Suspected Russian hackers have been hitting iPhone and Android users visiting government websites with exploits first leveraged by commercial surveillance vendors, Google TAG researchers shared.
The watering hole campaigns
Between November 2023 and July 2024, threat actors have repeatedly compromised the websites of the Mongolian Cabinet Secretariat (cabinet.gov[.]mn) and the country’s Ministry of Foreign Affairs (mfa.gov[.]mn) to serve iframes or JavaScript delivering an exploit or exploit chain.
The threat actors leveraged Intellexa’s CVE-2023-41993 (WebKit) exploit to target iPhone users running versions 16.6.1 or older and, more recently, an adapted version of NSO Group’s CVE-2024-5274 exploit, chained with a sandbox escape for CVE-2024-4671 that strongly resembled Intellexa’s CVE-2021-37973 exploit.
Attack chain targeting Android/Chrome users (Source: Google TAG)
“These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices,” Google TAG threat researchers noted.
“The WebKit exploit did not affect users running the current iOS version at the time (iOS 16.7), working only on iOS versions 16.6.1 or older. Users with lockdown mode enabled were not affected even when running a vulnerable iOS version,” the researchers explained.
Users of vulnerable iPhones or iPads who visited the websites when they served the malicious iframes were hit with a cookie stealer framework that Google TAG previously observed being used in 2021 in a suspected APT29 (aka Cozy Bear, aka Midnight Blizzard) campaign.
Android users using Google Chrome versions 121, 122 and 123 were similarly hit with a cookie-stealing payload.
A winning approach
The researchers don’t know how the attackers acquired the exploits, but say that watering holes can be an effective avenue for mass targeting a population with n-day exploits.
Users whose device or browser were not vulnerable were identified by an initial reconnaissance payload and were not served with the final info-stealing payload.