The Russian-backed advanced persistent threat group Midnight Blizzard has been employing iOS and Android exploits developed by commercial spyware vendors in a series of cyberattacks from November 2023 to July 2024.
According to Google's Threat Analysis Group (TAG), the vendors have since patched the n-day vulnerabilities that made these exploits possible, but the campaign remains effective against devices that have not yet installed the updates. TAG reports that APT29, also tracked as "Midnight Blizzard", used "watering hole" techniques, compromising several Mongolian government websites.
A watering hole attack is one in which a legitimate website is seeded with malicious code that delivers a payload only to visitors matching chosen criteria, such as device type, browser version or location, so that the exploit is never served to casual visitors or scanners.
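Because the injected code is typically a hidden, off-site iframe or script, one practical triage check for a site owner is to scan served HTML for such elements. The scanner below is an added example, not code from the original article or from Google TAG; the sample HTML and the domain names in it are constructed placeholders.

```python
"""Scan page HTML for signs of a watering-hole injection.

Added example (not from the article or Google TAG). It flags <iframe> and
<script> elements whose src points off the site's own domain, and iframes
that are hidden (zero size or display:none), the pattern the article
describes on the compromised Mongolian government pages. Hidden or
off-site elements are not proof of compromise (analytics widgets look
similar), so treat findings as leads for manual review.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Collect iframe/script elements and judge whether each looks injected."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src:
            return
        reasons = []
        host = urlparse(src).hostname
        # A relative src (no host) is served by the site itself; treat as same-site.
        if host and not self._same_site(host):
            reasons.append(f"off-site src host {host}")
        if tag == "iframe" and self._is_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})

    def _same_site(self, host):
        host = host.lower()
        return host == self.site_host or host.endswith("." + self.site_host)

    @staticmethod
    def _is_hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            return True
        return a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0"


def scan_html(html, site_host):
    """Return a list of suspicious iframe/script findings for a page served by site_host."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample page: a same-site script, a same-site CDN script and one
# injected hidden iframe loading from an unrelated host. All names are placeholders.
SAMPLE_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example-gov.test/lib.js"></script>
<iframe src="https://track-adv.test/mobile-landing.html" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, "example-gov.test"):
        print(finding)
```

Run it against HTML fetched with the User-Agent strings of the targeted platforms (an older iOS Safari, an Android Chrome) as well as a desktop browser, since a watering hole serves the injection only to visitors that match its fingerprint and a desktop fetch may come back clean.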
Google TAG further notes that the APT29 exploits were identical or strikingly similar to those previously used by the commercial surveillance vendors NSO Group and Intellexa, which had originally developed and deployed them as zero-days, before any patch was available.
Midnight Blizzard has been highly active for several years, and investigations into its operations show that it has exploited both zero-day and n-day vulnerabilities throughout that period.
In 2021, the group used CVE-2021-1879, a WebKit vulnerability, as a zero-day against government officials in Europe, delivering cookie-stealing malware that captured authentication cookies for LinkedIn, Google and Facebook accounts.
In November 2023, the group compromised the Mongolian government websites ‘mfa.gov[.]mn’ and ‘cabinet.gov[.]mn’, injecting a hidden iframe that loaded an exploit for CVE-2023-41993.
CVE-2023-41993 is an iOS WebKit flaw that APT29 exploited to harvest browser cookies from iPhone users running iOS 16.6.1 and older. TAG noted that the exploit was identical to the one Intellexa had used in September 2023, when CVE-2023-41993 was still a zero-day.
In July 2024, the group deployed exploits for CVE-2024-5274 and CVE-2024-4671 in Google Chrome against Android users visiting ‘mfa.gov[.]mn’, aiming to steal cookies, passwords and other sensitive data saved in the victims' Chrome browser.
APT29 has proven a serious threat to Android and iOS users. Since the exploits in this campaign only work against devices that have not yet applied the available patches, users should install iOS and Chrome updates promptly and remain cautious about the sites they visit.
Source Credit: https://izoologic.com/