Analysts at the Google Threat Analysis Group (TAG) have discovered that government-backed hackers used five zero-day vulnerabilities to install the Predator spyware, created by the commercial spyware developer Cytrox.
Let me remind you that we also wrote that a Vulnerability in the WordPress Tatsu Builder Plugin Is under Attack. The researchers say they recorded three campaigns that ran from August to October 2021. In these attacks, the attackers used 0-day exploits targeting Chrome and Android, and the Android exploits worked even on fully updated devices. The experts associate these vulnerabilities and their exploitation "with a high degree of confidence" with Cytrox from North Macedonia. According to TAG, government hackers purchased and used these exploits to infect Android devices with spyware in Egypt, Armenia, Greece, Madagascar, Cote d'Ivoire, Serbia, Spain and Indonesia. The vulnerabilities involved were:
- CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 in Chrome;
- CVE-2021-1048 in Android.
Exploits for these problems were used in three separate campaigns:
- campaign #1 – redirect to SBrowser from Chrome (CVE-2021-38000);
- campaign #2 – Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976);
- campaign #3 – a chain of 0-day exploits for Android (CVE-2021-38003, CVE-2021-1048).