August 30, 2024 at 01:42PM
APT29, also known as Cozy Bear and Midnight Blizzard, conducted exploit campaigns using n-day mobile exploits previously employed by commercial spyware vendors. Google’s Threat Analysis Group found that these campaigns were initiated through a watering hole attack on Mongolian government websites, aiming to infect devices with iOS and Android vulnerabilities. The exploitation occurred on three occasions, with the latest campaign occurring a month ago. The exploit used a vulnerability tracked as CVE-2023-41993, previously exploited by Intellexa and NSO Group, despite being patched. It remains unclear how the attackers acquired these exploits, but it highlights the increasing threat posed by repurposed commercial surveillance exploits.
From the meeting notes, it is clear that multiple exploit campaigns linked to a Russian-backed threat actor were discovered delivering n-day mobile exploits previously used by commercial spyware vendors. These campaigns were delivered through watering hole attacks on Mongolian government websites, specifically cabinet.gov[.]mn and mfa.gov[.]mn. The exploits targeted known flaws in iOS and Chrome on Android to hijack devices of website visitors. The researchers have noted that these exploits were originally used as 0-days by commercial surveillance vendors and were later acquired and used by threat actors, highlighting the escalating threat posed by such exploits.