
Google’s Threat Analysis Group (TAG) has found that the Russian government-backed group APT29 targeted Mongolian government websites using exploits strikingly similar to those developed by the commercial spyware vendors Intellexa and NSO Group.
The campaign was a watering hole attack that ran between November 2023 and July 2024. The attackers compromised the cabinet.gov.mn and mfa.gov.mn websites and injected hidden iframes into their pages; the iframes redirected visitors to attacker-controlled sites, where the exploits ran and stole user data, including browser cookies, from iOS and Android devices.
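The iframe injection described above is the part of the attack a site operator can check for directly. The following is an added example, not Google TAG's tooling and not anything recovered from the compromised sites: it scans a page's HTML for iframes that look injected, meaning frames whose source is on a different host than the page, or that are hidden by style, size or the `hidden` attribute. The sample page, the hostnames and the site host passed to the scanner are all constructed for the example.

```python
# Added example (not Google TAG tooling): flag iframes in a page that look injected.
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_HINTS = ("display:none", "visibility:hidden", "opacity:0")


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names
            # A bare attribute such as <iframe hidden> arrives with value None.
            self.iframes.append({name.lower(): (value or "") for name, value in attrs})


def _is_tiny(value):
    """True for sizes like '0', '0px' or '1px' that make a frame invisible."""
    digits = value.strip().lower().rstrip("px").rstrip("%").strip()
    return digits.isdigit() and int(digits) <= 1


def find_suspicious_iframes(html, site_host):
    """Return iframes that point off-origin or are visually hidden.

    site_host is the hostname of the page being scanned; any absolute src on a
    different host counts as off-origin. Relative or same-host frames are only
    reported if they are hidden, so this catches the redirect pattern described
    in the report, not every possible injection.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != site_host.lower():
            reasons.append("off-origin src")
        style = attrs.get("style", "").replace(" ", "").lower()
        if any(hint in style for hint in HIDDEN_STYLE_HINTS):
            reasons.append("hidden via style")
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("zero-size frame")
        if "hidden" in attrs:
            reasons.append("hidden attribute")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate embed and one injected, hidden frame.
SAMPLE_HTML = """
<html><body>
<h1>Ministry news</h1>
<iframe src="https://www.example.gov/embed/video" width="640" height="360"></iframe>
<iframe src="https://cdn-updates.example.net/x.html" width="0" height="0"
        style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.example.gov"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run it against a saved copy of each page on the site (or against a crawl) and review every hit; a legitimate third-party embed will show up as off-origin too, so the output is a shortlist for a human, not a verdict. Injected frames that are same-origin and visible are out of scope for this check and need a diff against a known-good copy of the page.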
The exploits used by APT29 closely resemble ones previously used by Intellexa (a Greece-based surveillance vendor) and NSO Group (an Israeli spyware vendor). This suggests that APT29 may have acquired them through the commercial spyware market, although how the group obtained them is not known.
The vulnerabilities used in these attacks had already been patched by the time they were exploited, so these were n-day exploits that affected only devices that had not been updated; keeping iOS and Chrome current would have blocked both chains. The campaign targeted iOS and Android devices in two phases:
The first phase delivered an iOS WebKit exploit affecting iPhones running iOS versions older than 16.6.1. The exploit, which targeted the vulnerability tracked as CVE-2023-41993, was identical to one previously used by Intellexa. Its payload was a cookie stealer that collected authentication cookies for a range of websites, including Gmail, LinkedIn, and Facebook.
In the later phase, in July 2024, the attackers shifted their focus to Android users, exploiting a chain of Google Chrome vulnerabilities to steal sensitive browser data: cookies, saved passwords, browsing history, and stored credit card details.
The Android attacks targeted Chrome versions m121 to m123. The attackers chained two already-patched vulnerabilities, CVE-2024-5274 (a V8 type confusion used to gain code execution in the renderer) and CVE-2024-4671 (used to escape Chrome’s sandbox).
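The two version windows above, iPhones on iOS older than 16.6.1 and Android Chrome m121 to m123, are what a site operator or incident responder would check web logs against to find visitors who were in scope for each phase. The following is an added example, not part of the original report: it parses user-agent strings out of combined-log-format lines and classifies each visitor by phase. The log lines are constructed, and the user-agent field is assumed to be the last quoted field on each line, as in the default Apache and nginx formats.

```python
# Added example (not from the original report): triage web-log user agents against
# the version windows the campaign targeted. Log lines below are constructed.
import re

IOS_FIXED = (16, 6, 1)             # iPhones below this were exposed to the WebKit exploit
CHROME_TARGETED = range(121, 124)  # Chrome m121..m123 on Android

# On iOS every browser (Safari, Chrome "CriOS", ...) uses the system WebKit, so
# the iOS check keys off the OS version rather than the browser name.
_IOS_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")
_CHROME_RE = re.compile(r"Chrome/(\d+)\.")
_UA_FIELD_RE = re.compile(r'"([^"]*)"\s*$')  # last quoted field in combined log format


def ios_version(ua):
    """Parse the iPhone OS version triple from a UA string, or None."""
    m = _IOS_RE.search(ua)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def chrome_major(ua):
    """Return the Chrome major version (the 'm' number) from a UA, or None."""
    m = _CHROME_RE.search(ua)
    return int(m.group(1)) if m else None


def exposure(ua):
    """Which campaign phase a visitor with this UA was in scope for, or None."""
    ios = ios_version(ua)
    if ios is not None and ios < IOS_FIXED:
        return "ios-webkit"
    if "Android" in ua and chrome_major(ua) in CHROME_TARGETED:
        return "android-chrome"
    return None


def triage_log(lines):
    """Count visitors per phase from combined-log-format lines."""
    counts = {"ios-webkit": 0, "android-chrome": 0, "other": 0}
    for line in lines:
        m = _UA_FIELD_RE.search(line)
        ua = m.group(1) if m else ""
        counts[exposure(ua) or "other"] += 1
    return counts


# Constructed sample log: one exposed iPhone, one patched iPhone, one exposed
# Android Chrome, one newer Android Chrome, one desktop Chrome.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Feb/2024:10:00:01 +0800] "GET /news HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1"',
    '203.0.113.11 - - [12/Feb/2024:10:00:07 +0800] "GET /news HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"',
    '203.0.113.12 - - [03/Jul/2024:09:15:42 +0800] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/122.0.6261.64 Mobile Safari/537.36"',
    '203.0.113.13 - - [03/Jul/2024:09:16:10 +0800] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Linux; Android 14; SM-S918B) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/126.0.6478.71 Mobile Safari/537.36"',
    '203.0.113.14 - - [03/Jul/2024:09:17:03 +0800] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/122.0.6261.94 Safari/537.36"',
]

if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG))
```

Two caveats apply when using this for real: user-agent strings are self-reported and some clients trim or spoof them, so a visitor classified as "other" is not necessarily safe; and a visitor in a targeted window only tells you they could have been served the exploit, not that they were. Use the output to decide whose devices get a closer look (and a credential and session reset, given the cookie theft), not as proof of compromise.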
Google has added the identified websites and domains to its Safe Browsing service, notified Apple and the Google Chrome team about the campaigns, and informed the Mongolian CERT so that the compromised websites can be remediated.