Verizon's "2022 Data Breach Investigations Report" repeatedly makes the point that criminals are stealing credentials to carry out their attacks.

Credentials, phishing, exploiting vulnerabilities, and botnets "pervade all areas of the DBIR, and no organization is safe without a plan to handle them all," Verizon's team of researchers wrote in this year's "Data Breach Investigations Report."

Attackers don't have to bother with zero-day vulnerabilities or build out elaborate attack tools when they can just steal credentials and log right in. Whether the report is looking at Web application attacks, email scams such as business email compromise, or malware, the theme was consistent: Stolen credentials played a role. 

DBIR is chock-full of charts and visualizations, so it is difficult to pick just one -- though the chart about what types of data attackers are stealing is a particularly striking. For a long time, criminals were interested in personal data -- data that could be used for identity theft or other types of financial fraud. While that is still the case, that is not the complete story. Attackers are focusing heavily on obtaining stolen credentials, since those credentials make carrying out other attacks even easier and harder to detect. The report considers 180 different actions that lead to data breaches, and the use of stolen credentials is the most common.

"We've long held that credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system," the report says.

Consider how ransomware gets onto the targeted system: 40% of ransomware incidents involve the use of desktop sharing software, such as remote desktop protocol. And the easiest way to access RDP is via weak passwords.

While third-party breaches represent just 1% of breaches in the 2022 dataset, about half of them involved the use of stolen credentials. 

Phishing and stolen credentials were the top two actions in data breaches involving social engineering attacks. The third is "pretexting," almost all of which are business email compromises. A quarter of BECs used stolen credentials against the victim organization, according to the report.

And finally, in the area of web application attacks, the vast majority of incidents use stolen credentials as their entry point. Over 80% of the breaches that was categorized under web application attacks in this year's DBIR can be attributed to stolen credentials. In comparison, the second most common action, exploiting vulnerabilities, is less than 20%.

"There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the last four years," the report says.

"Even if passwordless authentication isn't ready for prime time in your organization, the report findings can be used to help fund and implement multi-factor authentication," says Rick Holland, CISO and vice-president of strategy at Digital Shadows.

DBIR Makes a Case for Passwordless

A spyware vendor called Cytrox was found to be using several zero-day vulnerabilities in Google's Chrome browser and the Android kernel component. 
The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.

Did I hear someone say Pegasus? An educated guess, but wrong in this case. The name of the surveillance company—or better said, professional spyware vendor—is Cytrox and the name of its spyware is Predator.

**Google**

TAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google’s own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software.

Patches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.

**Vulnerabilities**

By definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn’t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.

In the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.

TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in at least three campaigns conducted on behalf of various governments.

**Cytrox**

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group—undoubtedly the best known one among them and responsible for Pegasus spyware.

Citizenlab at the University of Toronto published information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. It also says it assists with “designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”

Cytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and Verint.

**Government spyware**

Spyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.

Whatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.

It is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware

An analysis from Google TAG shows that Android zero-day exploits were packaged and sold for state-backed surveillance.

At least eight governments around the world have purchased a package of Android zero-day exploits from a company called Cytrox and are using them to install spyware on targets' mobile phones. The development highlights the sophistication of off-the-shelf surveillance offerings, according to a recent report. 

Google's Threat Analysis Group (TAG) said that by taking advantage of the time difference that keep some systems from being updated for hours after patches were released, the Cytrox exploits allowed governments to target Android users with malware to record audio, add CA certificates, and hide apps, Google's TAG said.

The report explained that the governments of Armenia, Côte d’Ivoire, Egypt, Greece, Indonesia, Madagascar, Serbia, and Spain are confirmed to have used the Cytrox exploits in at least three state-backed campaigns, adding there are likely others. 

"Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," the TAG report said, adding that the group is currently tracking more than 30 additional surveillance vendors with the capability of selling tools to state-backed actors. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Multiple Governments Buying Android Zero-Days for Spying: Google

Tesla, Microsoft, and others targeted in hacking competition that saw Star Labs crowned ‘Masters of Pwn’

Tesla, Microsoft, and others targeted in hacking competition that saw Star Labs crowned ‘Masters of Pwn’

  

Pwn2Own Vancouver closed its doors on Friday (May 20), with more than $1 million being awarded to celebrate 15 years of the annual hacking event.

Held by Trend Micro’s Zero Day Initiative (ZDI), the contest saw hackers from across the world compete both in person and virtually to find bugs in products from a wide range of vendors, including Microsoft, Mozilla, and Apple’s Safari browser.

