A team of advanced hackers exploited no fewer than 11 zeroday vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched devices running Windows, iOS, and Android, a Google researcher said.
Using novel exploitation and obfuscation techniques, a mastery of a wide range of vulnerability types, and a complex delivery infrastructure, the group exploited four zerodays in February 2020. The hackers’ ability to chain together multiple exploits that compromised fully patched Windows and Android devices led members of Google’s Project Zero and Threat Analysis Group to call the group “highly sophisticated.”
Not over yet
On Thursday, Project Zero researcher Maddie Stone said that, in the eight months that followed the February attacks, the same group exploited seven more previously unknown vulnerabilities, which this time also resided in iOS. As was the case in February, the hackers delivered the exploits through watering-hole attacks, which compromise websites frequented by targets of interest and add code that installs malware on visitors’ devices.