Hackers have been exploiting vulnerabilities in iOS and Google Chrome to target government websites, particularly in Mongolia.
Google’s Threat Analysis Group (TAG) observed these attacks, which have been linked to the Russian government-backed actor APT29.
The hackers have repeatedly used the same exploits, initially developed by commercial surveillance vendors, to breach security defenses.
This article delves into the details of these cyber campaigns, the vulnerabilities exploited, and the implications for global cybersecurity.
The cyberattacks were executed through a method known as “watering hole attacks,” where legitimate websites are compromised to deliver malicious payloads to unsuspecting visitors.
In this case, the Mongolian government websites cabinet.gov[.]mn and mfa.gov[.]mn were targeted.
The attackers embedded hidden iframes that redirected visitors to attacker-controlled websites, delivering exploits to iOS and Android users.
During this period, the attackers used an iOS WebKit exploit, CVE-2023-41993, to target devices running iOS versions older than 16.6.1.
The exploit was delivered via compromised government websites, affecting users who had not updated their devices.
The payload included a cookie stealer framework, previously observed in a 2021 campaign by APT29, which exfiltrated authentication cookies from prominent websites like LinkedIn and Gmail.
What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!
In July 2024, the attackers shifted focus to Android users by exploiting vulnerabilities in Google Chrome.
The Chrome exploit chain targeted CVE-2024-5274 and CVE-2024-4671, allowing attackers to deploy an information-stealing payload.
This campaign required an additional sandbox escape vulnerability to bypass Chrome’s site isolation protections, demonstrating the attackers’ technical sophistication.
Repeated use of the same exploits highlights a concerning trend in cyber warfare. The vulnerabilities exploited in these campaigns were initially discovered and used as zero-days by commercial surveillance vendors like Intellexa and NSO Group.
The attackers adapted these exploits for their purposes, raising questions about how these sophisticated tools ended up in the hands of APT actors.
Google’s TAG has assessed with moderate confidence that these campaigns are linked to APT29, a group known for its advanced cyber capabilities and ties to the Russian government.
The similarities between the exploits used by APT29 and those developed by commercial vendors suggest a potential leak or sale of these tools.
The persistence and sophistication of these attacks underscore the ongoing threat posed by state-sponsored cyber actors.
Watering hole attacks remain potent for delivering sophisticated exploits, particularly against users who have not applied the latest security patches.
The campaigns also highlight the risks associated with the proliferation of commercial surveillance tools, which malicious actors can repurpose.
To mitigate the risk of such attacks, users and organizations are urged to:
Repeatedly using the same exploits in these campaigns highlights the need for vigilance and proactive security measures.
While the exact means by which APT29 acquired these exploits remain unclear, the incidents are a stark reminder of the evolving cyber threat landscape.
Google’s TAG continues to work on detecting, analyzing, and preventing such exploits, sharing its findings to enhance security across the ecosystem.
As cyber threats become increasingly sophisticated, collaboration and information sharing among cybersecurity professionals and organizations are more crucial than ever.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial
Best DNS Management Tools play a crucial role in efficiently managing domain names and their…
Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…
Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…
SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…
In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…
The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…