Participants were offered the opportunity to earn both money and points, which would go towards being crowned ‘Master of Pwn’.

A team from Star Labs in Singapore, who were taking part virtually, were crowned this year’s champions with a total of 27 points.

Read more of the latest hacking news

Overall, prize payouts amounting to $1.2 million were awarded for the 27 vulnerabilities that were discovered during the event, which was celebrating its 15th year.

Sponsors including Tesla and VMWare also provided targets for the competition, with David Berard and Vincent Dehors from Synacktiv discovering two unique bugs leading to a sandbox escape on the Telsa Model 3 Infotainment System.

“The Synacktiv team was able to remotely take over the infotainment system, and they showed how they could stand outside the car and turn on the wipers, open the trunk, and flash the lights,” Dustin Childs, senior communications manager at Trend Micro’s ZDI, told The Daily Swig.

He added: “The attempt that failed still demonstrated some interesting research, and we were pleased to acquire through a standard program submission.”

DON’T MISS Pwn2Own Miami: Hackers earn $400,000 by cracking ICS platforms

Other notable discoveries include the zero-click exploit of two bugs, injection and arbitrary file write, on Microsoft Teams found by Daniel Lim Wee Soong, Poh Jia Hao, Li Jiantao, and Ngo Wei Lin of Star Labs, which earned the team $150,000, and an improper configuration against Microsoft Teams found by Hector “p3rr0” Peralta, also worth $150,000.

Childs said: “We’ve had an exciting event with more than $1,000,000 awarded to the contestants. With so many attempts in the category, we expected several bug collisions, but that hasn’t been the case. Almost everything demonstrated was unique and qualified for the maximum payout.

“It was interesting the see the variety of Microsoft Teams exploits demonstrated. We had three successful entries, and they were all different.

“The most interested – and most dangerous – was a zero-click entry that could be used to take over an entire organization. That’s one of the reasons we have this contest – to see the latest in exploit techniques and help get the patched before they are exploited in the wild.

“It’s been great to see the evolution of the program over the years. We’ve gone from a small, browser-focused event to awarded more than $1,000,000 two years in a row. We celebrated or 15th anniversary this year and can’t wait to see where the contest grows from here.”

Read about all of the entries and subsequent payouts via a blog post from ZDI.

YOU MAY ALSO LIKE Cybersecurity conferences 2022: A rundown of online, in person, and ‘hybrid’ events

Pwn2Own Vancouver: 15th annual hacking event pays out $1.2m for high-impact security bugs

By Deeba Ahmed
Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and…
This is a post from HackRead.com Read the original post: Predator Spyware Using Zero-day to Target Android Devices

Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and Chrome.

On Thursday, May 19th, Google’s Threat Analysis Group (TAG) reported that spyware developer/vendor Cytrox had developed exploits against five zero-day vulnerabilities to target Android users with spyware.

According to the details shared by TAG, threat actors are using the infamous Predator spyware in three different campaigns. Predator was previously analyzed in a report from the University of Toronto’s Citizen Lab.

**0-days used with n-days to Deploy Spyware**

The exploits are developed for four Chrome 0-days and one Android 0-day flaw. In their blog post, TAG researchers Clement Lecigne and Christian Resell explained that the 0-days are used in conjunction with n-day exploits.

Moreover, the attackers are trying to benefit from the time difference between the patching of some critical bugs, which weren’t declared severe security issues, and “when these patches were fully deployed across the Android ecosystem.”

**Spyware Details**

According to Google, the North Macedonian-based commercial surveillance firm Cytrox has packaged and sold the exploits to different state-backed threat actors in Greece, Egypt, Serbia, Madagascar, Indonesia, Spain, Côte d’Ivoire, and Armenia.

It is alleged that the buyers have used these bugs in at least three campaigns so far. The Predator spyware is similar to NSO Group’s Pegasus spyware, allowing threat actors to penetrate Android and iOS devices.

**About the Three Campaigns using Predator**

TAG examined three campaigns and concluded that attackers send one-time URLs to Android users through spear-phishing emails. These links are shortened using a common use URL shortener while the attackers target only a handful of victims. When users click on this malicious URL, they are redirected to a malicious webpage that automatically deploys the exploits and redirects them to a legitimate website.

Once there, the attackers deploy Alien Android malware that loads Cytrox’s Predator. In case the shortened link doesn’t work, the victim is directly taken to the legit website.

