Google says hackers used 0-day vulnerabilities and attacked targets in Armenia

Google specialists published technical details about four 0-day vulnerabilities that some hackers used and attacked targets in Armenia this year. Bugs were used to attack users of Chrome, Internet Explorer and Safari browsers for iOS.

The specialists’ report deals with the following vulnerabilities:

• CVE-2021-21166 and CVE-2021-30551 in Chrome;
• CVE-2021-33742 in Internet Explorer;
• CVE-2021-1879 on WebKit (Safari).

According to Google, the three 0-day vulnerabilities in Chrome and IE were “created by the same commercial surveillance company” (an unnamed vulnerability broker), which then sold them to two unnamed government-supported groups.

Without disclosing any names or titles, experts say that three of the four vulnerabilities were used in attacks aimed at targets in Armenia.

For example, exploits for vulnerabilities CVE-2021-21166 and CVE-2021-30551 in Chrome were distributed using one-time links that were sent by mail to future victims. Such links led to sites that mimic various legitimate resources.

The team of experts also stated that the problem CVE-2021-21166 also affected the Safari browser engine (WebKit), due to some common code base. The researchers passed the collected information to Apple, which promptly fixed the problem, assigning it the identifier CVE-2021-1844.

Regarding the 0-day vulnerability in IE (CVE-2021-33742), which Microsoft fixed in June, Google writes that this bug was also used against certain targets in Armenia. The issue was exploited through emails containing malicious Office documents. They loaded web content inside Office through the Internet Explorer plug-in.

As in the case of Chrome, the attack involved fingerprinting and victim verification before attackers moved on to inject a second stage payload.

The similarity of these two malicious campaigns led Google to speculate that the exploits were most likely created by the same exploit broker.

The report also states that attacks were identified using the CVE-2021-1879 vulnerability, which posed a threat to WebKit for iOS. Google attributes these attacks to “a potential attacker supported by the Russian government.”

The attacks were carried out via LinkedIn Messenger, a LinkedIn feature that allows users to exchange messages. Attackers used LinkedIn to send messages with malicious links to various government officials in Western Europe. If the victim opened such a link through the Safari browser on iOS, the exploit would disable Same-Origin-Policy protection in order to “steal the authentication cookies of several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo, and then send them via WebSocket to An IP address controlled by intruders. ”

This exploit posed a threat to iOS versions 12.4 to 13.7, and Google reports that the exploitation of the same vulnerability was seen in other malicious campaigns documented by Microsoft and Volexity specialists this spring. Then experts attributed these attacks to the Russian-speaking hack group Nobelium (aka APT29 and Cozy Bear).

Let me remind you that we also talked about how Chinese hackers use a new backdoor to spy on the country’s government from Southeast Asia.