Wednesday, 09 July 2025

A sophisticated malware campaign that targeted Android and Windows users was revealed

Google released a six-part report on a sophisticated cybercriminal operation, discovered by Google early last year, that targeted Android and Windows users.

As reported in the first part of the report, the attacks were carried out from two servers that delivered different exploit chains to the attacked systems using the watering hole technique. One server was used to attack Windows users and the other to attack Android users.

As an entry point to the attacked system, both servers exploited vulnerabilities in Google Chrome, and then the attackers deployed a system-level exploit to gain more control over the victim's device.

The exploit chains combined known vulnerabilities with zero-day vulnerabilities. In particular, the attackers exploited four vulnerabilities in Google Chrome, one of which was a zero-day at the time of discovery, two sandbox escape exploits abusing three zero-day vulnerabilities, and a “privilege escalation kit” composed of publicly known vulnerabilities affecting older versions of Android.

Zero-day vulnerabilities in Google Chrome exploited by hackers and patched in 2020:

CVE-2020-6418 - a vulnerability in the TurboFan optimizing compiler (fixed in February 2020);

CVE-2020-0938 - a vulnerability in the Adobe Type Manager Library in Microsoft Windows (fixed in April 2020);

CVE-2020-1020 - a vulnerability in the Adobe Type Manager Library in Microsoft Windows (fixed in April 2020);

CVE-2020-1027 - a Windows privilege escalation vulnerability (fixed in April 2020).

A watering hole attack is a strategy in which the attacker guesses or observes which websites the intended victims frequently visit and infects one or more of those sites with malware, so that the victims are compromised simply by browsing to a site they trust.
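One way defenders hunt for this pattern is in web-proxy logs: a watering hole typically makes many internal browsers fetch a script from a host nobody in the organisation had contacted before, always arriving via the same compromised site. The script below is an added example and is not part of the article or of Google's report; the log format, host names, allow-list and the two-client threshold are constructed assumptions.

```python
"""Flag proxy-log requests that look like watering-hole staging traffic.

Constructed example (not from the article or from Google's report):
several internal hosts visit a legitimate site, and their browsers are
then sent, via that site, to a rarely seen third-party host for a script.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines: timestamp, client, method, url, referer, content-type
SAMPLE_LOG = """\
2021-01-12T09:01:03Z 10.0.0.11 GET https://news.example.org/ - text/html
2021-01-12T09:01:04Z 10.0.0.11 GET https://cdn.example.org/site.js https://news.example.org/ application/javascript
2021-01-12T09:01:05Z 10.0.0.11 GET https://stage-7f3a.example.net/l.js https://news.example.org/ application/javascript
2021-01-12T09:02:10Z 10.0.0.12 GET https://news.example.org/ - text/html
2021-01-12T09:02:11Z 10.0.0.12 GET https://cdn.example.org/site.js https://news.example.org/ application/javascript
2021-01-12T09:02:12Z 10.0.0.12 GET https://stage-7f3a.example.net/l.js https://news.example.org/ application/javascript
2021-01-12T09:05:00Z 10.0.0.13 GET https://cdn.example.org/site.js https://intranet.example.com/ application/javascript
2021-01-12T09:06:00Z 10.0.0.14 GET https://mail.example.com/ - text/html
"""

# Script hosts the organisation already knows and trusts (constructed allow-list).
KNOWN_SCRIPT_HOSTS = {"cdn.example.org"}


def parse_log(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer, ctype = line.split()
        rows.append({
            "ts": ts,
            "client": client,
            "method": method,
            "host": urlparse(url).hostname,
            "url": url,
            "referer_host": urlparse(referer).hostname if referer != "-" else None,
            "ctype": ctype,
        })
    return rows


def find_watering_hole_candidates(rows, known_hosts=KNOWN_SCRIPT_HOSTS, min_clients=2):
    """Return {script_host: {"referers": set, "clients": set}} for script hosts
    that are (a) not on the allow-list, (b) only ever reached via a single
    referring site and (c) reached that way by at least `min_clients` clients.

    Heuristic only: a legitimate but newly adopted CDN produces the same
    pattern, so the output is a review queue, not a verdict.
    """
    by_host = defaultdict(lambda: {"referers": set(), "clients": set()})
    for r in rows:
        if r["ctype"] != "application/javascript" or r["referer_host"] is None:
            continue
        if r["host"] in known_hosts:
            continue
        by_host[r["host"]]["referers"].add(r["referer_host"])
        by_host[r["host"]]["clients"].add(r["client"])
    return {
        host: info
        for host, info in by_host.items()
        if len(info["referers"]) == 1 and len(info["clients"]) >= min_clients
    }


if __name__ == "__main__":
    hits = find_watering_hole_candidates(parse_log(SAMPLE_LOG))
    for host, info in hits.items():
        print(f"{host}: loaded via {sorted(info['referers'])} "
              f"by {len(info['clients'])} clients")
```

On the sample data only the constructed staging host is reported, reached by two clients via the same referring site, while the allow-listed CDN and the single intranet-referred request are ignored. The threshold and allow-list are the knobs to tune against real traffic; the first run on production logs will mostly surface legitimate third-party script hosts that belong on the allow-list.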

Source: securitylab.ru

14 January 2021