**List of Exploits**

Here’s the list of the 0-day flaws exploited by attackers in Chrome and Android:

*   CVE-2021-1048
*   CVE-2021-37973
*   CVE-2021-37976
*   CVE-2021-38000
*   CVE-2021-38003

The primary aim of attackers behind this operation is distributing Alien malware that is a precursor for deploying Predator spyware onto infected devices. It receives commands from Predator through an IPC (inter-process communication) mechanism and can record audio, hide apps, and add CA certificates to evade detection.

The first campaign was launched in August last year on Google Chrome, targeting the Samsung Galaxy S21 device. One month later, the second campaign targeted an updated Samsung Galaxy S10, while the third was detected in October 2021.

**More Android Spyware News**

1.  Fake Android Banking Apps Stealing Credentials Via Malware
2.  BRATA Android malware factory resets phones after stealing funds
3.  TangleBot Android malware hijacks phone to steal login credentials
4.  New Android malware TeaBot found stealing data, intercepting SMS
5.  New Russian Android Malware Tracks GPS Location and Spies on Victims

Predator Spyware Using Zero-day to Target Android Devices

Plus: The Conti ransomware gang shuts down, Canada bans Huawei and ZTE, and more of the week’s top security news.

As Russia’s full-scale war in Ukraine heads towards its hundredth day, opposition from Ukrainian forces is as strong as ever. At the same time, hacktivists all around the world continue to breach Russian institutions and publish their files and emails. This week one hacktivist collective took a different—and slightly peculiar—approach: launching a service to prank-call Russian government officials. The new website uses leaked details to put two random Russian officials on a call with each other. It obviously won't make any difference to the outcome of the war, but the group that created it hopes the tool will cause some confusion and annoy those in Moscow.

New research from Google’s Threat Analysis Group has delved into the surveillance-for-hire industry and found that spyware vendors are targeting Android devices with zero-day exploits. State-sponsored actors in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia have all purchased hacking tools from the North Macedonian firm Cytrox, the Google team says. The malware has used five previously unknown Android exploits, alongside unpatched vulnerabilities. Overall, Google’s researchers say they’re tracking more than 30 surveillance-for-hire firms around the world.

In other malware news, academics at Germany’s Technical University of Darmstadt have figured out a way to track an iPhone’s location even when it is turned off. When you switch your iPhone off it doesn’t fully power down—instead chips inside run in a low-power mode. The researchers were able to run malware that can track the phone in this low-power mode. They believe their work is the first of its kind, but the method is unlikely to be much of a threat in the real world, as it first requires jailbreaking the targeted iPhone, which has generally become harder to do in recent years.

But wait, there's more. We’ve rounded up all the news that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

International sanctions imposed against North Korea, for its continued development of nuclear weapons and ballistic missiles, mean the nation can’t trade with other countries or bring outside money within its borders. To get around this, in recent years Pyongyang has allowed its state-affiliated hackers to raid cryptocurrency platforms and rob banks. Now the FBI, the US Department of State, and the US Treasury have warned that thousands of North Korea’s IT workers—including app and software developers—have been freelancing at businesses around the world and sending money home. Many of them are based in China or Russia, the officials say. The risks of hiring North Korean workers range from “theft of intellectual property, data, and funds to reputational harm and legal consequences, including sanctions under both US and United Nations authorities.”

In a significant public move, the US Department of Justice says it will stop prosecuting security researchers under the Computer Fraud and Abuse Act. “Computer security research is a key driver of improved cybersecurity,” deputy attorney general Lisa Monaco said in a statement. For years the anti-hacking CFFA law has been criticized for its broad scope and its potential to be abused by prosecutors. While the DOJ’s explicit shift in policy will be welcomed by researchers, as _Motherboard_ reports, the policy doesn’t go far enough and still can put legitimate researchers at risk.

The mostly Russia-based Conti ransomware gang has had a dreadful few months. After backing Vladimir Putin’s war in Ukraine, thousands of its internal messages and innermost secrets were published online. While the gang has continued to target victims, including Costa Rica’s government, researchers now say Conti has officially shut down its operations. Conti’s Tor admin panels have been taken offline, and the group’s members are splintering off into other ransomware groups, according to security firm Advanced Intel. The shutdown comes after the US government offered a $15 million reward for information about Conti's members.

