Analysts at the Google Threat Analysis Group (TAG) have discovered that government hackers use five zero-day vulnerabilities at once to install the Predator spyware, created by commercial spyware developer Cytrox.
Let me remind you that we also wrote that Vulnerability in WordPress Tatsu Builder Plugin Is under Attack. The researchers say they recorded three campaigns that lasted from August to October 2021. In these attacks, the attackers used 0-day exploits targeting Chrome and Android, even on fully updated Android devices. At the same time, exploit experts “with a high degree of confidence” associate these vulnerabilities and their exploitation with Cytrox from North Macedonia. According to TAG, government hackers purchased and used these exploits to infect Android devices with spyware in Egypt, Armenia, Greece, Madagascar, Cote d’Ivoire, Serbia, Spain and Indonesia.
0-day exploits have been used alongside n-day exploits as developers have taken advantage of the gap between the time when some critical bugs are already fixed but not yet flagged as a security issue, and the time when these fixes are already fully deployed in the Android ecosystem.experts write.
- CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 in Chrome;
- CVE-2021-1048 in Android.
Exploits for these problems were used in three separate campaigns:
- campaign #1 – redirect to SBrowser from Chrome (CVE-2021-38000);
- campaign #2 – Chrome Sandbox Escape (CVE-2021-37973, CVE-2021-37976);
- campaign #3 — a chain of 0-day exploits for Android (CVE-2021-38003, CVE-2021-1048).
All three campaigns delivered one-time links that mimic URL shortening services to targeted Android users via email. Campaigns were limited – in each case, we estimate the number of goals by dozens of users. After clicking on the link, it redirected the victim to a domain owned by the attacker who used the exploits before redirecting the browser to a legitimate site. If the link was inactive, the user was immediately taken to a legitimate site.the TAG report says.
