Source |
RiskIQ |
Identifier |
8569431 |
Publication date |
2024-09-04 02:45:48 (viewed: 2024-09-04 03:18:11) |
Title |
State-backed attackers and commercial surveillance vendors repeatedly use the same exploits |
Text |
## Snapshot
Google's Threat Analysis Group (TAG) uncovered in-the-wild exploit campaigns targeting Mongolian government websites between November 2023 and July 2024. TAG attributes the attack to the Russian government-backed actor APT29, tracked by Microsoft as [Midnight Blizzard](https://sip.security.microsoft.com/intel-profiles/d825313b053efea45228ff1f4cb17c8b5433dcd2f86353e28be2d484ce874616). The attackers utilized exploits similar to those used by the commercial surveillance vendors Intellexa and NSO Group.
## Description
These campaigns delivered n-day exploits for iOS and Chrome, affecting unpatched devices. The initial infection vector was a watering hole attack on compromised websites that delivered iOS WebKit and Chrome exploits.
The iOS campaigns delivered an exploit via [CVE-2023-41993](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2023-41993/) targeting iPhone users running older iOS versions. TAG's analysis revealed that the exploit is nearly identical to one used by the commercial vendor Intellexa. This exploit loaded the same cookie stealer framework that TAG observed in March 2021, when a Russian state-backed attacker exploited [CVE-2021-1879](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2021-1879/) to steal authentication cookies from major sites like LinkedIn, Gmail, and Facebook. Read more [here](https://sip.security.microsoft.com/intel-explorer/articles/4a4ab0bf) about Microsoft's coverage of Midnight Blizzard's malicious activity exploiting CVE-2021-1879.
TAG also discovered a Google Chrome exploit chain that aimed to steal credential cookies from Android users. As in the iOS campaigns, this attack began with initial access gained through a watering hole. The chain exploited [CVE-2024-5274](http://CVE-2024-5274) to compromise the renderer, an exploit that Chrome Security had previously discovered as an in-the-wild 0-day in May 2024 used by the commercial vendor NSO Group. The attackers then leveraged [CVE-2024-4671](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2024-4671/) to break out of Chrome site isolation.
TAG is uncertain how suspected APT29 actors acquired the exploits used by commercial surveillance vendors.
### Additional Analysis
Commercial surveillance vendors, including Intellexa and the NSO Group, have been the subject of significant scrutiny and criticism. These companies develop and sell advanced spyware tools to governments and law enforcement agencies for surveillance purposes. However, their products have been linked to unauthorized surveillance activities and [human rights concerns](https://www.siliconrepublic.com/enterprise/amnesty-international-intellexa-ireland-predator-spyware). The NSO Group, known for its [Pegasus spyware](https://thehill.com/policy/cybersecurity/4053311-khashoggi-widow-suing-israeli-firm-says-spyware-caused-her-to-constantly-be-looking-over-her-shoulder/), has faced criticism for its involvement in illegal surveillance. Similarly, Intellexa has been implicated in scandals involving the use of its Predator spyware to monitor U.S. officials, journalists, and policy experts. Both companies have been [sanctioned](https://www.icij.org/investigations/cyprus-confidential/spyware-firm-intellexa-hit-with-us-sanctions-after-cyprus-confidential-expose/) for their roles in distributing spyware to authoritarian regimes.
## Recommendations
Strengthen operating environment configuration
- Keep operating systems and applications up to date. Apply security patches as soon as possible. Ensure that the Google Chrome web browser is updated to version [128.0.6613.84](https://ch |
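The n-day exploits described above only work against browsers that are behind the recommended build, so the practical check is whether each endpoint's Chrome is at or above 128.0.6613.84. The following is an added example, not code from the RiskIQ/TAG write-up; the inventory rows (hostnames, versions) are constructed, and a real sweep would read them from an MDM or EDR export.

```python
import re
from typing import Iterable

# Minimum Chrome version named in the Recommendations above.
RECOMMENDED_CHROME = "128.0.6613.84"
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints.

    Comparing raw strings is a classic mistake: '128.0.6613.9' sorts *after*
    '128.0.6613.84' lexicographically because '9' > '8'. Int tuples fix that.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"unrecognised Chrome version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_below(installed: str, minimum: str = RECOMMENDED_CHROME) -> bool:
    """True when the installed build is older than the recommended minimum."""
    return parse_version(installed) < parse_version(minimum)


def find_exposed(inventory: Iterable[dict]) -> list:
    """Return rows whose Chrome build is below the advisory minimum.

    Rows with an unparseable version are reported too: an unknown build
    cannot be assumed patched against the n-day exploits described above.
    """
    exposed = []
    for row in inventory:
        try:
            outdated = is_below(row["chrome_version"])
        except ValueError:
            exposed.append({**row, "reason": "unparseable version"})
            continue
        if outdated:
            exposed.append({**row, "reason": f"below {RECOMMENDED_CHROME}"})
    return exposed


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    {"host": "ws-001", "chrome_version": "128.0.6613.84"},   # exactly the minimum
    {"host": "ws-002", "chrome_version": "128.0.6613.9"},    # string compare would wrongly pass this
    {"host": "ws-003", "chrome_version": "124.0.6367.201"},  # well below the advisory minimum
    {"host": "ws-004", "chrome_version": "128.0.6613.120"},  # newer than the minimum
    {"host": "ws-005", "chrome_version": "unknown"},         # agent never reported a version
]
```

Running `find_exposed(SAMPLE_INVENTORY)` flags ws-002, ws-003 and ws-005; ws-002 is the case a naive string comparison would miss.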
Notes |
★★
|
Sent |
Yes |
Tags |
Malware
Tool
Vulnerability
Threat
Legislation
Mobile
Commercial
|
Stories |
APT 29
|