Canada has become the final country in the Five Eyes intelligence group—which also includes the US, UK, Australia, and New Zealand—to ban the use of Huawei’s telecoms equipment in its 5G networks. Fellow Chinese telecom firm ZTE is also included in the ban. The Canadian government, in an announcement, cited national security concerns and the fact that companies could be forced to comply with orders from “foreign governments.” Starting in September, Canadian firms will be banned from buying new 4G and 5G equipment from the Chinese companies. They must remove all existing 5G equipment by the summer of 2024, and 4G equipment must be removed by the end of 2027.

North Korean IT Workers Are Infiltrating Tech Companies

Cisco on Friday rolled out fixes for a medium-severity vulnerability affecting IOS XR Software that it said has been exploited in real-world attacks.
Tracked as CVE-2022-20821 (CVSS score: 6.5), the issue relates to an open port vulnerability that could be abused by an unauthenticated, remote attacker to connect to a Redis instance and achieve code execution.
"A successful exploit could allow

Cisco on Friday rolled out fixes for a medium-severity vulnerability affecting IOS XR Software that it said has been exploited in real-world attacks.

Tracked as CVE-2022-20821 (CVSS score: 6.5), the issue relates to an open port vulnerability that could be abused by an unauthenticated, remote attacker to connect to a Redis instance and achieve code execution.

"A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database," Cisco said in an advisory.

"Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system."

The flaw, which it said was identified during the resolution of a technical assistance center (TAC) case, impacts Cisco 8000 Series routers running IOS XR Software that has the health check RPM installed and active.

The networking equipment maker also cautioned that it's aware of the attempted exploitation of the zero-day bug earlier this month. "Cisco strongly recommends that customers apply suitable workarounds or upgrade to a fixed software release to remediate this vulnerability," it added.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Cisco Issues Patch for New IOS XR Zero-Day Vulnerability Exploited in the Wild

Organizations that deploy updates only after a vulnerability is disclosed apply far fewer updates and do so at a lower cost than those that stay up to date on all of their software, university researchers say.

Analysis has surfaced what many would consider a surprising insight: Organizations that always update to the newest versions of all of their software have roughly the same risk of being compromised in cyber-espionage campaigns as those that apply only specific updates after a vulnerability is disclosed.

A quantitative look at data from 350 advanced persistent threat (APT) campaigns between 2008 and 2020 by researchers from University of Trento, Italy, shows that organizations with a purely reactive software update strategy had roughly the same risk exposure to advanced cyberattacks as those that keep up to date on everything. This is despite the fact that the subjects deployed only 12% of the updates that organizations that always updated immediately did.

The data shows that the same holds true for organizations that might apply updates to patch vulnerabilities based on information they have received in advance — for example, by paying for information about zero-days. Even these entities do not have a significant advantage over those that patch only on a reactive basis when it comes to breach risk, the study shows.  

**Why Reactive Patching Might Be OK for APTs  
**Though this flies in the fact of conventional wisdom, the study results reflect two realities: 1) APTs tend to be reactionary themselves, and 2) time-to-patch metrics matter.

In analyzing some 350 campaigns dating back to 2008 (including information on vulnerabilities exploited, attack vectors, and affected software products), researchers found that APTs targeted publicly disclosed vulnerabilities more often than they did zero-days, overall. They also tended to frequently share or target the same known vulnerabilities in their campaigns.

In all, the researchers identified 86 different APT groups exploiting a total of 118 unique vulnerabilities in their campaigns between 2008 and 2020. Just eight of these threat groups used exclusive vulnerabilities in their campaigns: Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus, and Rancor.

That means there's an opportunity for IT teams to prioritize those bugs that are known to be APT favorites, in order to eliminate most of the risk of compromise.  

**Risk Remains Roughly the Same  
**Organizations that can apply software updates as soon as they're released naturally still face the lowest odds of being compromised, the study showed. However, the need to do regression testing before applying an update means that entities often take far longer to update their software. It's here that the researchers found little difference in risk exposure between those that apply all software updates, those that apply on a reactive basis, and those that update based on information they might have received in advance of others.

After all, the advantage of receiving vulnerability information in advance goes away completely the longer an organization takes to act upon the information.

For example, organizations that applied all software updates within one month of the updates being released were roughly at between five and six times higher risk of being compromised than organizations that updated immediately. That number was lower than (but not significantly so) for those that patched on a reactive basis (roughly between five-and-a-half to seven times higher risk); and those acting upon advance information (approximately between five and seven times higher).

