From Operation Aurora to APT29: Web Browsers Killchain

Introduction

In recent years, a growing number of end-user device compromises have gone through the target's browser. Historically, one of the first widely documented attacks of this type was Operation Aurora, which exploited Internet Explorer in December 2009 and January 2010 (Walker, 2022; NVD, 2010). As described by Kurtz (2010):

These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer.

In this case, attacking the browser served to establish a bridgehead in the target's network (Kurtz, 2010). According to Marczak (2019), the same approach is also used when the objective is to exfiltrate data from an end-user device, such as a mobile phone, and is frequent in intelligence operations.

Considerations

Focusing on the link scenario described by Kurtz (2010), the kill chain involves sending a link via messaging, email, or other means, using Social Engineering to push the target to click on it (hence the term 1-click attack), and then exploiting the browser.

As the entry for CVE-2010-0249 describes it (NVD, 2010):

Use-after-free vulnerability [...] allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka "HTML Object Memory Corruption Vulnerability."

Taking a step back in the chain to the Reconnaissance Phase, it is important to note the use of Social Engineering to nudge the target to click, exploiting human nature by creating a specific context (Mitnick & Simon, 2003) or by registering domains that impersonate legitimate organizations (Scott-Railton, 2024).

The Weaponization Phase is when the attacker prepares the link for the target, which can be done in several ways. It is technically useful to consider, on the one hand, the choice of domain, which should be consistent with the pretext, and, on the other hand, the potential abuse of a web server trusted by the target (via its own vulnerabilities) or of advertising banners, as Naraine (2010) reports, quoting Microsoft's advisory (MSRC, 2010):

To exploit, an attacker could host a specially crafted Web site, or take advantage of a compromised website, and then convince a user to view the Web site. In all cases, however, an attacker would have no way to force users to visit these malicious Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message, that directs users to the attacker's Web site. It could also be possible to display specially crafted Web content using banner advertisements or other methods to deliver Web content to affected systems.

Then we have the Delivery Phase, described by Farrow (2022), where the "evidence of attacks that take varied forms: some arrive through WhatsApp or as S.M.S. messages that seem to come from known contacts; some require a click on a link".

Lecigne (2024) describes in detail an interesting Exploitation Phase used in a watering hole scenario. It starts by collecting information from the device with a profiling framework that draws a canvas to identify the target's exact device model. It then sends back the browser information accessible from JavaScript, including screen sizes, number of CPUs, the brand property from client hints, GPU information, and properties of window.navigator, both to make sure the visitor is a real browser on a real device and to serve the correct exploit. The next step can be to steal the session cookies after defeating the Same-Origin Policy, which shows that the policy is a security boundary an attacker must actively break, not only a privacy feature.
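The profiling step above is easier to reason about with code in hand. The following is an added illustrative example written for this article, not code from the original post and not from any real profiling framework or surveillance vendor: it takes the properties a page can read through JavaScript (client-hint brands, platform, CPU count, memory, screen, WebGL renderer string, navigator.webdriver, languages) and decides whether the visitor looks like a real device worth serving an exploit to, and which device class it belongs to. Because window.navigator only exists in a browser, the input snapshots are constructed objects, and the "bundle" names are hypothetical placeholders for the exploit that would be selected.

```javascript
// Added illustrative example: a targeting gate of the kind used after
// browser fingerprinting. Not the article's code and not any vendor's
// framework. All snapshot values are constructed; bundle names are hypothetical.

// Constructed stand-ins for what window.navigator, window.screen, client hints
// and the WebGL debug renderer string would yield. Not real captures.
const SAMPLE_PROFILES = {
  realPixel: {
    brands: ["Chromium", "Google Chrome"],
    platform: "Android",
    hardwareConcurrency: 8,
    deviceMemory: 8,
    screen: { width: 412, height: 915, dpr: 2.625 },
    gpuRenderer: "ANGLE (Qualcomm, Adreno (TM) 740, OpenGL ES 3.2)",
    webdriver: false,
    languages: ["en-US", "en"],
  },
  headlessCrawler: {
    brands: ["Chromium", "HeadlessChrome"],
    platform: "Linux x86_64",
    hardwareConcurrency: 2,
    deviceMemory: 2,
    screen: { width: 800, height: 600, dpr: 1 },
    gpuRenderer: "Google SwiftShader",
    webdriver: true,
    languages: [],
  },
};

// Signals that the "browser" is an analysis sandbox, crawler or emulator rather
// than a real device. Every hit is returned so the caller can log why a
// visitor was turned away instead of being served the exploit.
function automationIndicators(p) {
  const reasons = [];
  if (p.webdriver) reasons.push("navigator.webdriver");
  if (p.brands.some((b) => /headless/i.test(b))) reasons.push("headless brand");
  if (/swiftshader|llvmpipe|mesa offscreen/i.test(p.gpuRenderer)) reasons.push("software GPU");
  if (p.languages.length === 0) reasons.push("no languages");
  if (p.screen.width === 800 && p.screen.height === 600) reasons.push("default headless viewport");
  return reasons;
}

// Coarse device classification from the same properties. Renderer and GPU
// process exploits are specific to OS and GPU vendor, so that is the key.
function classifyDevice(p) {
  const os = /android/i.test(p.platform) ? "android"
    : /iphone|ipad|mac/i.test(p.platform) ? "apple"
    : /win/i.test(p.platform) ? "windows" : "linux";
  const m = /(qualcomm|adreno|mali|apple|nvidia|amd|intel)/i.exec(p.gpuRenderer);
  const vendor = m ? m[1].toLowerCase() : "unknown";
  return { os, gpuVendor: vendor === "adreno" ? "qualcomm" : vendor };
}

// Stable 32-bit FNV-1a identifier of the profile. A real framework would also
// fold in a canvas rendering hash, omitted here because it needs a DOM.
function profileHash(p) {
  const canonical = JSON.stringify([p.brands, p.platform, p.hardwareConcurrency,
    p.deviceMemory, p.screen, p.gpuRenderer]);
  let h = 0x811c9dc5;
  for (let i = 0; i < canonical.length; i++) {
    h ^= canonical.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Gate decision: decoy content for anything that looks automated, otherwise
// the (hypothetical) exploit bundle matching the device class.
function selectResponse(p) {
  const reasons = automationIndicators(p);
  if (reasons.length > 0) return { action: "decoy", reasons };
  const { os, gpuVendor } = classifyDevice(p);
  return { action: "serve", bundle: `${os}-${gpuVendor}`, profile: profileHash(p) };
}

for (const [name, profile] of Object.entries(SAMPLE_PROFILES)) {
  console.log(name, JSON.stringify(selectResponse(profile)));
}
```

Two practical points follow from this. For the attacker, the gate is what keeps a one-shot exploit away from crawlers and analyst sandboxes, which is why such frameworks are rarely captured in full. For the defender, a script on a trusted site that reads navigator.webdriver, probes the WebGL renderer string and draws an off-screen canvas before deciding what to load is itself a triage indicator, regardless of whether the exploit stage is ever observed.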

Exploits often compromise the Renderer Process (Mo, 2021b), the process that controls everything inside the tab where a website is displayed (Kosaka, 2018), and what happens next depends on the actor's needs and the specific scenario. It may then be necessary to gain more privileges: a sandbox escape (SBX) to move into the Browser Process, or a Local Privilege Escalation (LPE) exploit to obtain higher privileges on the operating system (Mo, 2021a). According to Bernhard et al. (2024), an attractive alternative to the Renderer Process is the GPU Process, since in some browsers the GPU process runs under a less strict sandbox or none at all.

(Figure 1: Exploitation phase, author’s elaboration on Kosaka (2018))


Conclusions

A generalized browser kill chain for one-click attacks follows a structured sequence, beginning with the user clicking a weaponized URL. This triggers fingerprinting via HTML, CSS, and JavaScript, whose information leakage is used to tailor the exploit to the exact device. This shows that fingerprinting is a security problem, not only the privacy issue it is usually framed as.

A multi-layered defense strategy is necessary (MSRC, 2010). Users must adopt secure browsing habits; standards bodies should enhance the security of the web platform, for example by treating the riskiest APIs as powerful features that must be explicitly enabled by the user, turning 1-click into n-click; and browser vendors must continuously strengthen exploit mitigations.

References

Bernhard, L., Schiller, N., Schloegel, M., Bars, N., & Holz, T. (2024). DarthShader: Fuzzing WebGPU Shader Translators & Compilers. In Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security (CCS '24), 690–704. https://doi.org/10.1145/3658644.3690209

Farrow, R. (2022, April 14). How Democracies Spy on Their Citizens. The New Yorker. https://www.newyorker.com/magazine/2022/04/25/how-democracies-spy-on-their-citizens

Kosaka, M. (2018). Inside look at modern web browser (part 1). Chrome for Developers. https://developer.chrome.com/blog/inside-browser-part1

Kurtz, G. (2010). Operation "Aurora" Hit Google, Others. McAfee Blog Central (archived). https://web.archive.org/web/20120911141122/https://blogs.mcafee.com/corporate/cto/operation-aurora-hit-google-others

Lecigne, C. (2024, August 29). State-backed attackers and commercial surveillance vendors repeatedly use the same exploits. Google Threat Analysis Group. https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/

Marczak, B. (2019, September 24). Missing Link: Tibetan Groups Targeted with 1-Click Mobile Exploits. The Citizen Lab. https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/

Mitnick, K. D., & Simon, W. L. (2003). The Art of Deception: Controlling the Human Element of Security. Wiley.

Mo, M. Y. (2021a, March 16). One day short of a full chain: Part 1 - Android Kernel arbitrary code execution. The GitHub Blog. https://github.blog/security/vulnerability-research/one-day-short-of-a-full-chain-part-1-android-kernel-arbitrary-code-execution/

Mo, M. Y. (2021b, March 24). One day short of a full chain: Part 3 - Chrome renderer RCE. The GitHub Blog. https://github.blog/security/vulnerability-research/one-day-short-of-a-full-chain-part-3-chrome-renderer-rce/

MSRC. (2010). Security Advisory 979352 Released. Microsoft Security Response Center, TechNet Blogs (archived). https://web.archive.org/web/20121015141803/https://blogs.technet.com/b/msrc/archive/2010/01/14/security-advisory-979352.aspx

Naraine, R. (2010, January 15). Microsoft says Google was hacked with IE zero-day. ZDNET. https://www.zdnet.com/article/microsoft-says-google-was-hacked-with-ie-zero-day/

NVD. (2010). CVE-2010-0249. CVE List (MITRE). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249

Scott-Railton, J. (2024, August 14). Rivers of Phish: Sophisticated Phishing Targets Russia's Perceived Enemies Around the Globe. The Citizen Lab. https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/

Walker, K. (2022, July 19). Transparency in the shadowy world of cyberattacks. Google. https://blog.google/outreach-initiatives/public-policy/transparency-in-the-shadowy-world-of-cyberattacks/

Vito A.

DFIR Specialist | GIAC Advisory Board

3 weeks

Well done Simo, you wrote a very interesting article. When shall we write one together? :)
