Google warns of data-stealing macOS bug
Hackers exploited the flaw to target a Hong Kong media outlet's website and pro-democracy labor and political group
Google has revealed more details relating to a macOS bug that it saw used in the wild against visitors to Hong Kong media websites.
The search giant's Threat Analysis Group (TAG) identified a watering hole attack against a media outlet's website and pro-democracy labor and political group, said Google TAG researcher Eyre Hernandez in a blog post detailing the exploit.
The watering hole attack, in which the exploit infected visitors to the website, targeted iOS and macOS devices, the company said. These used two different attack frameworks.
The macOS attack used vulnerability CVE-2021-30869, which was unpatched at the time and installed a previously unreported backdoor on Mac systems. It targeted Intel-based Macs running the Catalina version of its operating system, but Apple's latest Big Sur version features generic protections, rendering the exploit useless.
The code was sophisticated, using obfuscation techniques that forced the TAG researchers to write a script that decoded it.
The attack broke out of Safari's sandbox security mechanism and ran as root, giving it full system access. It then downloaded a payload, which Hernandez called "a product of extensive software engineering," using a publish-and-subscribe service to download different attack modules.
RELATED RESOURCE
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email security
The module TAG team saw captured user keystrokes. Other features included fingerprinting the device, capturing screenshots, and recording audio from the Mac. It also executed commands in the terminal and downloaded or uploaded files from the victim's machine.
"Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code," Hernandez said.
TAG reported the vulnerability to Apple, which patched it in Catalina on September 23. However, TAG believes the exploit triggered over 200 infections when it found the attack.
Big tech companies have stopped processing data requests on users from Hong Kong following fears over human rights abuses and spying from China. Facebook also cancelled an undersea cable there in March.
-
‘Perfect’ Zero Trust is killing your mid-market productivitySponsored Security theory often collapses under real-world deadlines. It’s time for a more auditable, “human-centric” approach to privileged access management
-
Increased AI use means developers spend more time reviewing code than everNews While AI is improving productivity and efficiency, many developers are caught up in a vicious cycle of code reviews and bug hunting
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
-
Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to knowNews Patch Tuesday update targets large number of vulnerabilities already being used by attackers
