Hackers are still using vulnerabilities in the seven-year-old Internet Explorer 11 browser to go after targets, even as Microsoft plans to sunset the program in less than a year, researchers at Google’s Threat Analysis Group reported Wednesday.
The campaign largely targeted victims in Armenia. In April and June cybercriminals targeted Armenian users with the exploit, researchers found.
“This exploit was delivered via an Office document rather than via the Internet Explorer browser [graphical user interface],” explained Shane Huntley, director of Google’s Threat Analysis Group. “Even if a user was to uninstall Internet Explorer, the exploit would still work.”
Microsoft fixed the exploit in June.
The same surveillance group also cashed in with two vulnerabilities in Chrome over the past several months. They sent the exploits via email with links posing as legitimate websites. The links sent users targets to attacker-controlled domains that fingerprinted a user’s device and allowed hackers to determine if they would send the exploit. The vulnerability existed in code shared with Apple’s browser engine WebKit, making Safari also vulnerable. Apple fixed the vulnerability and it doesn’t appear any Safari users were affected.
A Citizen Lab report on Thursday tied the spyware to Candiru, an Israel-based spyware company the sells to governments. A related Microsoft investigation found at least 100 victims of the company’s spyware across countries including Palestine, Israel, Iran, the United Kingdom. Targets of the spyware included journalists, activists, politicians, dissidents and human rights workers.
In an unrelated campaign, attackers used LinkedIn Messaging to target government officials from western European countries by sending them malicious links. The hackers exploited a vulnerability in Safari to conduct the campaign.
Google believes the hackers behind the Safari zero-day are the same Russian hackers as those behind a widespread phishing campaign impersonating USAID employees reported by Microsoft in May. The campaigns are unrelated.
The four exploits comprise part of the major uptick of in-the-wild zero-day attacks Google researchers have identified this year. Just halfway into 2021 there have been 33 publicly disclosed zero-day exploits, 11 more than the total for all of 2020.
Researchers speculate the shift could be the result of increased detection and disclosure from vendors like Apple and Google. But it could also be in part to the growing commercial availability of zero-days, once the tool of select nation-states with major hacking expertise. The majority of exploits discovered by Google’s Threat Analysis Group in 2021 were developed and sold by commercial providers to government-backed cybercriminal groups, researchers noted.
“Attackers needing more [zero-day] exploits to maintain their capabilities is a good thing — and it reflects increased cost to the attackers from security measures that close known vulnerabilities,” Threat Analysis Group researchers Maddie Stone and Clement Lecigne wrote in a blog post. “However, the increasing demand for these capabilities and the ecosystem that supplies them is more of a challenge.”
Updated 7/16/2021: This story was updated with additional information on the spyware vendor responsible for the Microsoft and Chrome vulnerabilities.