"the time of discovery. We also notified the Mongolian CERT to remediate the infected websites. This post will detail these campaigns, highlight the continued utility of watering hole attacks for sophisticated exploits, and demonstrate common exploit usage across government-back…"
T1189 Drive-by Compromise
98%
"screen size, whether or not a touch screen is present, and a unique identifier per initial GET request (e.g., 1lwuzddaxoom5ylli37v90kj). The server replies with either an AES encrypted next stage or 0, indicating that no payload is available for this device. The payload makes …"
T1189 Drive-by Compromise
97%
"do not know how the attackers acquired these exploits. What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs. It should be noted that outside of common exploit usage, the recent watering hole campaigns otherwise differed in thei…"
T1189 Drive-by Compromise
94%
". Google Chrome campaign: at the end of July 2024, a new watering hole appeared on the mfa.gov[.]mn website where track-adv[.]com was re-used to deliver a Google Chrome exploit chain to Android users. From a high-level overview, the attack and end goal are essentially…"
T1539 Steal Web Session Cookie
93%
"they would be delivered to the targeted websites u including the authentication cookies for the targeted websites. - Restore m_universalAccess back to its original state. The cookie stealer module is targeting the following hard-coded set of websites: ["webmail.mfa.gov.…"
T1189 Drive-by Compromise
90%
"State-backed attackers and commercial surveillance vendors repeatedly use the same exploits. Today, we’re sharing that Google’s Threat Analysis Group (TAG) observed multiple in-…"
T1539 Steal Web Session Cookie
88%
"older. The payload was the same cookie stealer framework that TAG previously observed being used in 2021 in a suspected APT29 campaign. This is the first time it has been observed since the 2021 campaign. - February 2024: mfa.gov[.]mn was compromised again to include an ifra…"
T1539 Steal Web Session Cookie
83%
"objects to escape the V8 heap sandbox, which was a known technique now fixed in Chrome M127. Cookie stealer payload: once the Chrome sandbox is escaped, a new payload is dropped into /data/data/com.android.chrome/c.so and executed via LD_PRELOAD. Normally, we would exp…"
T1555.003 Credentials from Web Browsers
72%
"objects to escape the V8 heap sandbox, which was a known technique now fixed in Chrome M127. Cookie stealer payload: once the Chrome sandbox is escaped, a new payload is dropped into /data/data/com.android.chrome/c.so and executed via LD_PRELOAD. Normally, we would exp…"
T1595.002 Vulnerability Scanning
53%
"IndexedDB to store status information on the client side. In the iOS exploit the database was named minus and in the Chrome exploit the database was named tracker. - A unique identifier using the same format (e.g., 2msa5mmjhqxpdsyb5vlcnd2t) was generated and passed as tt=par…"
T1189 Drive-by Compromise
36%
"the CVE-2023-41993 case above, here the attacker adapted NSO Group’s exploit. Even though they share a very similar trigger, as seen in the screenshot below, the two exploits are conceptually different and the similarities are less obvious than the iOS exploit. For example,…"
T1190 Exploit Public-Facing Application
35%
"State-backed attackers and commercial surveillance vendors repeatedly use the same exploits. Today, we’re sharing that Google’s Threat Analysis Group (TAG) observed multiple in-…"
T1185 Browser Session Hijacking
33%
"objects to escape the V8 heap sandbox, which was a known technique now fixed in Chrome M127. Cookie stealer payload: once the Chrome sandbox is escaped, a new payload is dropped into /data/data/com.android.chrome/c.so and executed via LD_PRELOAD. Normally, we would exp…"