Google has uncovered spying on government networks using a clever infection method.
Google experts recorded several cyberattacks on Mongolian government websites between November 2023 and July 2024. Hackers used vulnerabilities in iOS and Android to steal user data.
Watering hole attacks were attempts to compromise users using exploits that were distributed through infected sites. The cybercriminals first used a WebKit exploit that targeted iOS users with system versions lower than 16.6.1. During the attacks, malicious code that steals cookies was distributed through compromised sites. Later, the hackers switched to Android users, applying a chain of exploits for the Chrome browser, covering versions m121-m123. The exploits targeted vulnerabilities that had already been patched, but remained dangerous for unpatched devices.
In both campaigns, the attackers used exploits similar to those used by the commercial spyware companies Intellexa and NSO Group.
Hidden iframes were added to Mongolian government websites (cabinet.gov.mn and mfa.gov.mn) that download content from a hacker-controlled site. The iframe distributed the CVE-2023-41993 exploit, which stole cookies from iPhone users running older versions of iOS. In the case of Android, the hackers used JavaScript to redirect to a third-party site from where the Chrome exploit chain was downloaded. The chain included the CVE-2024-5274 and CVE-2024-4671 vulnerabilities, allowing attackers to steal information from devices.
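As an added defender-side example (not code from the original post or from Google's report), the scanner below checks a page's HTML for the injection pattern described above: an iframe that is visually hidden and loads content from a host outside the site's own domain. The sample HTML and the host `attacker.example` are constructed placeholders; cabinet.gov.mn is used as the site's own domain only because it is named in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeScanner(HTMLParser):
    """Collects src URLs of <iframe> tags that are both hidden and cross-origin."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _is_cross_origin(self, src):
        host = (urlparse(src).hostname or "").lower()
        if not host:
            return False  # relative URL: same origin as the page
        return host != self.site_host and not host.endswith("." + self.site_host)

    @staticmethod
    def _is_hidden(attrs):
        style = attrs.get("style", "").replace(" ", "").lower()
        zero = ("0", "0px")
        return ("display:none" in style or "visibility:hidden" in style
                or attrs.get("width", "").strip() in zero
                or attrs.get("height", "").strip() in zero
                or "hidden" in attrs)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # bare attributes (e.g. `hidden`) map to ""
        src = a.get("src", "")
        if src and self._is_cross_origin(src) and self._is_hidden(a):
            self.findings.append(src)


def scan_html(html, site_host):
    """Return the list of suspicious hidden cross-origin iframe sources in `html`."""
    scanner = HiddenIframeScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate visible embed, one hidden same-origin
# frame, and one injected hidden frame pointing at a placeholder attacker host.
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.cabinet.gov.mn/news/embed" width="600" height="400"></iframe>
<iframe src="/internal/widget" style="display: none"></iframe>
<iframe src="https://attacker.example/track.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML, "cabinet.gov.mn"))
```

Running the scanner against a saved copy of each public page on a schedule and alerting on any new finding gives site owners an early signal of this kind of tampering.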
Google promptly notified Apple, Google, and the Mongolian CERT of the threats found, which helped fix the problem. However, it remains unclear how the hackers gained access to exploits originally developed by commercial companies.
Source