Revealed: Sophisticated ‘Watering Hole’ Attack – But By Whom?

Google’s Project Zero revealed a novel, complex, well-engineered campaign of targeted attacks. It sounds like another one of those “nation-state” attacks that researchers love to bang on about. But was it?

It all happened about a year ago. So why are they only talking about it now?

There are more questions than answers. In today’s SB Blogwatch, we fill in the blanks.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A Driver’s Last Hello.

Project Zero Keeps Schtum

What’s the craic? Catalin Cimpanu reports—“Google reveals sophisticated Windows and Android hacking operation”:

 The attacks were carried out via two exploit servers delivering different exploit chains via watering hole attacks. … Both exploit servers used Google Chrome vulnerabilities to gain an initial foothold. … Once an initial entry point was established in the user’s browsers, attackers deployed an OS-level exploit to gain more control of the victim’s devices.

Overall, Google described the exploit chains as “designed for efficiency & flexibility [using] well-engineered, complex code with a variety of novel exploitation methods.” … But Google stopped short of providing any other details about the attackers or the type of victims.

A nation-state, perhaps? Dan Goodin adds—“Not your average hackers”:

 Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws). … It does show above-average skill by a professional team of hackers.

The attackers obtained remote code execution by exploiting the Chrome zero-day and several recently patched Chrome vulnerabilities. All of the zero-days were used against Windows users. None of the attack chains targeting Android devices exploited zero-days, but the Project Zero researchers said it’s likely the attackers had Android zero-days at their disposal.

Says who? Google’s anonymous Project Zero gnomes blog thuswise—“In-the-Wild”:

  Project Zero has recently launched our own initiative aimed at researching new ways to detect 0-day exploits…