Russian APT29 Hackers Leverage Exploits Crafted by Commercial Spyware Vendors

August 29, 2024

The Russian APT29 hacking group, also known as 'Midnight Blizzard', has been spotted utilizing the same iOS and Android exploits crafted by commercial spyware vendors in a string of cyberattacks that occurred between November 2023 and July 2024. These findings were unearthed by Google's Threat Analysis Group (TAG). Although patches for these vulnerabilities have been released, they remain potent against devices that have not been updated.

APT29 focused its efforts on several Mongolian government websites, employing a strategy known as 'watering hole' attacks. In this type of cyberattack, a legitimate website is compromised and laden with malicious code designed to deliver payloads to visitors meeting certain criteria, such as device architecture or location.

Interestingly, the exploits used by APT29 were nearly identical to those employed by commercial surveillance vendors such as NSO Group and Intellexa. These vendors originally discovered and exploited the vulnerabilities as zero-days, before any patches were available. APT29 has a history of exploiting both zero-day and n-day vulnerabilities: in 2021, the group exploited CVE-2021-1879 against Eastern European government officials, delivering a cookie-stealing framework that targeted LinkedIn, Gmail, and Facebook accounts.

In November 2023, APT29 compromised Mongolian government sites 'mfa.gov.mn' and 'cabinet.gov.mn', installing a malicious iframe that delivered an exploit for CVE-2023-41993. This WebKit flaw was used by APT29 to steal browser cookies from iPhone users running iOS 16.6.1 or older. TAG reported that this exploit was the same as the one Intellexa used in September 2023, exploiting CVE-2023-41993 as a zero-day vulnerability.

In February 2024, APT29 compromised another Mongolian government website, 'mga.gov.mn', injecting a new iframe that delivered the same exploit. By July 2024, APT29 was using exploits for CVE-2024-5274 and CVE-2024-4671, two Google Chrome vulnerabilities, to attack Android users visiting 'mga.gov.mn' and 'adv.com'. The aim was to steal cookies, passwords, and other sensitive data stored in the victims' Chrome browser. The exploit for CVE-2024-5274 was a slightly altered version of the one NSO Group had used as a zero-day in May 2024, while the exploit for CVE-2024-4671 bore many similarities to Intellexa's earlier exploits.
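The watering-hole compromises above were carried out by planting an iframe in otherwise legitimate pages. As an added illustration (not code from the report or from Google TAG), the following site-integrity check parses a page and flags iframes whose origin is neither the site itself nor an explicitly allowed embed host; the HTML is constructed here and the suspicious hostname is a placeholder, not an indicator from the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page imitating an injected iframe. The hidden iframe's
# host is a placeholder (.invalid TLD), not an indicator from the report.
SAMPLE_HTML = """
<html><body>
<h1>Ministry news</h1>
<iframe src="https://maps.example.org/embed" width="300"></iframe>
<div>Press releases</div>
<iframe src="https://attacker-placeholder.invalid/landing" style="display:none"></iframe>
<iframe src="/local/widget.html"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def find_unexpected_iframes(html, site_host, allowed_hosts):
    """Return iframe srcs whose origin is neither the site's own host
    (relative or same-host URLs) nor one of the allowed embed hosts."""
    parser = IframeCollector()
    parser.feed(html)
    suspicious = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        # Relative URLs have no hostname and are served by the site itself.
        if host is None or host == site_host or host in allowed_hosts:
            continue
        suspicious.append(src)
    return suspicious


if __name__ == "__main__":
    # mfa.gov.mn is one of the compromised sites named in the report.
    for src in find_unexpected_iframes(SAMPLE_HTML, "mfa.gov.mn", {"maps.example.org"}):
        print("unexpected iframe:", src)
```

Running this periodically against a site's own pages, and diffing the result against a known-good baseline, surfaces injected frames of the kind used in these compromises regardless of which exploit they deliver.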

It remains unclear how APT29 obtained access to these exploits. It seems unlikely that they independently developed their own exploits with the limited information that was publicly available following the disclosure of these vulnerabilities. Possible explanations could include APT29 hacking spyware vendors, recruiting or bribing rogue insiders working at these firms, or maintaining a collaboration either directly or via an intermediary. Regardless of how these exploits reach advanced state-backed threat groups, the fact is that they do, highlighting the urgent need to address zero-day vulnerabilities labeled as 'under limited scope exploitation' in advisories.
