Security researchers have documented a series of exploit campaigns against mobile users that abused since-patched vulnerabilities in Apple's WebKit (the engine behind Safari) and Google Chrome. The activity, observed between November 2023 and July 2024, relied on n-day exploits: a fix was already available for every bug involved, so only devices that had not yet been updated were affected. The exploits were used to deploy information-stealing payloads.
According to Google's Threat Analysis Group (TAG), the campaigns delivered these n-day exploits through a watering hole attack on two Mongolian government websites, cabinet.gov.mn and mfa.gov.mn. The attackers compromised the sites and injected code into their pages so that ordinary visitors were served the exploits.
TAG attributed the activity, with moderate confidence, to the Russian state-backed actor APT29 (also tracked as Midnight Blizzard); the basis is overlap with tooling from a 2021 campaign by the same group, described below. A separate finding is that the exploits themselves were not new: the WebKit exploit matched one previously used by the commercial surveillance vendor Intellexa, and the Chrome chain matched one previously used by NSO Group. Exploits developed for the commercial surveillance market are thus reaching state-backed actors, who keep using them against unpatched targets long after the fixes ship.
Key Vulnerabilities Exploited:
- CVE-2023-41993: A WebKit flaw allowing arbitrary code execution when processing specially crafted web content. Patched in iOS/iPadOS 16.7 and Safari 16.6.1 (September 2023). Used against iPhone and iPad visitors in the first waves.
- CVE-2024-4671: A use-after-free in Chrome's Visuals component, used in the Android chain to escape the renderer sandbox. Fixed in Chrome 124.0.6367.201/.202 (May 2024).
- CVE-2024-5274: A type confusion in Chrome's V8 JavaScript engine, used in the Android chain for initial code execution in the renderer. Fixed in Chrome 125.0.6422.112/.113 (May 2024).
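Because all three bugs were n-days, the question for anyone whose users visited the compromised sites is which visitors were still running a build below the fix. The following triage script is an added example written for this article, not code from TAG or from the campaign: it reads combined-format web server access logs, extracts the browser version from the User-Agent field, and compares it with the fix versions listed above. The fix versions are the ones the article quotes (Chrome publishes per-platform build numbers, so confirm them for the platform you are triaging); the iOS 17.0.1 threshold comes from Apple's September 2023 advisory. The log lines are constructed sample data using RFC 5737 documentation addresses. One caveat the script handles explicitly: since Chrome's User-Agent reduction, most clients report only the major version (e.g. `Chrome/124.0.0.0`), so a client on the same major as the fix cannot be classified from the UA alone and is reported as "unknown".

```python
import re

# Fix versions as given in the article (assumption: the quoted build numbers
# apply to the platform being triaged; confirm in Chrome's release notes).
CHROME_FIXES = {
    "CVE-2024-4671": (124, 0, 6367, 201),
    "CVE-2024-5274": (125, 0, 6422, 112),
}
# CVE-2023-41993: fixed in iOS/iPadOS 16.7 (article) and in 17.0.1 for the
# 17 branch (Apple's September 2023 advisory).
IOS_FIX_BY_MAJOR = {16: (16, 7, 0), 17: (17, 0, 1)}

CHROME_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
IOS_RE = re.compile(r"(?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X")
UA_RE = re.compile(r'"([^"]*)"\s*$')  # UA is the last quoted field in combined format


def chrome_version(ua):
    """Chrome build as a 4-tuple, or None if the agent is not Chrome."""
    m = CHROME_RE.search(ua)
    return tuple(int(x) for x in m.groups()) if m else None


def ios_version(ua):
    """iOS/iPadOS version as (major, minor, patch), or None."""
    m = IOS_RE.search(ua)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def exposed_cves(ua):
    """Map each campaign CVE the client could be open to, to "exposed" (reported
    version is below the fix) or "unknown" (reduced Chrome UA with the same
    major as the fix, so the build number is not visible)."""
    result = {}
    cv = chrome_version(ua)
    if cv is not None:
        reduced = cv[1:] == (0, 0, 0)  # UA reduction hides everything but major
        for cve, fix in CHROME_FIXES.items():
            if reduced:
                if cv[0] < fix[0]:
                    result[cve] = "exposed"
                elif cv[0] == fix[0]:
                    result[cve] = "unknown"
            elif cv < fix:
                result[cve] = "exposed"
    iv = ios_version(ua)
    if iv is not None:
        fix = IOS_FIX_BY_MAJOR.get(iv[0])
        # Branches older than 16 have no fix in the table and are treated as
        # exposed; 18 and later shipped after the fix.
        exposed = (iv < fix) if fix else (iv[0] < 16)
        if exposed:
            result["CVE-2023-41993"] = "exposed"
    return result


def triage_log(lines):
    """Map each client IP whose browser was exposed (or indeterminate) to its CVE status."""
    hits = {}
    for line in lines:
        m = UA_RE.search(line)
        if not m:
            continue
        status = exposed_cves(m.group(1))
        if status:
            hits[line.split()[0]] = status
    return hits


# Constructed sample log lines; not real traffic from the affected sites.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jul/2024:09:14:02 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.82 Mobile Safari/537.36"',
    '203.0.113.6 - - [12/Jul/2024:09:14:40 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 13; Pixel 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36"',
    '203.0.113.9 - - [12/Jul/2024:09:15:44 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.113 Mobile Safari/537.36"',
    '198.51.100.7 - - [12/Jul/2024:09:16:10 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1"',
    '198.51.100.8 - - [12/Jul/2024:09:17:31 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPad; CPU OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"',
    '198.51.100.9 - - [12/Jul/2024:09:18:05 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Mobile/15E148 Safari/604.1"',
]

if __name__ == "__main__":
    for ip, status in triage_log(SAMPLE_LOG).items():
        print(ip, ", ".join(f"{cve}={s}" for cve, s in status.items()))
```

Run against the sample, the script flags the Android client on 124.0.6367.82 as exposed to both Chrome bugs, the reduced-UA client on 124.0.0.0 as exposed to CVE-2024-5274 but indeterminate for CVE-2024-4671, and the iOS 16.5 and iPadOS 17.0 clients as exposed to CVE-2023-41993; the fully patched clients are not reported. Where the result is "unknown", the only reliable next step is an endpoint-side inventory (MDM or `chrome://version`), not the web log.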
Campaign Details:
The first two waves, in November 2023 and February 2024, used a malicious iframe injected into pages on the compromised Mongolian government websites. The iframe pointed iPhone and iPad visitors at the WebKit exploit (CVE-2023-41993), which first ran a reconnaissance payload on the device and then fetched a second-stage payload that exfiltrated browser cookies.
That second stage was a cookie-stealing framework previously seen in the 2021 exploitation of an iOS zero-day (CVE-2021-1879). It collected authentication cookies for popular services such as Google, Microsoft, LinkedIn, and Facebook and sent them to an attacker-controlled server, giving the attackers session access without needing the victim's password.
In July 2024, mfa.gov.mn was compromised again. This time the injected JavaScript checked the visitor's browser and redirected Chrome users on Android to an attacker-controlled URL. That page delivered an exploit chain in which CVE-2024-5274 (V8 type confusion) gained code execution inside the renderer and CVE-2024-4671 (Visuals use-after-free) escaped the Chrome sandbox. The final payload was an information stealer that collected browser data including cookies, saved passwords, and stored credit card details.
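Both waves began with foreign content injected into legitimate pages: a hidden iframe in the WebKit waves and a user-agent-gated redirect script in the Chrome wave. For the operator of a site like this, the practical check is to fetch the pages you serve and flag exactly those patterns. The scanner below is an added example written for this article, not TAG's tooling and not the campaign's actual injected code; it walks an HTML page with Python's standard `html.parser` and reports hidden or off-origin iframes, off-origin external scripts, and inline scripts that both inspect `navigator.userAgent` and assign `location`. The sample page and the domain `track-adv.example` are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
UA_CHECK = re.compile(r"navigator\.(?:userAgent|platform)", re.I)
REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\s*\(", re.I
)


class InjectionScanner(HTMLParser):
    """Collect (kind, detail) findings for the injection patterns used in the campaign."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _off_origin(self, url):
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs and the site's own subdomains are first-party.
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "")
            hidden = (
                a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
            )
            if hidden:
                self.findings.append(("hidden-iframe", src))
            elif self._off_origin(src):
                self.findings.append(("offsite-iframe", src))  # review, not necessarily malicious
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src")
            if src and self._off_origin(src):
                self.findings.append(("offsite-script", src))

    def handle_data(self, data):
        if self._in_script:  # html.parser hands script bodies to handle_data
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_buf)
            if UA_CHECK.search(body) and REDIRECT.search(body):
                self.findings.append(("ua-gated-redirect", " ".join(body.split())[:80]))
            self._in_script = False


def find_injections(html, site_host):
    """Scan one page's HTML; site_host is the hostname the page is served from."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a first-party script, an injected UA-gated redirect,
# an injected hidden iframe, a visible third-party embed, and a benign inline script.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Ministry news</title>
<script src="/static/site.js"></script>
</head><body>
<h1>Press releases</h1>
<script>
if (/Android/.test(navigator.userAgent) && navigator.userAgent.indexOf("Chrome") !== -1) {
  window.location = "https://track-adv.example/landing";
}
</script>
<iframe src="https://track-adv.example/frame" width="0" height="0" style="display:none"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<script>document.getElementById('x');</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in find_injections(SAMPLE_PAGE, "mfa.gov.mn"):
        print(f"{kind}: {detail}")
```

On the sample the scanner reports the UA-gated redirect, the hidden iframe, and the YouTube embed as an off-origin iframe worth reviewing, and says nothing about the first-party script or the benign inline script. In practice you would run it over every page from a crawl of your own site, diff the findings against a known-good baseline, and treat any new hidden iframe or UA-gated redirect as an incident; obfuscated injections will need the script body de-obfuscated before the regexes can see the redirect.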