
APT29 Exploits Chrome and Safari Flaws in Watering Hole Attack Campaigns

By Eng. Donya Bino
Updated on August 30, 2024

Google's Threat Analysis Group (TAG) has documented a series of exploit campaigns it attributes, with moderate confidence, to the Russian state-backed group APT29 (also tracked as Midnight Blizzard). The campaigns used exploits for already-patched vulnerabilities in Apple's WebKit (Safari on iOS and iPadOS) and Google Chrome on Android to deliver information-stealing payloads. Because each flaw had been fixed by its vendor months earlier, the exploits only worked against devices that had not installed the updates, which is exactly why n-day exploitation remains attractive to well-resourced actors.

Details of the Campaigns

The activity spanned November 2023 to July 2024 and took the form of watering hole attacks on two Mongolian government websites, cabinet.gov[.]mn and mfa.gov[.]mn. APT29 compromised the sites and used them to serve exploits for known Safari and Chrome vulnerabilities to visitors, compromising the devices of anyone who arrived with an unpatched browser.

Exploited Vulnerabilities

The campaigns exploited the following vulnerabilities:

  1. CVE-2023-41993: A WebKit vulnerability that allows arbitrary code execution when Safari processes specially crafted web content. Apple fixed it in September 2023 in iOS 16.7 and iPadOS 16.7, and in Safari 16.6.1 for macOS. The watering hole exploit targeted devices still running iOS 16.6.1 or older; devices with Lockdown Mode enabled were not affected even on vulnerable versions.

  2. CVE-2024-4671: A use-after-free vulnerability in Chrome's Visuals component. In the July 2024 chain it served as the sandbox escape. Google patched it in May 2024 in Chrome 124.0.6367.201/.202 for Windows and macOS and 124.0.6367.201 for Linux.

  3. CVE-2024-5274: A type confusion vulnerability in V8, Chrome's JavaScript and WebAssembly engine, giving code execution inside the renderer process. In the chain it was the initial remote code execution step. Google patched it in May 2024 in Chrome 125.0.6422.112/.113 for Windows and macOS and 125.0.6422.112 for Linux.
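The practical question for a defender reading this list is which endpoints in their own fleet are still below the fixed builds. The script below, an added illustration rather than code from the article or from either vendor, compares an inventory row against the fixed builds quoted above. It goes slightly beyond the text in one respect: for a platform the article gives no build for (Chrome on Android, for example) it reports "unknown" instead of guessing a number. The inventory rows are constructed sample data.

```python
"""Check browser versions against the fixed builds named in the article.
Added example, not code from the article or any vendor advisory.
Inventory rows below are constructed sample data, not real telemetry."""
from __future__ import annotations

# Minimum fixed builds, keyed by (browser, platform), as quoted in the article.
# Where the article lists two builds for one platform (124.0.6367.201/.202),
# the lower one is the threshold.  Assumption: platforms absent from this table
# (e.g. Chrome on Android) have no build stated in the article and are reported
# as "unknown" rather than guessed.
FIXED_BUILDS: dict[str, dict[tuple[str, str], str]] = {
    "CVE-2023-41993": {
        ("safari", "ios"): "16.7",
        ("safari", "ipados"): "16.7",
        ("safari", "macos"): "16.6.1",
    },
    "CVE-2024-4671": {
        ("chrome", "windows"): "124.0.6367.201",
        ("chrome", "macos"): "124.0.6367.201",
        ("chrome", "linux"): "124.0.6367.201",
    },
    "CVE-2024-5274": {
        ("chrome", "windows"): "125.0.6422.112",
        ("chrome", "macos"): "125.0.6422.112",
        ("chrome", "linux"): "125.0.6422.112",
    },
}


def parse_version(v: str) -> tuple[int, ...]:
    """'125.0.6422.112' -> (125, 0, 6422, 112); non-numeric parts are rejected."""
    return tuple(int(p) for p in v.strip().split("."))


def is_at_least(installed: str, fixed: str) -> bool:
    """Compare dotted versions of unequal length by zero-padding the shorter one,
    so that '16.7' and '16.7.0' compare equal (plain tuple comparison would not)."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def exposure(browser: str, platform: str, version: str) -> dict[str, str]:
    """Return {cve: 'vulnerable' | 'fixed' | 'unknown'} for one endpoint.
    CVEs for a different browser are omitted; 'unknown' means no fixed build
    is stated for that (browser, platform) and it needs manual verification."""
    key = (browser.lower(), platform.lower())
    result: dict[str, str] = {}
    for cve, table in FIXED_BUILDS.items():
        if key[0] not in {b for b, _ in table}:
            continue  # this CVE does not concern this browser at all
        fixed = table.get(key)
        if fixed is None:
            result[cve] = "unknown"
        else:
            result[cve] = "fixed" if is_at_least(version, fixed) else "vulnerable"
    return result


# Constructed sample inventory: (host, browser, platform, version).
INVENTORY = [
    ("iphone-01", "safari", "ios", "16.6.1"),
    ("iphone-02", "safari", "ios", "17.0"),
    ("laptop-03", "chrome", "windows", "124.0.6367.118"),
    ("laptop-04", "chrome", "macos", "125.0.6422.113"),
    ("phone-05", "chrome", "android", "125.0.6422.112"),
]


def report(inventory=INVENTORY) -> list[tuple[str, str, str]]:
    """Flatten to (host, cve, status) rows, keeping only rows that need action."""
    rows = []
    for host, browser, platform, version in inventory:
        for cve, status in exposure(browser, platform, version).items():
            if status != "fixed":
                rows.append((host, cve, status))
    return rows


if __name__ == "__main__":
    for row in report():
        print(*row)
```

Run against the sample inventory it flags iphone-01 for CVE-2023-41993, laptop-03 for both Chrome CVEs, and phone-05 as unknown for both, which is the signal a patch-management team actually wants: a short list of hosts to chase rather than a dump of every version string.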

Attack Techniques and Payloads

The campaigns were classic watering holes: instead of luring targets, the attackers compromised the two government sites and let visitors come to them. In the November 2023 and February 2024 waves, a hidden iframe injected into the pages loaded a reconnaissance payload for iPhone and iPad visitors. That payload fingerprinted the device and, if it was a suitable target, loaded the WebKit exploit for CVE-2023-41993, whose final stage was a cookie stealer.

Stolen session cookies let the attacker use the victim's accounts without a password, provided the victim was logged in to those services in Safari at the time. The stealer targeted cookies for services including Google, Microsoft, LinkedIn, and Apple iCloud. It was the same cookie-stealer framework Google had seen in 2021, when a Russian government-backed actor delivered it through the iOS zero-day CVE-2021-1879.

In July 2024 the campaign shifted to Android. JavaScript injected into mfa.gov[.]mn redirected Chrome-on-Android visitors to an attacker-controlled page that ran a two-stage chain: CVE-2024-5274 for code execution inside the renderer, then CVE-2024-4671 to escape the Chrome sandbox. The final payload was an information stealer that exfiltrated cookies, saved passwords, and stored credit card data.
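For an operator of a site like the two compromised here, the first-line check is whether the pages being served still match what was deployed. The script below is an added example, not code from the article or from any of the parties it names: it parses a page as served and flags iframe and script tags that load from a host outside an allowlist, rating hidden iframes highest because a zero-size or display:none frame is how the November 2023 and February 2024 waves loaded their reconnaissance payload. The HTML and the domains in it are constructed placeholders (the attacker host uses the reserved .invalid TLD).

```python
"""Flag third-party iframes and scripts injected into a served page.
Added example, not code from the article.  SAMPLE_PAGE and the host names
in it are constructed; 'stage.attacker.invalid' is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalRefs(HTMLParser):
    """Collect every iframe/script start tag that has a src attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            a = dict(attrs)
            if a.get("src"):
                self.refs.append((tag, a))


def _hidden(attrs: dict) -> bool:
    """True for the usual ways an injected frame is kept out of sight."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def find_injections(html: str, allowed_hosts: set[str]) -> list[dict]:
    """Return findings for iframe/script tags whose src host is not in
    allowed_hosts (or a subdomain of one).  Relative URLs are same-origin
    and skipped.  Hidden iframes are 'high', everything else 'medium'."""
    parser = ExternalRefs()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.refs:
        host = urlparse(attrs["src"]).hostname
        if host is None:  # relative src, served from our own origin
            continue
        if host in allowed_hosts or any(host.endswith("." + h) for h in allowed_hosts):
            continue
        severity = "high" if tag == "iframe" and _hidden(attrs) else "medium"
        findings.append({"tag": tag, "src": attrs["src"], "host": host,
                         "severity": severity})
    return findings


# Constructed sample: a legitimate page with two injected tags appended.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.ministry.example/lib.js"></script>
</head><body>
<p>Ministry news</p>
<iframe src="https://stage.attacker.invalid/recon" width="0" height="0" style="display:none"></iframe>
<script src="https://stage.attacker.invalid/redirect.js"></script>
</body></html>"""

ALLOWED = {"ministry.example", "cdn.ministry.example"}  # constructed allowlist

if __name__ == "__main__":
    for f in find_injections(SAMPLE_PAGE, ALLOWED):
        print(f["severity"], f["tag"], f["src"])
```

Two caveats a practitioner should keep in mind. The July 2024 wave used injected inline JavaScript with no src attribute, which this check would not see; catching that requires diffing the served page against a known-good copy, not just inspecting external references. And fetching the page from a monitoring host may not show what a targeted visitor gets, since the reconnaissance stage described above only served the exploit to devices it judged suitable.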

Connection to Commercial Surveillance Vendors

Google's researchers found that the trigger code in the CVE-2023-41993 exploit matched the exploit Intellexa had used as a zero-day in September 2023, and that the CVE-2024-5274 exploit shared its trigger with one NSO Group had used as a zero-day in May 2024. How APT29 obtained them is not known; one possibility is that the exploits were sold on by a broker once their zero-day window closed. Whatever the route, the lesson is that commercial surveillance exploits do not stay private: the same code can resurface as an n-day in state-actor campaigns months after the vendor patch ships.

Implications and Recommendations

These campaigns are a reminder that an exploit does not need to be a zero-day to be effective; it only needs the victim to be behind on updates. For both APT29 waves the window between the vendor fix and the observed exploitation was measured in months, which is well within the patch lag of many organisations and of most personal devices. Patch management for browsers and mobile operating systems therefore deserves the same priority as server patching.

Watering hole attacks need no interaction beyond visiting a trusted site, so user awareness training offers little protection against them. The controls that do help are prompt browser and OS updates; hardened configurations for high-risk users (Apple's Lockdown Mode blocked the WebKit exploit here even on vulnerable iOS versions); egress filtering and DNS monitoring that block or at least log connections to newly seen exploit-serving domains; and, for organisations that run public websites, integrity monitoring that alerts on injected scripts and iframes.

The APT29 campaigns show how a state-sponsored actor can run a sophisticated operation entirely on known, patched vulnerabilities in widely used browsers. Closing the patch gap, and treating commercial surveillance exploits as likely to reappear in other hands, are the practical responses.


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067