Google’s Threat Analysis Group (TAG) has reported the discovery of multiple exploit campaigns targeting Mongolian government websites, spanning from November 2023 to July 2024.
These campaigns involved sophisticated watering hole attacks, which compromised the websites cabinet.gov.mn and mfa.gov.mn to deliver malicious payloads to unsuspecting visitors.
The campaigns initially targeted iOS devices with a WebKit exploit affecting versions older than 16.6.1. Later, they shifted focus to Android users, deploying a Chrome exploit chain against versions m121 to m123.
Both exploits were n-day vulnerabilities: patches had already been released, but devices that had not yet installed them remained susceptible.
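Because both exploits were n-days delivered through public websites, a site operator or incident responder who has the web server's access logs can at least enumerate which visitors were running a version inside the affected ranges. The script below is an added example written for this article, not tooling from Google TAG or from the compromised sites; it assumes combined-format access logs, uses constructed log lines, and keys the iOS check on the OS version in the User-Agent (every iOS browser, including Chrome's CriOS build, uses the system WebKit) and the Android check on the Chrome major version, which survives Chrome's User-Agent reduction. User-Agent strings are client-supplied, so this is triage, not proof of compromise.

```python
import re
from dataclasses import dataclass

# Thresholds taken from the report: the WebKit exploit hit iOS older than 16.6.1,
# and the Android exploit chain targeted Chrome m121 through m123.
IOS_PATCHED = (16, 6, 1)
CHROME_VULN_MAJORS = range(121, 124)

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2024:09:14:02 +0800] "GET /en/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1"
203.0.113.11 - - [12/Feb/2024:09:15:40 +0800] "GET /en/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1"
203.0.113.12 - - [25/Jul/2024:14:02:11 +0800] "GET /mn/ HTTP/1.1" 200 4870 "-" "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.119 Mobile Safari/537.36"
203.0.113.13 - - [25/Jul/2024:14:03:55 +0800] "GET /mn/ HTTP/1.1" 200 4870 "-" "Mozilla/5.0 (Linux; Android 14; SM-S918B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.64 Mobile Safari/537.36"
203.0.113.14 - - [25/Jul/2024:14:05:19 +0800] "GET /mn/ HTTP/1.1" 200 4870 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/116.0.5845.177 Mobile/15E148 Safari/604.1"
203.0.113.15 - - [25/Jul/2024:14:06:02 +0800] "GET /mn/ HTTP/1.1" 200 4870 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
IOS_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")
ANDROID_CHROME_RE = re.compile(r"Android[^)]*\).*?Chrome/(\d+)\.")


@dataclass
class Visit:
    ip: str
    timestamp: str
    platform: str   # "ios", "android-chrome" or "other"
    version: str    # version as reported in the User-Agent
    exposed: bool   # True when inside a range the report names as targeted


def classify_ua(ua):
    """Map a User-Agent to (platform, version, exposed)."""
    m = IOS_RE.search(ua)
    if m:
        # iOS reports the OS version; the patch level is absent when zero (16_6 == 16.6.0).
        ver = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
        return "ios", ".".join(map(str, ver)), ver < IOS_PATCHED
    m = ANDROID_CHROME_RE.search(ua)
    if m:
        # Only Android Chrome is in scope; desktop Chrome at the same major is not flagged.
        major = int(m.group(1))
        return "android-chrome", f"m{major}", major in CHROME_VULN_MAJORS
    return "other", "", False


def triage(log_text):
    """Parse access log lines and classify each visit; malformed lines are skipped."""
    visits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, ua = m.groups()
        platform, version, exposed = classify_ua(ua)
        visits.append(Visit(ip, ts, platform, version, exposed))
    return visits


def exposed_ips(log_text):
    """Distinct client IPs whose reported version fell inside a targeted range."""
    return sorted({v.ip for v in triage(log_text) if v.exposed})


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"{v.ip:14} {v.platform:15} {v.version:10} exposed={v.exposed}")
    print("follow up:", exposed_ips(SAMPLE_LOG))
```

Note that the CriOS visitor on iOS 16.6 is flagged even though the browser is Chrome, and the Windows Chrome 122 visitor is not, because the report ties the Chrome chain to Android users; both decisions live in `classify_ua` if the scope needs adjusting.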
TAG has attributed these campaigns with moderate confidence to APT29, a Russian government-backed actor. The exploits used were similar to those previously employed by commercial surveillance vendors (CSVs) such as Intellexa and NSO Group.
Campaign Timeline
- November 2023: The compromised websites included an iframe that delivered the CVE-2023-41993 exploit to iPhone users running older iOS versions. This exploit was used to steal cookies from targeted websites.
- February 2024: The attack was repeated with updated target lists, continuing to exploit the same iOS vulnerability.
- July 2024: A new attack targeted Android users, using a Chrome exploit chain to deploy an information-stealing payload.
Technical Analysis
The iOS campaign utilized a reconnaissance payload to identify the target’s device model before deploying the WebKit exploit.
The iOS exploit reused the cookie stealer framework observed in March 2021, when Russian attackers exploited CVE-2021-1879 to obtain authentication cookies from sites such as LinkedIn, Gmail, and Facebook. In that campaign, LinkedIn Messaging was used to send malicious links to Western European government officials.
In the recent watering hole attacks, iOS versions older than 16.6 followed the same flow as CVE-2021-1879.
The attack involved creating a websocket to an attacker-controlled IP address, manipulating the SecurityOrigin class to gain access to the targeted domain's URLs, and capturing authentication cookies by intercepting the websocket requests. The module targeted specific websites such as Google, LinkedIn, and Facebook.
On newer iOS versions, the payload uses WebCore::NetworkStorageSession::getAllCookies() to collect and exfiltrate cookies.
The Chrome campaign required an additional sandbox escape vulnerability to bypass Chrome's Site Isolation feature, which renders each site in its own process so that compromising a renderer alone does not expose data belonging to other sites.
At the end of July 2024, a new watering hole attack was identified on the mfa.gov[.]mn website, where the track-adv[.]com domain was used to deliver a Google Chrome exploit chain targeting Android users.
Similar to the iOS attack, the goal was to steal credential cookies using n-day vulnerabilities. However, the Chrome attack required an additional sandbox escape to bypass site isolation.
Rather than adding an iframe to the page directly, the attackers used obfuscated JavaScript to inject a malicious iframe pointing to track-adv[.]com. Unlike previous campaigns, which relied on static decryption keys, this one performed a proper ECDH key exchange to derive its encryption keys.
Both attacks used IndexedDB to store client-side state, in databases named minus (iOS) and tracker (Chrome). A unique identifier was generated once and passed as a parameter through every stage.
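A site operator's first line of detection for this kind of injection is comparing the pages actually served against a known-good baseline, since the malicious iframe only exists after the obfuscated script runs. The scanner below is an added example written for this article, not code from Google TAG or from the affected sites; it assumes the operator keeps SHA-256 hashes of the site's legitimate inline scripts and an allowlist of hosts permitted in iframes, and it uses a constructed clean page and a constructed tampered copy whose injected script uses a placeholder instead of any real payload. It reports iframes to non-allowlisted hosts and any inline script absent from the baseline, annotated with the obfuscation indicators it matches.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators of runtime injection or obfuscation. Any one alone is noise; a script
# that is both absent from the baseline and matches several deserves a human look.
INDICATORS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|\bFunction\s*\("),
    "atob_or_fromcharcode": re.compile(r"\batob\s*\(|String\.fromCharCode"),
    "iframe_creation": re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)|<iframe", re.I),
    "long_literal": re.compile(r"['\"][A-Za-z0-9+/=_\-]{200,}['\"]"),
}


class PageScanner(HTMLParser):
    """Collect iframe src values and inline script bodies from served HTML."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a.get("src", ""))
        elif tag == "script" and not a.get("src"):
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False


def script_hash(body):
    return hashlib.sha256(body.strip().encode()).hexdigest()


def scan_html(html, allowed_hosts, baseline_hashes):
    """Return (kind, description) findings for content not matching the baseline."""
    p = PageScanner()
    p.feed(html)
    p.close()
    findings = []
    for src in p.iframes:
        host = urlparse(src).hostname or ""   # relative src has no host: same-origin, skip
        if host and host not in allowed_hosts:
            findings.append(("iframe", f"iframe to non-allowlisted host {host} ({src})"))
    for body in p.scripts:
        if script_hash(body) in baseline_hashes:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        findings.append(("script", "inline script not in baseline; indicators: "
                         + (", ".join(hits) or "none")))
    return findings


# Constructed sample: a clean page with one baselined inline script, and the same
# page after an injected script and a foreign iframe were appended.
BENIGN_SCRIPT = "window.siteConfig = {lang: 'mn', analytics: '/stats.js'};"
INJECTED_SCRIPT = (
    'var k="' + "A" * 240 + '";'
    + "var f=document.createElement('iframe');"
    + "f.src=atob('PLACEHOLDER_BASE64');f.style.display='none';"   # placeholder, decodes to nothing real
    + "document.body.appendChild(f);"
)
CLEAN_PAGE = ("<html><body><h1>News</h1><script>" + BENIGN_SCRIPT + "</script>"
              "<iframe src='/widgets/weather'></iframe></body></html>")
COMPROMISED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<script>" + INJECTED_SCRIPT + "</script><iframe src='//ads.example/x'></iframe></body>")
BASELINE = {script_hash(BENIGN_SCRIPT)}
ALLOWED_HOSTS = {"www.example.gov"}   # assumption: the site's own hosts

if __name__ == "__main__":
    print("clean:", scan_html(CLEAN_PAGE, ALLOWED_HOSTS, BASELINE))
    for kind, desc in scan_html(COMPROMISED_PAGE, ALLOWED_HOSTS, BASELINE):
        print(f"{kind}: {desc}")
```

Run it against pages fetched from the public edge rather than from the origin's document root, since a compromise at a CDN, reverse proxy or third-party include never touches the files on disk.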
Both campaigns employed a cookie stealer framework, similar to one observed in a 2021 APT29 campaign, to exfiltrate authentication cookies from various prominent websites.
Google has notified Apple and the Android and Google Chrome teams about these campaigns, and has alerted the Mongolian Computer Emergency Response Team (CERT) so that the compromised websites can be remediated. TAG has also added the identified malicious domains to Safe Browsing to protect users.
These findings highlight the persistent threat posed by watering hole attacks and the reuse of exploits originally developed by commercial surveillance vendors. TAG emphasizes the importance of applying security patches promptly to prevent exploitation and remains committed to detecting and mitigating 0-day vulnerabilities.