Commercial Spyware Vendors Have a Copycat in Top Russian APT

Publicated : 23/11/2024   Category : security




Russia's Midnight Blizzard infected Mongolian government websites to try to compromise the devices of visitors, using watering-hole tactics.



Multiple exploit campaigns linked to a Russian-backed threat actor (variously known as APT29, Cozy Bear, and Midnight Blizzard) were discovered delivering n-day mobile exploits that commercial spyware vendors have used before. According to Google's Threat Analysis Group (TAG), the exploit campaigns were delivered from a watering-hole attack on Mongolian government websites, and each one is identical to exploits previously used by the commercial surveillance vendors (CSVs) Intellexa and NSO Group. That suggests, as the researchers at Google TAG note, that the authors and/or providers are the same.
In the watering-hole attacks, the threat actors infected two websites, cabinet.gov[.]mn and mfa.gov[.]mn, which belong to Mongolia's Cabinet and Ministry of Foreign Affairs. They then injected code to exploit known flaws in iOS and in Chrome on Android, with the ultimate goal of hijacking website visitors' devices.
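A watering-hole compromise of the kind described above shows up on the server side as script content the site's owners never published. The following added example (not code from the article or from Google TAG) shows one defensive check a site operator can run: parse a page, record the hosts its external scripts load from and the hashes of its inline scripts as a baseline, then audit later snapshots against that baseline. The HTML, the `www.example.gov` page host and the `injected-host.invalid` script origin are constructed for illustration.

```python
"""Audit a web page's <script> tags against a known-good baseline.

Added example for detecting injected scripts on a monitored site; all
sample HTML and host names below are constructed, not taken from the
campaigns the article describes.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and SHA-256 hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []        # src attribute of every <script src=...>
        self.inline_hashes = []   # sha256 of every inline <script> body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())
            self._in_script = False


def _script_host(src, page_host):
    # A relative or root-relative src is served from the page's own host.
    return urlparse(src).netloc.lower() or page_host.lower()


def baseline_from(html, page_host):
    """Build (allowed_hosts, known_inline_hashes) from a known-good snapshot."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    hosts = {_script_host(s, page_host) for s in p.external}
    hosts.add(page_host.lower())
    return hosts, set(p.inline_hashes)


def audit_page(html, page_host, allowed_hosts, known_inline_hashes):
    """Return one finding per script that is not covered by the baseline."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:
        host = _script_host(src, page_host)
        if host not in allowed_hosts:
            findings.append(f"unexpected external script host {host} ({src})")
    for h in p.inline_hashes:
        if h not in known_inline_hashes:
            findings.append(f"unknown inline script sha256={h}")
    return findings


# Constructed sample pages: a clean snapshot and the same page with two
# injected <script> tags appended before </body>.
PAGE_HOST = "www.example.gov"
BASELINE_HTML = (
    '<html><head><script src="/static/app.js"></script>'
    '<script>var site = "gov-portal";</script></head>'
    "<body>Welcome</body></html>"
)
COMPROMISED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="https://injected-host.invalid/loader.js"></script>'
    '<script>fetch("/stage2");</script></body>',
)

if __name__ == "__main__":
    hosts, hashes = baseline_from(BASELINE_HTML, PAGE_HOST)
    for finding in audit_page(COMPROMISED_HTML, PAGE_HOST, hosts, hashes):
        print("ALERT:", finding)
```

Run against periodic snapshots of each public page, the check flags both a new third-party script host and a changed or added inline script; a clean snapshot produces no findings. Legitimate changes are handled by regenerating the baseline after a reviewed deployment.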
The campaigns popped up on three separate occasions, one of which occurred at the end of last year, and the latest just a month ago. Two of the campaigns delivered an iOS exploit through a vulnerability tracked as CVE-2023-41993 that recently had been patched, but not before being exploited by Intellexa and NSO Group.
"We do not know how the attackers acquired these exploits," said the researchers. "What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs. It should be noted that outside of common exploit usage, the recent watering hole campaigns otherwise differed in their approaches to delivery and second-stage objectives."
The researchers go on to add that though there are still outstanding questions as to how the exploits were acquired, this does highlight how exploits developed first by the commercial surveillance industry become even more of a threat as threat actors come across them.





