Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack


Cybersecurity researchers have identified multiple active exploit campaigns that leveraged previously patched vulnerabilities in Apple Safari and Google Chrome browsers to infect mobile devices with information-stealing malware.

“These campaigns utilized n-day exploits—vulnerabilities for which patches were available but still effective against unpatched devices,” explained Clement Lecigne, a researcher with Google’s Threat Analysis Group (TAG), in a report shared with The Hacker News.

The campaigns, which took place between November 2023 and July 2024, are particularly noteworthy for using watering hole attacks on Mongolian government websites, including cabinet.gov[.]mn and mfa.gov[.]mn, to deliver the exploits.

The attacks have been tentatively attributed to APT29 (also known as Midnight Blizzard), a Russian state-sponsored threat actor. The exploits used in these campaigns bear similarities to those previously linked to commercial surveillance vendors (CSVs) such as Intellexa and NSO Group, suggesting the possibility of exploit reuse.

The campaigns in November 2023 and February 2024 involved compromising the two Mongolian government websites to deliver an exploit for CVE-2023-41993 via a malicious iframe component linked to a domain controlled by the attackers.

According to Google, when these compromised sites were accessed using an iPhone or iPad, the iframe served a reconnaissance payload that performed validation checks before downloading and deploying a payload exploiting the WebKit vulnerability to steal browser cookies from the device.

This payload is part of a cookie-stealing framework that Google TAG previously linked to the exploitation of an iOS zero-day (CVE-2021-1879) in 2021. This framework was used to harvest authentication cookies from popular websites such as Google, Microsoft, LinkedIn, Facebook, Yahoo, GitHub, and Apple iCloud, sending them via WebSocket to an attacker-controlled IP address.

Google noted that for the cookie exfiltration to be successful, the victim needed to have an active session on these websites through Safari. During the 2021 campaign, attackers used LinkedIn messaging to target government officials in Western Europe by sending them malicious links.

The focus on the website “webmail.mfa.gov[.]mn” in the cookie stealer module indicates that Mongolian government employees were likely the primary targets of the iOS campaign.

In July 2024, the mfa.gov[.]mn website was compromised a third time, with JavaScript code injected to redirect Android users on Chrome to a malicious link. This link deployed an exploit chain combining the CVE-2024-5274 and CVE-2024-4671 vulnerabilities to deliver a browser information-stealing payload.
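Both intrusions on the Mongolian sites described above (the malicious iframe of November 2023 and February 2024, and the injected redirect JavaScript of July 2024) amount to foreign `<iframe>`/`<script>` tags appearing in a page the site owner did not author. As an added defender-side example (not code from the article or from Google TAG), the following Python script checks a page's HTML for such tags that load from an origin outside an allowlist, or that are hidden; the allowlisted host, the attacker domain and the sample page are constructed for illustration.

```python
# Added example: a site-integrity check for injected external iframes/scripts.
# Hostnames and the sample page below are constructed, not taken from the article.
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalLoadFinder(HTMLParser):
    """Collect src attributes of iframe/script tags and note hidden iframes."""

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (tag, src, hidden)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        # Watering-hole iframes are typically sized to 0x0 or styled invisible.
        hidden = tag == "iframe" and (
            a.get("width") == "0" or a.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)
        self.loads.append((tag, src, hidden))


def find_suspicious_loads(html, allowed_hosts):
    """Return loads whose host is outside allowed_hosts, plus any hidden iframe.
    Relative URLs (no host) are treated as same-origin and not flagged unless hidden."""
    parser = ExternalLoadFinder()
    parser.feed(html)
    findings = []
    for tag, src, hidden in parser.loads:
        host = urlparse(src).hostname  # None for relative URLs
        if (host and host not in allowed_hosts) or hidden:
            findings.append({"tag": tag, "src": src, "hidden": hidden})
    return findings


# Constructed sample page: one legitimate CDN script, one injected hidden iframe.
SAMPLE_PAGE = """<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example-gov.invalid/lib.js"></script>
<iframe src="https://attacker.invalid/recon.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_loads(SAMPLE_PAGE, {"cdn.example-gov.invalid"}):
        print(finding)
```

Run periodically against a fetched copy of each public page and alert on any new finding; the first-party allowlist must be maintained as the site's legitimate third-party dependencies change.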
