Threat actor went through 11 zero-days in a year

Security researchers from Google have published details on seven more in-the-wild exploits from the same expert threat actor who had in February 2020 launched attacks with three zero-day bugs.

Maddie Stone from Google's Project Zero team of security researchers said the new and unknown vulnerabilities were discovered in October last year.

They were delivered through watering hole attacks, in which threat actors work out which websites targets frequent and then compromise these.

Stone said the servers were found after Project Zero discovered that the threat actor behind the February 2020 campaign returned with a couple of dozen websites that redirected to an exploit server.

Project Zero did not disclose who was targeted in the attacks, or the domains used.

Two exploit servers were used, with web browser renderer remote code execution zero-days.

One server targetted the Safari web browser on Apple's iOS mobile operating system, as well as Google's Chrome on Windows and Android.

The second exploit server attempted to exploit Chrome and the Samsung Browser on Android.

Project Zero managed to collect one full exploit chain using Google Chrome, for fully patched Windows 10.

The security researchers were also able to gather two partial attack chains against fully patched Android 10 devices, using Google Chrime and the Samsung Browser, and a remote code execution zero-day for Apple iOS versions 11 to 13.

Stone said the seven zero-days covered a broad spectrum of bugs, exploiting vulnerabilities in the Just-In-Time (JIT) render to novel font handling flaws, and were obfuscated and time-consuming to figure out.

"Overall, each of these exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited," Stone said.