Attacks that exploit zero-day vulnerabilities are magnets for attention and headlines, but they are relatively rare and make up a tiny percentage of the overall attack landscape. When those attacks are identified, however, they can provide valuable insights for researchers and security teams about attackers’ tactics and targets of choice.
A number of the large technology companies and smaller independent firms have teams that spend their time specifically looking for exploits against zero days, and Google’s Threat Analysis Group is one of the more active teams in that cohort. The TAG regularly discovers and discloses new vulnerabilities in a variety of applications, including Google’s own Chrome browser and Android mobile operating system. In 2019, TAG came across an unusual pattern of attacks from one adversary that included the use of exploits against several zero days.
“Last year, TAG discovered that a single threat actor was capitalizing on five zero-day vulnerabilities. Finding this many zero-day exploits from the same actor in a relatively short time frame is rare. The exploits were delivered via compromised legitimate websites (e.g. watering hole attacks), links to malicious websites, and email attachments in limited spear phishing campaigns. The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues,” Toni Gidwani, security engineering manager for TAG, said in a post.
The flaws that this attacker was exploiting included bugs in Internet Explorer, Chrome, Android, and Windows, all of which are prime targets for attackers as they’re all widely deployed. This kind of activity is the hallmark of a state-backed adversary, one with extensive resources, financial backing, technical talent, and time to scope targets and develop tools and exploits. Attackers at that level tend to focus on specific, rather than random, targets and employ a variety of tactics, from the highly sophisticated to the banal.
If attacks exploiting zero days are at the top of that pyramid, phishing would be toward the bottom. But that doesn’t mean phishing is not effective; it absolutely is. And that means attackers will continue to use it, even high-level groups. Google’s TAG also spends a considerable amount of time researching phishing attacks and developing new mitigations and defenses against them. Google has several levels of defense against phishing campaigns, especially those that come from state actors. For the last few years the company has had a system that sends people a warning if Google detects a government-backed phishing or malware attack on their accounts. Google also created its Advanced Protection Program a few years ago, which provides a high level of defense against many attacks, including phishing, with the use of hardware security keys for two-factor authentication.
“In 2019, we sent almost 40,000 warnings, a nearly 25 percent drop from 2018. One reason for this decline is that our new protections are working—attackers' efforts have been slowed down and they’re more deliberate in their attempts, meaning attempts are happening less frequently as attackers adapt,” Gidwani said.
“In 2019, one in five accounts that received a warning was targeted multiple times by attackers. If at first the attacker does not succeed, they’ll try again using a different lure, different account, or trying to compromise an associate of their target. We’ve yet to see people successfully phished if they participate in Google’s Advanced Protection Program (APP), even if they are repeatedly targeted.”