Google has revealed more details relating to a macOS bug that it saw used in the wild against visitors to Hong Kong media websites.
The search giant's Threat Analysis Group (TAG) identified a watering hole attack against a media outlet's website and pro-democracy labor and political group, said Google TAG researcher Eyre Hernandez in a blog post detailing the exploit.
The watering hole attack, in which the exploit infected visitors to the website, targeted iOS and macOS devices, the company said. These used two different attack frameworks.
The macOS attack used vulnerability CVE-2021-30869, which was unpatched at the time and installed a previously unreported backdoor on Mac systems. It targeted Intel-based Macs running the Catalina version of its operating system, but Apple's latest Big Sur version features generic protections, rendering the exploit useless.
The code was sophisticated, using obfuscation techniques that forced the TAG researchers to write a script that decoded it.
The attack broke out of Safari's sandbox security mechanism and ran as root, giving it full system access. It then downloaded a payload, which Hernandez called "a product of extensive software engineering," using a publish-and-subscribe service to download different attack modules.
RELATED RESOURCE
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email security
The module TAG team saw captured user keystrokes. Other features included fingerprinting the device, capturing screenshots, and recording audio from the Mac. It also executed commands in the terminal and downloaded or uploaded files from the victim's machine.
"Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code," Hernandez said.
TAG reported the vulnerability to Apple, which patched it in Catalina on September 23. However, TAG believes the exploit triggered over 200 infections when it found the attack.
Big tech companies have stopped processing data requests on users from Hong Kong following fears over human rights abuses and spying from China. Facebook also cancelled an undersea cable there in March.
-
Putting small language models under the microscopeITPro Podcast The benefits of small language models are undeniable – but they're no silver bullet
-
CyberOne appoints Microsoft’s Tracey Pretorius to its advisory boardNews The threat intelligence leader will provide strategic guidance to CyberOne’s executive team
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
Serious flaws in Microsoft apps on macOS could let hackers spy on usersNews The security firm said attackers could bypass permissions for Microsoft apps on macOS and gain privileges without verification
