Google’s Threat Analysis Group (TAG) tracks actors involved in information operations (IO), government backed attacks and financially motivated abuse. For years, TAG has been tracking the activities of commercial spyware vendors to protect users. Today, we actively track more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government backed actors. These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house.

While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers and opposition party politicians. In this blog, we’re sharing details about two distinct campaigns we’ve recently discovered which used various 0-day exploits against Android, iOS and Chrome and were both limited and highly targeted. The 0-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.

The Android exploit chain targeted users on phones with an ARM GPU running Chrome versions prior to 106. It consisted of three exploits, including one 0-day:

- CVE-2022-3723, a type confusion vulnerability in Chrome, found by Avast in the wild and fixed in October 2022 in version 1.87.
- CVE-2022-4135, a Chrome GPU sandbox bypass only affecting Android (0-day at time of exploitation), fixed in November 2022. Sergei Glazunov from Project Zero helped analyze the exploit and wrote a root cause analysis for this bug.
- CVE-2022-38181, a privilege escalation bug fixed by ARM in August 2022. It is unclear if attackers had an exploit for this vulnerability before it was reported to ARM.

It’s worth noting users were redirected to Chrome using Intent Redirection if they were coming from a Samsung Internet Browser. In the past, we have seen attackers redirect users from Chrome to Samsung Internet Browser, similar to CVE-2022-2856, but in this case the redirection occurred the other way. We were unable to obtain the final payload for this exploit chain.

When ARM released a fix for CVE-2022-38181, patches were not immediately incorporated by vendors, resulting in the bug’s exploitation. This was recently highlighted by blog posts from Project Zero and GitHub Security Lab. Note, Pixel devices with the security update are protected against both exploit chains in this blog. Chrome users updated to at least version 1 are also protected.

- site/api/s/N0NBL8/ - Android exploit chain
- site/api/s/3PU970/ - iOS exploit chain

In December 2022, TAG discovered a complete exploit chain consisting of multiple 0-days and n-days targeting the latest version of Samsung Internet Browser. The exploits were delivered in one-time links sent via SMS to devices located in the United Arab Emirates (UAE). The link directed users to a landing page identical to the one TAG examined in the Heliconia framework developed by commercial spyware vendor Variston. The exploit chain ultimately delivered a fully featured Android spyware suite written in C++ that includes libraries for decrypting and capturing data from various chat and browser applications. The actor using the exploit chain to target UAE users may be a customer or partner of Variston, or otherwise working closely with the spyware vendor.