Google says Russian hackers using iOS, Chrome flaws to steal users' data – ET CISO
The Russian state-sponsored APT29 hacking group has been observed using the same iOS and Chrome on Android exploits created by commercial spyware vendors like NSO Group and Intellexa in a series of cyberattacks between November 2023 and July 2024.
“The campaigns first delivered an iOS WebKit exploit affecting iOS versions older than 16.6.1 and then later, a Chrome exploit chain against Android users running versions from m121 to m123,” said Google’s Threat Analysis Group (TAG).
Google’s TAG said the n-day flaws have already been patched but remain effective on devices that have not been updated.
Hackers are using watering hole tactics
Google says that APT29, also known as “Midnight Blizzard”, targeted multiple websites of the Mongolian government and employed “watering hole” tactics.
“We assess with moderate confidence the campaigns are linked to the Russian government-backed actor APT29. In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group,” it said.
A watering hole is a type of cyberattack where a legitimate site is compromised with malicious code designed to deliver payloads to visitors that meet specific criteria.
Why these attacks are dangerous
Google’s threat analysts note that APT29 has a long history of exploiting zero-day and n-day vulnerabilities. The hackers leveraged an iOS WebKit flaw for stealing browser cookies from iPhone users running iOS 16.6.1 and older.
TAG reports that this exploit was exactly the same as the one Intellexa used in September 2023, leveraging CVE-2023-41993 as a zero-day vulnerability at the time.
In a similar way, APT29 leveraged Google Chrome exploits to attack Android users visiting the compromised websites. The purpose was to steal cookies, passwords, and other sensitive data stored in the victims’ Chrome browser.
Since patches for these flaws are already available, iPhone and Android users are advised to install updates as soon as they can to protect their data.
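As an added defender-side example (not from the article or from Google TAG), the following script flags devices in an inventory that still fall inside the version ranges the article cites: iOS older than 16.6.1, as quoted from TAG, and Chrome on Android from m121 to m123. The inventory rows and platform labels are constructed for illustration.

```python
"""Fleet check against the n-day ranges described in the article.
Added example; the INVENTORY rows below are constructed, not real devices."""
from typing import List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'16.6.1' -> (16, 6, 1); tolerates a leading 'm' as in Chrome's m121 naming."""
    v = v.strip().lower().lstrip("m")
    return tuple(int(part) for part in v.split("."))

def ios_exposed(version: str) -> bool:
    """True for iOS builds older than 16.6.1 (the WebKit exploit's affected range).
    Tuple comparison handles short strings correctly: '16.6' is older than '16.6.1'."""
    return parse_version(version) < parse_version("16.6.1")

def android_chrome_exposed(version: str) -> bool:
    """True when the Chrome major version is 121 through 123 (the m121-m123 chain)."""
    major = parse_version(version)[0]
    return 121 <= major <= 123

# Constructed inventory rows: (device id, platform label, OS or browser version)
INVENTORY = [
    ("dev-1", "ios", "16.5.1"),
    ("dev-2", "ios", "16.6.1"),
    ("dev-3", "ios", "17.0"),
    ("dev-4", "android-chrome", "m121"),
    ("dev-5", "android-chrome", "123.0.6312.40"),
    ("dev-6", "android-chrome", "124.0.6367.54"),
]

def exposed_devices(inventory) -> List[str]:
    """Return the ids of devices still inside an exploitable version range."""
    hits = []
    for dev, platform, version in inventory:
        if platform == "ios" and ios_exposed(version):
            hits.append(dev)
        elif platform == "android-chrome" and android_chrome_exposed(version):
            hits.append(dev)
    return hits

if __name__ == "__main__":
    # Devices listed here should be prioritised for updates.
    print(exposed_devices(INVENTORY))
```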