Russian APT29 hackers leverage iOS and Chrome exploits developed by spyware vendors

30 Aug 2024



Cybersecurity researchers have identified several active exploit campaigns targeting mobile users through previously patched vulnerabilities in Apple Safari and Google Chrome browsers. Despite patches being available, these “n-day” exploits remained effective against devices that hadn’t been updated, according to a report from Clement Lecigne, a researcher at Google’s Threat Analysis Group (TAG), shared with The Hacker News.

These campaigns, occurring between November 2023 and July 2024, employed a watering hole attack on Mongolian government websites, specifically cabinet.gov[.]mn and mfa.gov[.]mn, to deliver the exploits. The attacks are believed to be linked to APT29, a Russian state-backed threat group also known as Midnight Blizzard. The tools and techniques used in these campaigns share similarities with those associated with commercial surveillance vendors like Intellexa and NSO Group, indicating a possible reuse of exploits.

The targeted vulnerabilities include:

• CVE-2023-41993: A WebKit vulnerability allowing arbitrary code execution through crafted web content, patched by Apple in iOS 16.7 and Safari 16.6.1 in September 2023.
• CVE-2024-4671: A use-after-free flaw in Chrome’s Visuals component, allowing arbitrary code execution, patched by Google in Chrome version 124.0.6367.201/.202 in May 2024.
• CVE-2024-5274: A type confusion flaw in Chrome’s V8 engine, enabling arbitrary code execution, patched by Google in Chrome version 125.0.6422.112/.113 in May 2024.
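A fleet check built from the fix versions quoted above, as an added example that is not part of the original article or Google TAG's report. It assumes the lower of the two Chrome builds listed for each CVE is the minimum patched build, and takes the iOS and Safari fix versions exactly as the article states them.

```python
"""Report which of the article's n-day CVEs a browser build still lacks a fix for."""
import re
from typing import Dict, List, Tuple

# Fix versions as quoted in the article. For Chrome, the lower of the two
# builds listed (e.g. .201 of ".201/.202") is taken as the minimum patched
# build; this is an assumption, not something the article states.
FIXED_IN: Dict[str, Dict[str, str]] = {
    "CVE-2023-41993": {"ios": "16.7", "safari": "16.6.1"},
    "CVE-2024-4671": {"chrome": "124.0.6367.201"},
    "CVE-2024-5274": {"chrome": "125.0.6422.112"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '124.0.6367.201' into (124, 0, 6367, 201); reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_older(installed: str, fixed: str) -> bool:
    """True when `installed` predates `fixed`; shorter tuples are padded with
    zeros so '16.7' and '16.7.0' compare equal."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def exposed_cves(product: str, installed: str) -> List[str]:
    """CVEs from the table above that `product` at `installed` is still missing.
    Only a single fix version per product is modelled; separate fix releases
    on other major-version branches are not."""
    product = product.lower()
    return sorted(cve for cve, fixes in FIXED_IN.items()
                  if product in fixes and is_older(installed, fixes[product]))


if __name__ == "__main__":
    # Constructed sample inventory of (host, product, version) for illustration.
    inventory = [("phone-01", "ios", "16.6.1"), ("phone-02", "ios", "16.7"),
                 ("android-07", "chrome", "124.0.6367.118"),
                 ("android-09", "chrome", "125.0.6422.112")]
    for host, product, version in inventory:
        missing = exposed_cves(product, version)
        print(f"{host}: {product} {version} -> {missing or 'no listed CVEs outstanding'}")
```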

In November 2023 and February 2024, the attackers compromised the Mongolian government websites to exploit CVE-2023-41993, using a malicious iframe to deliver reconnaissance payloads to iPhone and iPad devices. These payloads validated the device and, if the check passed, deployed a WebKit exploit to steal browser cookies. This cookie-stealer framework, similar to one used in 2021, targeted authentication cookies from major websites such as Google, Microsoft, and Apple, sending them to an attacker-controlled server. The focus on “webmail.mfa.gov[.]mn” suggests Mongolian government officials were the primary targets.

In July 2024, the mfa.gov[.]mn site was compromised again, this time to target Android users with a malicious link that exploited the CVE-2024-5274 and CVE-2024-4671 flaws. This attack chain bypassed Chrome’s site isolation protections, deploying malware that stole cookies, passwords, credit card details, and browser history. The final payload also deleted Chrome crash reports and exfiltrated Chrome databases to a malicious server.

Google TAG noted that the exploits used in these attacks share code with those previously linked to Intellexa and NSO Group, raising the possibility that these nation-state actors obtained the exploits from a vulnerability broker who originally sold them as zero-days. The findings underscore the ongoing risk of watering hole attacks, which can effectively target users who visit compromised sites regularly, even on mobile devices. These attacks continue to be a potent method for deploying n-day exploits against unpatched systems.