In a Google TAG report, Clement Lecigne and Josh Atkins from Google’s Threat Analysis Group, and Luke Jenkins from Mandiant, found that a group of hackers, called APT29, was behind several real-world attacks. These hackers went after people using both Android and iPhones and targeted the Apple Safari and Google Chrome browsers.1
Now, here’s what we know and how you can protect yourself and your organization from becoming their next target.
APT29’s Sneaky Cyber Tactics
On August 29, Google’s TAG report found that the Russian hacking group APT29 was using the same or very similar spyware exploits and tactics as those used by commercial surveillance vendors (CSVs) such as Intellexa and NSO Group.
Timeline of Exploitation. Courtesy: Google TAG report
From November 2023 to July 2024, security experts from Google and Mandiant noticed these attacks. They were part of what’s called a “watering hole attack.” It’s just like it sounds—hackers use malicious code to compromise websites or services you trust, waiting for you to visit. It’s like setting a trap along a familiar path knowing that unsuspecting travelers will eventually walk into it.
In this cyberattack, the hackers used commercial spyware from Intellexa, a Greek company that is based in Cyprus. The US government had already put sanctions on Intellexa in March for “misuse of surveillance tools.”
This spyware from Intellexa has been involved in attacks in several countries, such as Ireland, Vietnam, and the US.
APT29, also known as Cozy Bear or Group 100, is believed to be a hacking group linked to Russia’s foreign intelligence agency, the SVR. The group was found planting its hacking tools on Mongolian government websites, indicating an attempt to spy on the Mongolian government.
Updates To Fix Cyberattack Issues Are Now Available
The good news is that if you’ve installed the latest updates for Apple iOS, Safari, and Google Chrome, most of the issues caused by this attack have been fixed.
According to Google’s Threat Analysis Group, the issues affecting iPhone and iPad users were fixed in September 2023 with updates to iOS 16.7 and Safari 16.6.1.
For Android users and those using Google Chrome, the issues were fixed by May 2024 with Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux.
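A quick way to turn the fixed-version numbers above into a fleet check, as an added example that is not part of the original article or the Google TAG report: it compares installed Chrome, iOS and Safari versions against the thresholds the article cites (Chrome 124.0.6367.201, iOS 16.7, Safari 16.6.1). The inventory is constructed sample data; the comparison is numeric per component because a plain string comparison would wrongly rank build .99 above build .201.

```python
# Added example: check installed browser/OS versions against the fix
# thresholds cited in the article (Chrome 124.0.6367.201, iOS 16.7,
# Safari 16.6.1). Versions are compared numerically, component by
# component; comparing strings would rank "124.0.6367.99" above ".201".
from typing import Dict, List, Tuple

# Minimum versions at which the article says the exploited issues were fixed.
FIXED_VERSIONS = {
    "chrome": "124.0.6367.201",
    "ios": "16.7",
    "safari": "16.6.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '124.0.6367.201' into (124, 0, 6367, 201) for numeric comparison."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, installed: str) -> bool:
    """True if the installed version is at or above the fixed version.

    Shorter tuples are zero-padded so '16.7' compares equal to '16.7.0'.
    """
    fixed = parse_version(FIXED_VERSIONS[product.lower()])
    have = parse_version(installed)
    width = max(len(fixed), len(have))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(have) >= pad(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the products in an inventory that still need the update."""
    return [name for name, ver in inventory.items() if not is_patched(name, ver)]


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {"chrome": "124.0.6367.99", "ios": "16.7.2", "safari": "16.5.2"}
    print("needs update:", triage(sample))
```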
Risks of Exploits & Watering Hole Attacks
While we don’t know exactly how the suspected APT29 hackers acquired these exploits, the Google TAG report shows how dangerous tools from the commercial surveillance industry can end up in the hands of cybercriminals.
Watering hole attacks are still a big threat, especially on mobile devices. These attacks can be especially dangerous if people are using outdated browsers.
The researchers shared their findings to help raise awareness and improve security for everyone. They also advised end users to add any risky websites and domains to Safe Browsing for protection from further attacks.
Like the 2Secure team, the researchers strongly recommend that you and your organization “apply patches quickly and keep software fully up-to-date.”
FAQ
Why Do I Keep Getting Warnings From Google Chrome?
You might keep getting warnings from Google Chrome because it’s detecting security risks or unsafe sites. Chrome issues these warnings to protect you from phishing, malware, or other threats. Make sure your browser is updated, steer clear of suspicious sites, and consider running a security scan to keep your device safe.
What Happens If You Get A Google Or Safari Warning?
If you get a warning from Google or Safari, do not click through the warning, and stay away from the site. Follow any instructions provided to protect your device and personal information.
How Can You Stay Safe While Browsing With Google Chrome Or Safari?
To stay safe on Google Chrome or Safari, keep your browser updated, use strong passwords, and be cautious of suspicious links. Install security extensions and check for updates regularly. 2Secure advises patching software by downloading updates from the developer’s website or your system’s update feature.
Source:
- Lecigne, C. (2024, August 29). State-backed attackers and commercial surveillance vendors repeatedly use the same exploits. Google Threat Analysis Group. https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/