
In an analysis by Clement Lecigne and Josh Atkins of Google's Threat Analysis Group and Luke Jenkins of Mandiant, multiple in-the-wild attacks spanning a nine-month period have been attributed to a hacking group known as APT29, which has links to the Russian government.
The attacks targeted Android and iOS users with exploits against the Apple Safari and Google Chrome browsers. Here's what we know and how you can reduce the risk.
The Google TAG report, written by Clement Lecigne and published on August 29, revealed that the exploits deployed by the Russian state-sponsored APT29 group were the same ones previously used by commercial surveillance vendors.
Observed by Google and other security analysts between November 2023 and July 2024, the exploits were components of what is known as a watering hole attack. It is exactly what it sounds like: a cyberattack that reaches its victims by infecting a website or service they would normally use and trust, much as predators lie in wait near real watering holes for thirsty animals at their most vulnerable. "Watering hole attacks bypass traditional internet controls such as URL categorization filters," said Adam Maruyama, Garrison's chief technology officer, "because the site owner and the content selected by the human are legitimate, leaving only a few layers of protection between the end user's device and the malicious web code. ... prevent known exploits from even vulnerable."
The prey in these particular attacks were Mongolian government websites, although the same tactic can be applied to any targeted victim. State-sponsored groups such as APT29 tend to go for big game, so to speak: the commercial and government organizations whose compromise benefits their paymasters the most. The common denominator was that the victims were using the Safari browser on older versions of iOS (those before 16.6.1) at first, and later Android users running Chrome versions M121 to M123. It is worth noting that fixes had already been released for the vulnerabilities exploited in these attacks; users running unpatched versions, however, remained at risk.
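Because patches already existed, the defender's question is which clients in your own population were still exposed. The following script is an added example, not code from the article or from Google's report: it scans web server access logs in the common combined format and flags iOS Safari clients below 16.6.1 and Android Chrome clients on M121 through M123, the ranges the article names. The log lines are constructed, the IP addresses are documentation-range placeholders, and the user-agent patterns are assumptions about how these browsers identify themselves.

```python
import re
from typing import List, Optional, Tuple

# Version boundaries taken from the article: iOS builds older than 16.6.1 and
# Chrome M121-M123 on Android were the affected populations.
IOS_FIXED_IN = (16, 6, 1)
CHROME_AFFECTED_MAJORS = range(121, 124)  # 121, 122, 123 inclusive

# Assumed user-agent shapes: "(iPhone; CPU iPhone OS 16_5_1 like Mac OS X)",
# "(iPad; CPU OS 16_5 like Mac OS X)", and "Android ...) ... Chrome/122.0...".
IOS_RE = re.compile(
    r"\((?:iPhone|iPad); CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X\)"
)
CHROME_RE = re.compile(r"Android [^)]*\).*?Chrome/(\d+)\.")

# Combined log format: client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" \d{3} \S+ "[^"]*" "([^"]*)"')


def parse_ios_version(ua: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for an iOS Safari user agent, else None."""
    m = IOS_RE.search(ua)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def parse_android_chrome_major(ua: str) -> Optional[int]:
    """Return the Chrome major version for an Android Chrome user agent, else None."""
    m = CHROME_RE.search(ua)
    return int(m.group(1)) if m else None


def classify(ua: str) -> Optional[str]:
    """Label a user agent if it falls in one of the affected version ranges."""
    ios = parse_ios_version(ua)
    if ios is not None:
        if ios < IOS_FIXED_IN:  # tuple comparison handles 16.5.1 < 16.6.1 correctly
            return "ios-safari-unpatched " + ".".join(map(str, ios))
        return None
    major = parse_android_chrome_major(ua)
    if major is not None and major in CHROME_AFFECTED_MAJORS:
        return f"android-chrome-affected M{major}"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, label) for every log line whose client is in an affected range."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, _ts, _req, ua = m.groups()
        label = classify(ua)
        if label:
            findings.append((client, label))
    return findings


# Constructed sample log: two exposed clients, one patched iPhone, one desktop Chrome.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1"',
    '203.0.113.11 - - [10/Mar/2024:12:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"',
    '203.0.113.12 - - [10/Mar/2024:12:00:03 +0000] "GET /news HTTP/1.1" 200 8192 "-" '
    '"Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/122.0.6261.90 Mobile Safari/537.36"',
    '203.0.113.13 - - [10/Mar/2024:12:00:04 +0000] "GET /news HTTP/1.1" 200 8192 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/122.0.6261.90 Safari/537.36"',
]

if __name__ == "__main__":
    for client, label in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}")
```

Two caveats for real use: iPads on iPadOS 13 and later present a desktop Safari user agent, so this check undercounts them, and user agents are client-controlled, so treat the output as a patch-coverage signal to drive device management follow-up rather than as proof of compromise.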
The iOS exploit used the same cookie-stealing framework that had already been used in a 2012 attack by a Russian government-backed attacker, according to Lecigne, which went after authentication cookies for sites such as LinkedIn, Gmail and Facebook. "In this campaign," Lecigne said, "the attackers used LinkedIn messages to target government representatives of Western European countries by sending them malicious links." In the current campaign, the attackers used a compromised web page that checked whether the visitor was on an affected iPhone or iPad before serving the actual exploit.
The Chrome campaign against Android users followed a similar model, but required "an additional sandbox escape vulnerability to get out of Chrome site isolation," Lecigne said. Site isolation means that attackers have to chain several vulnerabilities to succeed, which, while not impossible, as this attack shows, demands more capability and resources. "Although the trend in the mobile space is towards complex exploitation chains," said Lecigne, "the iOS campaign is a clear reminder that a single vulnerability can inflict harm and succeed."
"Cybersecurity solutions need to be agile and constantly updated to keep pace with the evolving threat landscape," said a representative of SonicWall, "and companies need to be able to adapt and respond quickly to those threats."
Organizations should be looking at deploying measures such as hardware-enforced browser isolation, which moves code execution off the end user's device and into a sandboxed environment. "Putting the code execution in a sandbox ensures that the user has access to the information presented on the page," Maruyama said, "but is not exposed to malicious code presented when less-secure government websites are turned into watering holes."
In the meantime, end users should make sure their devices and the apps installed on them are up to date with the latest security patches.