adversaries.
The vulnerabilities exploited during these campaigns were CVE-2023-41993, a WebKit flaw allowing arbitrary code execution that Apple patched in September 2023, and two Chrome flaws, CVE-2024-4671 (a use-after-free in the Visuals component) and CVE-2024-5274 (a type confusion in the V8 JavaScript engine), both fixed by Google in May 2024. In the earlier iOS campaigns, a malicious iframe injected into the Mongolian government pages loaded the WebKit exploit, and the resulting payload exfiltrated browser cookies. Session cookies are valuable because they let an attacker impersonate an already-authenticated user without ever learning the password.
When a user visited one of the compromised sites from an iPhone or iPad running a vulnerable iOS version, the exploit ran a first-stage payload that performed environment checks before fetching a second stage to capture sensitive data. That second stage was a cookie-stealer framework TAG had previously described in 2021, when it was delivered through an iOS zero-day (CVE-2021-1879); it harvested cookies for Google, Microsoft and Apple iCloud login domains. The fact that it also targeted cookies for the Mongolian Ministry of Foreign Affairs' webmail site indicates that government personnel were the primary targets.
In July 2024 Google observed a third compromise of mfa.gov.mn. This time the injected JavaScript checked for Android users running Chrome and redirected them to an attacker-controlled page that served the Chrome exploit chain: CVE-2024-5274 to gain code execution in the renderer, followed by CVE-2024-4671 to escape Chrome's sandbox. With the sandbox bypassed, the information-stealing payload could read the browser's local data stores and harvest cookies, passwords and other sensitive information that Chrome's process isolation would otherwise keep out of reach of web content.
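The two injection patterns described above, a hidden off-origin iframe that pulls in an exploit and an inline script that redirects only visitors whose user agent matches the target platform, are both detectable by scanning the served HTML of a site you administer. The following scanner is an added example written for this article; it is not code from Google TAG or from the campaigns described, and the sample page, hostnames and thresholds are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a capture from the compromised Mongolian sites).
# It contains the two injection patterns the article describes plus two benign
# same-origin resources, so the scanner has true negatives to get right as well.
SAMPLE_HTML = """
<html><head><title>Ministry portal</title>
<script src="/static/app.js"></script>
<script>
  if (/Android/i.test(navigator.userAgent) && /Chrome\\/12[1-3]/.test(navigator.userAgent)) {
    window.location = "https://example-attacker.test/landing";
  }
</script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://example-attacker.test/frame" width="0" height="0" style="display:none"></iframe>
<iframe src="/embedded/calendar"></iframe>
</body></html>
"""

# Heuristics for a user-agent gated redirect: the script inspects the UA string
# and assigns to location (or calls location.replace). Either alone is common in
# benign code; both together in one inline script is worth a look.
UA_GATE = re.compile(r"navigator\.userAgent", re.I)
REDIRECT = re.compile(r"(window\.)?location(\.href)?\s*=[^=]|location\.replace\(", re.I)


class WateringHoleScanner(HTMLParser):
    """Flags off-origin iframes/scripts, hidden iframes and UA-gated redirects."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []          # list of (tag, reason, evidence)
        self._in_script = False
        self._script_buf = []

    def _off_origin(self, url):
        host = urlparse(url).hostname   # None for relative URLs, i.e. same origin
        if host is None:
            return False
        host = host.lower()
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag in ("iframe", "script") and src and self._off_origin(src):
            self.findings.append((tag, "off-origin src", src))
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if a.get("width") == "0" or a.get("height") == "0" or "display:none" in style:
                self.findings.append((tag, "hidden iframe", src or ""))
        if tag == "script":
            # html.parser delivers <script> bodies raw via handle_data
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if UA_GATE.search(body) and REDIRECT.search(body):
                self.findings.append(("script", "user-agent gated redirect", body.strip()[:80]))


def scan(html, site_host):
    """Return the list of suspicious findings for a page served by site_host."""
    p = WateringHoleScanner(site_host)
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for tag, reason, evidence in scan(SAMPLE_HTML, "example-ministry.test"):
        print(f"[{reason}] <{tag}> {evidence}")
```

Run it against pages fetched from the server (or from a crawler that mimics a mobile user agent, since a gated injection may only be served to the platform it targets). Allow-list your own CDN hosts before deploying, and treat any new off-origin iframe on a login or webmail page as an incident until proven otherwise.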
The activity maps onto several tactics and techniques in the MITRE ATT&CK framework: initial access through a compromised website (drive-by compromise), exploitation for client execution via the browser exploits, and exfiltration of harvested cookies and credentials. Apple and Google both shipped patches months before these campaigns, which is the point: the exploits were zero-days when surveillance vendors first deployed them, then resurfaced as n-days in the hands of a state actor, and they still worked against every device that had not yet updated.
The findings raise the possibility that the exploits were acquired from vulnerability brokers, who sell such tools to both nation-state actors and commercial surveillance vendors and so keep them in circulation long after the underlying bugs are fixed. Researchers emphasize that watering hole attacks, which target the visitors of specific websites rather than the sites themselves, remain a significant threat as long as available patches go unapplied. Organizations that rely on browser-based applications should shorten the window between a patch's release and its deployment on every device, mobile devices included, since that window is exactly what these campaigns exploited.