Google uncovers multiple hacking campaigns targeting Android, iOS, and Samsung devices

Google’s Threat Analysis Group (TAG) recently announced the discovery of several hacking campaigns that used zero-day vulnerabilities to install spyware on users’ devices. Exploit chains were deployed on Android, iOS, and Samsung devices with a high level of sophistication, indicating that surveillance vendors may be sharing exploit techniques with one another.

Hacking campaigns found by TAG

TAG researchers identified two highly targeted campaigns that focused on exploiting zero-day vulnerabilities. In one campaign, attackers used text messages with shortened links that redirected victims to legitimate shipment websites in Italy, Malaysia, and Kazakhstan. The attackers then used a WebKit remote code execution zero-day and a sandbox escape bug to exploit iOS and Android devices. The attackers installed a payload on these devices that enabled them to track victims’ locations and install .IPA files. They also used an Android exploit chain to attack devices with ARM GPUs using zero-day vulnerabilities.

In another campaign, researchers found an exploit chain targeting the Samsung Internet Browser that used multiple zero-day and n-day vulnerabilities. These campaigns were highly targeted, and the attackers took advantage of the time gap between when software patches were released and when they were fully deployed on end-users’ devices.

Link between spyware vendors

The discovery of these exploit chains was prompted by findings shared by Amnesty International’s Security Lab. The campaigns indicate that exploits and techniques are being shared between surveillance vendors, leading to the development of dangerous hacking tools. Google is currently tracking more than 30 vendors known for selling surveillance capabilities or exploits to government-sponsored threat actors worldwide.

Google has linked an exploit framework known as Heliconia, which targets Chrome, Firefox, and Microsoft Defender vulnerabilities, to the Spanish software company Variston IT. This highlights how commercial cybersurveillance companies have access to zero-day exploits, stockpiling them for their own purposes or sharing them with others, and thereby create major security risks.

Newly discovered spyware campaign

Amnesty International’s Security Lab recently exposed a hacking campaign by a commercial cybersurveillance company. The attack targeted billions of Android, Chrome, and Linux users. TAG collaborated with Amnesty International to release security updates that protect users from the exploits used in these campaigns.

The newly discovered spyware campaign has been active since at least 2020 and it targets mobile and desktop devices. The spyware and zero-day exploits were delivered from an extensive network of over 1000 malicious domains. Amnesty International has identified additional activity related to this spyware campaign in Indonesia, Belarus, the UAE, and Italy.

Numerous abuses by the spyware industry pose a critical threat to human rights defenders and civil society around the world. As a result, US President Biden signed an executive order restricting the government’s use of commercial spyware technology that poses a threat to human rights. There is also an urgent need for a global moratorium on the sale, transfer, and use of spyware until robust human rights regulatory safeguards are put in place.

Conclusion

Google’s latest discovery highlights the need for increased cybersecurity measures and vigilance from users. Cybersecurity professionals should prioritize monitoring their devices’ security patches to apply them as soon as possible. Users should also exercise caution when clicking on links received through text messages or emails, especially if they come from unknown sources. Finally, there must be greater accountability for companies that develop and sell exploit techniques to prevent egregious exploitation of human rights globally.

Image Source: Wikimedia Commons