fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Google Discloses Hacking Campaign Targeting Windows, Android Users

Google Discloses Hacking Campaign Targeting Windows, Android Users

Project Zero, Google’s 0day bug-hunting team, revealed a hacking campaign coordinated by “a highly sophisticated actor” and targeting Windows and Android users with zero-day and n-day exploits.

The Project Zero team, in collaboration with the Google Threat Analysis Group (TAG), discovered a watering hole attack using two exploit servers in early 2020, each of them using separate exploit chains to compromise potential targets.

“These exploit chains are designed for efficiency & flexibility through their modularity,” Project Zero said after analyzing them for several months.

“They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains.”

Project Zero researchers were able to collect a trove of information from the two exploit servers including:

  • Renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery.
  • Two sandbox escape exploits abusing three 0-day vulnerabilities in Windows.
  • A “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android.

One of the exploit server used in those hacking operation was used to target Windows users, while the other specifically attempt to compromise Android devices.

In both cases, the attackers made use of Chrome exploits to remotely execute malicious code on the targets’ devices remote code execution, zero-days for Windows devices, and n-day ones for Android.

While no Android zero-days were used in the Android exploit chain, “[b]ased on the actor’s sophistication, we think it’s likely that they had access to Android 0-days, but we didn’t discover any in our analysis,” Project Zero said.

Hacking campaign targeting Windows and Android devices with zero-days
Hacking campaign targeting Windows and Android devices (Google)

“Exploitation aside, the modularity of payloads, interchangeable exploitation chains, logging, targeting and maturity of this actor’s operation set these apart,” Project Zero added.

“We hope that by sharing this information publicly, we are continuing to close the knowledge gap between private exploitation (what well resourced exploitation teams are doing in the real world) and what is publicly known.”

The four zero-days exploited in these attacks and patched last year are:

  • CVE-2020-6418 – Chrome Vulnerability in TurboFan (fixed February 2020)
  • CVE-2020-0938 – Font Vulnerability on Windows (fixed April 2020)
  • CVE-2020-1020 – Font Vulnerability on Windows (fixed April 2020)
  • CVE-2020-1027 – Windows CSRSS Vulnerability (fixed April 2020)

All three Windows zero-days were addressed by Microsoft in the April 2020 Patch Tuesday, while the Chrome zero-day was patched by Google in February 2020 with the release of Chrome 80.0.3987.122 after discovering an exploit in the wild.

The Project Zero team also published separate reports about the Chrome “Infinity Bug” used to target Android users, the ChromeAndroid, and Windows exploit chains, as well as the post-exploitation procedure used on rooted and compromised Android devices, as observed in the attacks.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us