Google warns that hackers used macOS zero-day exploit to spy on Hong Kong users

News / Google warns that hackers used macOS zero-day exploit to spy on Hong Kong users

Google warns that hackers used macOS zero-day exploit to spy on Hong Kong users

Google’s Threat Analysis Group (TAG) announced Thursday that they have been tracking a zero-day exploit in macOS. The exploit allowed hackers to utilise a “watering hole” attack to spy on macOS users in Hong Kong

The exploit (known as CVE-2021-30869) has since been patched by Apple. Google TAG states that Apple fixed the issue in September. However, TAG discovered the exploit in August, leaving users vulnerable during this time.

The attackers made use of the exploit to grant them root access to the targeted macOS device. Once granted access, attackers implemented a backdoor on the target device. The backdoor included functionality to capture victims’ keystrokes and screenshots. Apple described the issue in a security update earlier this year:

“A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild.”

Watering Hole Attacks

With watering hole attacks, hackers pick sites to compromise based on the profile of their targets. According to Google TAG, targets “were visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.”

Google TAG believes that the group behind the attacks may be a state-sponsored group. “Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.” 

Exploit Details

The hackers leveraged two websites in their watering hole attack. One, a Hong Kong media outlet, the other a “prominent pro-democracy labor and political group.”

According to Google TAG, the websites used in the watering hole attacks used two HTML iframes. These "served exploits from an attacker-controlled server—one for iOS and the other for macOS.”

The payloads delivered as a result of the watering hole attacks were made possible by a flaw in XNU known as CVE-2021-30869. Attackers used the exploit to elevate privilege, granting them root access to the victims’ Macs. Once they had root access, they deployed the backdoor.

The deployed backdoor included some typical trimmings usually included in malware deployments. Some features of the payload Google TAG discovered were:

  • victim device fingerprinting
  • screen capture
  • file download/upload
  • executing terminal commands
  • audio recording
  • keylogging
How secure is

your business?

Security test
How secure is

your business?

Security test