Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack

August 29, 2024 at 12:24PM

Cybersecurity researchers observed in-the-wild exploit campaigns, attributed with moderate confidence to a Russian state-backed threat actor, that used already-patched flaws in Apple Safari and Google Chrome to infect mobile users with malware. The campaigns ran between November 2023 and July 2024 and relied on watering hole attacks staged on compromised Mongolian government websites. Although the vulnerabilities were n-days at the time of delivery, the exploits remained effective against any browser that had not yet received the fixes.

From the meeting notes:

– Exploit campaigns leveraging already-patched vulnerabilities in Apple Safari and Google Chrome were observed between November 2023 and July 2024.
– The campaigns are attributed with moderate confidence to the Russian state-backed threat actor APT29 (also tracked as Midnight Blizzard).
– The vulnerabilities targeted include CVE-2023-41993 in WebKit (Apple Safari) and CVE-2024-4671 and CVE-2024-5274 in Google Chrome.
– The attackers compromised Mongolian government websites to use as watering holes and deployed a cookie-stealer framework to exfiltrate browser cookies from the mobile devices of visitors.
– The exploits show evidence of reuse: they match exploits previously linked to the commercial surveillance vendors (CSVs) Intellexa and NSO Group.
– The researchers raise the possibility that the exploits were procured from a vulnerability broker after originally being sold to the spyware vendors as zero-days.

These notes highlight the severity of the exploit campaigns, the tactics used by the threat actors, and the potential supply chain for acquiring exploits.