Hackers use macOS zero-day flaw to capture victims’ data – Google

Well-resourced state-sponsored actors are suspected of creating a macOS exploit, Google warns. Hackers likely exploited the flaw for at least three months.

Researchers at Google’s Threat Analysis Group (TAG) reported that hackers targeted visitors to Hong Kong websites belonging to a media outlet and a prominent pro-democracy labor and political group.

TAG considers the hack to be a watering hole attack. A ‘watering hole’ attack is one designed to compromise members of a particular group of users by infecting websites that group typically visits.

The hackers exploited an XNU privilege escalation vulnerability (CVE-2021-30869) that was still unpatched in macOS Catalina. Apple patched the bug once TAG informed the company about it.

According to Erye Hernandez, author of the blog post about the exploit, the websites leveraged for the attacks contained two iframes that served exploits from an attacker-controlled server: one for iOS and the other for macOS.

While exploits targeting iOS users employed a framework based on Ironsquirrel to encrypt exploits delivered to the victim’s browser, macOS exploits took a different path.

The landing page contained a simple HTML page loading two scripts: one for Capstone.js and another for the exploit chain. The JavaScript that starts the exploit chain checks which version of macOS the visitor is running and specifically targets those using Catalina.

“Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code,” Hernandez wrote.

According to the research, exploits could have been used for capturing victims’ keystrokes, fingerprinting, screenshots, file downloads, audio recording, and executing terminal commands.

“The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2,” Hernandez wrote.