Google warns that hackers used macOS zero-day exploit to spy on Hong Kong users


Google’s Threat Analysis Group (TAG) announced Thursday that it has been tracking a zero-day exploit in macOS. The exploit allowed hackers to use a “watering hole” attack to spy on macOS users in Hong Kong.

The underlying vulnerability (CVE-2021-30869) has since been patched by Apple. Google TAG states that Apple fixed the issue in September. However, TAG discovered the exploit in August, leaving users exposed in the meantime.

The attackers used the exploit to gain root access to the targeted macOS device. Once they had that access, they installed a backdoor on the device. The backdoor included functionality to capture victims’ keystrokes and screenshots. Apple described the issue in a security update earlier this year:

“A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild.”

Watering Hole Attacks

With watering hole attacks, hackers pick sites to compromise based on the profile of their targets. According to Google TAG, targets “were visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.”

Google TAG believes that the group behind the attacks may be a state-sponsored group. “Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.” 

Exploit Details

The hackers leveraged two websites in their watering hole attack. One was a Hong Kong media outlet; the other belonged to a “prominent pro-democracy labor and political group.”

According to Google TAG, the websites compromised in the watering hole attacks contained two HTML iframes. These “served exploits from an attacker-controlled server—one for iOS and the other for macOS.”
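The injected-iframe pattern described above is something a site owner can check for on their own pages. The following is an added example (not code from Google TAG or from the article) that parses a page, collects every iframe source, and flags those whose host is neither the site’s own host nor on an allowlist. The sample HTML, the site host news.example and the off-site host cdn-assets.example.invalid are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hypothetical): a site at news.example into which two
# hidden third-party iframes have been injected, one per target platform,
# alongside a legitimate same-origin embed.
SAMPLE_HTML = """
<html><body>
<h1>Headlines</h1>
<iframe src="/embed/video-player.html" width="640" height="360"></iframe>
<iframe src="https://cdn-assets.example.invalid/ios/index.html" style="display:none"></iframe>
<iframe src="https://cdn-assets.example.invalid/mac/index.html" style="display:none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def find_foreign_iframes(html, site_host, allowlist=()):
    """Return iframe sources that load from a host other than the site itself.

    Relative URLs (no host) are treated as same-origin. Protocol-relative
    URLs such as //host/path are resolved to their host by urlparse.
    Hosts listed in `allowlist` (e.g. a known video provider) are ignored.
    """
    parser = IframeCollector()
    parser.feed(html)
    foreign = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for relative URLs like /embed/x.html
        if host is None or host == site_host or host in allowlist:
            continue
        foreign.append(src)
    return foreign


if __name__ == "__main__":
    for src in find_foreign_iframes(SAMPLE_HTML, "news.example"):
        print("off-site iframe:", src)
```

Run periodically against a site’s served pages (not just its source repository, since the injection may live in a compromised template or CMS plugin), a non-empty result is worth an alert. A `Content-Security-Policy` with a restrictive `frame-src` directive is the complementary control: it stops the browser from loading frames from hosts the site owner never approved.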

The payloads delivered as a result of the watering hole attacks were made possible by a flaw in XNU known as CVE-2021-30869. Attackers used the exploit to elevate privilege, granting them root access to the victims’ Macs. Once they had root access, they deployed the backdoor.

The deployed backdoor included the capabilities typically found in such malware. Among the features of the payload Google TAG discovered were:

  • victim device fingerprinting
  • screen capture
  • file download/upload
  • executing terminal commands
  • audio recording
  • keylogging