The researchers found that organizations which acted on a reactive basis deployed far fewer updates than those that applied all updates. "Waiting to update when a CVE is published presents eight times fewer updates," the researchers said. "Thus, if an enterprise cannot keep up with the updates and needs to wait before deploying them, it can consider being simply reactive \[as an alternative\]."

**A Critical Issue  
**The issue of patch prioritization has become increasingly critical for resource- and time-strapped IT departments and security organizations. The growing use of open source components — many with vulnerabilities in them — has only exacerbated the problem. A study that Skybox Research Lab conducted last year showed a total of 20,175 vulnerabilities were disclosed in 2021. Another study by Kenna Security showed that nearly 95% of all enterprise assets contain at least one exploitable vulnerability. The trend has heightened interest in risk-based patch prioritization and pushed the US Cybersecurity and Infrastructure Agency to publish a catalog of exploited vulnerabilities so organizations know on which ones to focus first.

For its part, the University of Trento study specifically focused on the effectiveness and cost of different software update strategies for five widely used enterprise software products: Office, Acrobat Reader, Air, JRE, and Flash Player for the Windows OS environment.

"In summary, for the broadly used products we analyzed, if you cannot keep updating always and immediately (e.g., because you must do regression testing before deploying an update), then being purely reactive on the publicly known vulnerable releases has the same risk profile than updating with a delay, but costs significantly less," the researchers said.

Partial Patching Still Provides Strong Protection Against APTs

Foxit PDF Editor v11.3.1 was discovered to contain an arbitrary file upload vulnerability.

CVE-2022-28104: Security Bulletins | Foxit Software

Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users.
"The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched

Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users.

"The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem," TAG researchers Clement Lecigne and Christian Resell said.

Cytrox is alleged to have packaged the exploits and sold them to different government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia, who, in turn, weaponized the bugs in at least three different campaigns.

The commercial surveillance company is the maker of Predator, an implant analogous to that of NSO Group's Pegasus, and is known to have developed tools that enables its clients to penetrate iOS and Android devices.

In December 2021, Meta Platforms (formerly Facebook) disclosed that it had acted to remove roughly 300 accounts on Facebook and Instagram that the company used as part of its compromise campaigns.

The list of the five exploited zero-day flaws in Chrome and Android is below -

*   **CVE-2021-37973** - Use-after-free in Portals API
*   **CVE-2021-37976** - Information leak in core
*   **CVE-2021-38000** - Insufficient validation of untrusted input in Intents (root cause analysis)
*   **CVE-2021-38003** - Inappropriate implementation in V8, and
*   **CVE-2021-1048** - Use-after-free in Android kernel (root cause analysis)

According to TAG, all the three campaigns in question commenced with a spear-phishing email that contained one-time links mimicking URL shortener services that, once clicked, redirected the targets to a rogue domain that dropped the exploits before taking the victim to a legitimate site.

"The campaigns were limited — in each case, we assess the number of targets was in the tens of users," Lecigne and Resell noted. "If the link was not active, the user was redirected directly to a legitimate website."

The ultimate goal of the operation, the researchers assessed, was to distribute a malware dubbed Alien, which acts as a precursor for loading Predator onto infected Android devices.

The "simple" malware, which receives commands from Predator over an inter process communication (IPC) mechanism, is engineered to record audio, add CA certificates, and hide apps to evade detection.

The first of the three campaigns took place in August 2021. It used Google Chrome as a jumping off point on a Samsung Galaxy S21 device to force the browser to load another URL in the Samsung Internet browser without requiring user interaction by exploiting CVE-2021-38000.

Another intrusion, which occurred a month later and was delivered to an up-to-date Samsung Galaxy S10, involved an exploit chain using CVE-2021-37973 and CVE-2021-37976 to escape the Chrome sandbox (not to be confused with Privacy Sandbox), leveraging it to drop a second exploit to escalate privileges and deploy the backdoor.

The third campaign — a full Android 0-day exploit — was detected in October 2021 on an up-to-date Samsung phone running the then latest version of Chrome. It strung together two flaws, CVE-2021-38003 and CVE-2021-1048, to escape the sandbox and compromise the system by injecting malicious code into privileged processes.

Google TAG pointed out that while CVE-2021-1048 was fixed in the Linux kernel in September 2020, it wasn't backported to Android until last year as the fix was not marked as a security issue.

"Attackers are actively looking for and profiting from such slowly-fixed vulnerabilities," the researchers said.

"Tackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation among threat intelligence teams, network defenders, academic researchers and technology platforms."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#zero_day