One server targeted Windows users while the other targeted Android, said Project Zero, one of Google’s security teams that has recently launched its own initiative aimed at researching new ways to detect Zero-Day exploits in the wild.
“We discovered two exploit servers delivering different exploit chains via watering hole attacks,” Google said in an update on Tuesday.
“Both the Windows and the Android servers used Chrome exploits for the initial remote code execution. The exploits for Chrome and Windows included 0-days”.
Based on the actor’s sophistication, Google think it’s likely that they had access to Android 0-days, but it didn’t discover any in its analysis.
A watering hole attack is where an attacker observes which websites an organisation or people often use and infects one or more of them with malware.
“We hope that by sharing this information publicly, we are continuing to close the knowledge gap between private exploitation (what well resourced exploitation teams are doing in the real world) and what is publicly known,” Google said.
Overall, Google described the exploit chains as “designed for efficiency & flexibility through their modularity.”
“They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks,” the company elaborated.
“We believe that teams of experts have designed and developed these exploit chains.”