The use of zero-day exploits and complex infrastructure isn’t in itself a sign of sophistication, but it does show above-average skill by a professional team of hackers. Combined with the robustness of the attack code—which chained together multiple exploits in an efficient manner—the campaign demonstrates it was carried out by a “highly sophisticated actor.”
“These exploit chains are designed for efficiency and flexibility through their modularity,” a researcher with Google’s Project Zero research team wrote. “They are well engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains.”
The modularity of the payloads, the interchangeable exploit chains, and the logging, targeting, and maturity of the operation also set the campaign apart, the researcher said.
The four zero-days exploited were:
- CVE-2020-6418—Chrome Vulnerability in TurboFan (fixed February 2020)
- CVE-2020-0938—Font Vulnerability on Windows (fixed April 2020)
- CVE-2020-1020—Font Vulnerability on Windows (fixed April 2020)
- CVE-2020-1027—Windows CSRSS Vulnerability (fixed April 2020)
In all, Project Zero published six installments detailing the exploits and post-exploit payloads the researchers found. Other parts outline a Chrome infinity bug, the Chrome exploits, the Android exploits, the post-Android exploitation payloads, and the Windows exploits.
The intention of the series is to assist the security community at large in more effectively combating complex malware operations. “We hope this blog post series provides others with an in-depth look at exploitation from a real-world, mature, and presumably well-resourced actor,” Project Zero researchers wrote.
This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more.