I’ve been reading some more about Google Project Zero’s “In-the-Wild Series”. Yesterday there was a great article in ZDNet by Catalin Cimpanu about their recent findings, which involved a sophisticated hacking scheme that daisy-chained vulnerabilities, including 0-days, together (yes, think Stuxnet) from Chrome, Windows and Android to target both Windows and Android devices. The operation involved two exploit servers, two sets of these vulnerability chains, and watering hole attacks. Very, very clever work that is modular, flexible, efficient and designed to escape sandboxes. When you’re dealing with a highly resourced and skilled adversary, typically backed by a nation-state, you’re looking at something like this.

While you probably won’t see this coming (just ask anyone caught up in the SolarWinds attack), you can apply the lessons we’ve been learning over cumulative attacks to look past the standard checklist, and past what you expect to find, and go hunt for recent changes to registry keys, renamed files, and processes running from places they shouldn’t.
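As an added example (not from the original post, and not Project Zero’s tooling), here is a first-pass Windows hunt for the three artefacts just mentioned: persistence-related registry keys written recently, executables that were recently dropped or whose embedded OriginalFilename does not match their on-disk name (a common sign of a renamed binary), and running processes whose image lives in a user-writable directory. It assumes PowerShell 5.1 or later and the ability to call `RegQueryInfoKey` from advapi32 via `Add-Type`, because PowerShell’s registry provider does not expose a key’s last-write time; the `$Days` window and the directory list are illustrative choices, not values from the post.

```powershell
# Added hunting example, not code from the original post or from Project Zero.
# Assumes PowerShell 5.1+ on Windows; run elevated to see HKLM and all processes.
param([int]$Days = 7)   # look-back window; an assumption, tune to your environment

$since    = (Get-Date).AddDays(-$Days)
$sinceUtc = $since.ToUniversalTime()

# --- 1. Registry keys written recently ------------------------------------
# RegQueryInfoKey returns the key's last-write FILETIME; PowerShell does not surface it.
Add-Type -Namespace Hunt -Name Reg -MemberDefinition @'
[DllImport("advapi32.dll")]
public static extern int RegQueryInfoKey(IntPtr hKey, IntPtr lpClass, IntPtr lpcbClass,
    IntPtr lpReserved, out uint subKeys, out uint maxSubKeyLen, out uint maxClassLen,
    out uint values, out uint maxValueNameLen, out uint maxValueLen,
    out uint secDescLen, out long lastWriteTime);
'@

function Get-RegKeyLastWriteUtc([Microsoft.Win32.RegistryKey]$Key) {
    $a = $b = $c = $d = $e = $f = $g = [uint32]0
    $ft = [long]0
    $rc = [Hunt.Reg]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [ref]$a, [ref]$b, [ref]$c, [ref]$d, [ref]$e, [ref]$f, [ref]$g, [ref]$ft)
    if ($rc -ne 0) { return $null }
    [DateTime]::FromFileTimeUtc($ft)
}

# Common autostart and service locations (not exhaustive; extend with your own list).
$persistKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

"== Registry keys written since $since (UTC shown) =="
foreach ($path in $persistKeys) {
    if (-not (Test-Path $path)) { continue }
    # The key itself plus its immediate subkeys (each service is a subkey of Services).
    $keys = @(Get-Item $path) + @(Get-ChildItem $path -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        $t = Get-RegKeyLastWriteUtc $k
        if ($t -and $t -gt $sinceUtc) {
            [pscustomobject]@{ Key = $k.Name; LastWriteUtc = $t }
        }
    }
}

# --- 2. Recently dropped or renamed executables ----------------------------
# User-writable locations where dropped payloads typically land (illustrative list).
$dirs = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:PUBLIC, 'C:\ProgramData') |
    Where-Object { $_ -and (Test-Path $_) }

"== Executables created or written since $since in user-writable paths =="
Get-ChildItem $dirs -Recurse -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $since -or $_.LastWriteTime -gt $since } |
    Select-Object FullName, CreationTime, LastWriteTime

"== Executables whose on-disk name differs from their embedded OriginalFilename =="
# NTFS keeps no rename timestamp, so compare the name to the PE version resource instead.
Get-ChildItem $dirs -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Where-Object {
        $orig = $_.VersionInfo.OriginalFilename -replace '\.mui$', ''   # ignore MUI suffix noise
        $orig -and ($orig -ine $_.Name)
    } |
    Select-Object FullName, @{ n = 'OriginalFilename'; e = { $_.VersionInfo.OriginalFilename } }

# --- 3. Processes running from user-writable paths, with their parent -------
"== Processes whose image is under a user-writable directory =="
$procs = Get-CimInstance Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
foreach ($p in $procs) {
    $img = $p.ExecutablePath
    if (-not $img) { continue }
    $suspect = $false
    foreach ($d in $dirs) {
        if ($img.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $suspect = $true }
    }
    if ($suspect) {
        $parent = $byId[[int]$p.ParentProcessId]
        [pscustomobject]@{
            ProcessId = $p.ProcessId
            Image     = $img
            Parent    = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '(exited)' }
        }
    }
}
```

Treat every hit as a lead, not a verdict: legitimate installers write Run keys, some vendors ship binaries whose OriginalFilename differs from the shipped name, and updaters run from AppData. The value is in diffing these lists against a known-good baseline from the same host, and in pivoting from a suspicious entry to its parent process, its signer and its first-seen time rather than stopping at the checklist.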
Huge kudos and appreciation to the team hard at work discovering things that go bump in the night including Maddie Stone, Mark Brand, Sergei Glazunov, and @j00ru.