Commercial Spyware Vendors Have a Copycat in Top Russian APT

August 30, 2024 at 01:05PM

Google’s Threat Analysis Group (TAG) discovered a series of exploit campaigns perpetrated by a Russian-backed threat actor targeting the Mongolian government websites, delivering mobile exploits previously utilized by commercial spyware vendors Intellexa and NSO Group. The campaigns aimed to hijack visitors’ devices by exploiting iOS and Chrome vulnerabilities, posing an ongoing threat.

According to the report, multiple exploit campaigns have been linked to a Russian-backed threat actor known by various names, including APT29, Cozy Bear, and Midnight Blizzard. These campaigns were observed delivering n-day mobile exploits that had previously been used by commercial spyware vendors.

Google’s Threat Analysis Group (TAG) revealed that these exploit campaigns originated from a watering hole attack on Mongolian government websites, specifically cabinet.gov[.]mn and mfa.gov[.]mn, belonging to Mongolia’s Cabinet and Ministry of Foreign Affairs. The attackers aimed to infect visitors’ devices by exploiting known vulnerabilities in iOS and Chrome on Android.

The campaigns have occurred on three separate occasions, with two of them delivering an iOS exploit through a vulnerability (CVE-2023-41993) that had been recently patched but was still exploited by Intellexa and NSO Group.

The researchers noted that the exploits used as part of these campaigns were originally developed and used by commercial surveillance vendors, and it’s unclear how the threat actors acquired these exploits. They emphasized the concerning trend of exploits developed by the commercial surveillance industry posing an even greater threat when utilized by APT actors.

Furthermore, the researchers highlighted that while the exploits themselves were originally used by commercial surveillance vendors, the recent watering hole campaigns differed in their delivery approaches and second-stage objectives.

Overall, the report underscores the significant threat posed by the reuse of exploits originally developed by commercial surveillance vendors and emphasizes the need for vigilance and proactive measures to address these growing security concerns.