Google: Russian SVR hackers targeted LinkedIn users with Safari zero-day

Google security researchers shared more information on four security vulnerabilities, also known as zero-days, unknown before they discovered them being exploited in the wild earlier this year.

The four security flaws were found by Google Threat Analysis Group (TAG) and Google Project Zero researchers after spotting exploits abusing zero-day in Google Chrome, Internet Explorer, and WebKit, the engine used by Apple’s Safari web browser.

The four zero-day exploits discovered by Google researchers earlier this year while being exploited in the wild targeted:

• CVE-2021-21166 and CVE-2021-30551 in Chrome,

• CVE-2021-33742 in Internet Explorer, and

• CVE-2021-1879 in WebKit (Safari).

Google also published root cause analysis for all four zero-days:

• CVE-2021-1879: Use-After-Free in QuickTimePluginReplacement
• CVE-2021-21166: Chrome Object Lifecycle Issue in Audio
• CVE-2021-30551: Chrome Type Confusion in V8
• CVE-2021-33742: Internet Explorer out-of-bounds write in MSHTML

“We tie three to a commercial surveillance vendor arming govt backed attackers and one to likely Russian APT,” Google Threat Analysis Group’s Director Shane Huntley said.

“Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020,” Google researchers added.

“While there is an increase in the number of 0-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend.”

WebKit zero-day exploited by Russian SVR hackers

While the Chrome and Internet Explorer zero-day exploits were developed and sold by the same vendor to customers worldwide who wanted to boost their surveillance capabilities, they were not used in any high-profile campaigns.

This can’t be said about the CVE-2021-1879 WebKit/Safari flaw, which, according to Google, was used via LinkedIn Messaging “to target government officials from western European countries by sending them malicious links.”

Google researchers said the attackers were part of a likely Russian government-backed actor abusing this zero-day to target iOS devices running older versions of iOS (12.4 through 13.7).

While Google didn’t link the exploit to a specific threat group, Microsoft says the culprit is Nobelium, the state-sponsored hacking group behind last year’s SolarWinds supply-chain attack that led to the compromise of several US federal agencies.

Cybersecurity company Volexity also linked the attacks to SVR operators based on tactics previously observed in attacks going back to 2018.

The United States government formally accused the Russian Foreign Intelligence Service (aka SVR) in April of carrying out “the broad-scope cyber espionage campaign” through its hacking division commonly known as APT29, The Dukes, or Cozy Bear.

According to Google, the end goal of the attacks was to “collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an attacker-controlled IP.”