Hong Kong pro-democracy site targeted by macOS 0-day watering hole attack

Google’s Threat Analysis Group (TAG) has discovered watering hole attacks targeting visitors to the Hong Kong websites of a media outlet and of a prominent pro-democracy labour and political group. In its report on the subject, TAG says the attacks have been active since at least August 2021.

The exploit uses an XNU privilege escalation vulnerability tracked as CVE-2021-30869, which led to the installation of a previously unreported backdoor. At the time of discovery the vulnerability was unpatched in macOS Catalina; TAG reported the issue to Apple, and a patch has since been issued.

Based on the quality of the payload code, TAG suspects this group to be state-backed, well-resourced and in possession of its own software engineering team.

A zero-day for democracy

The attack consists of an exploit chain that, in addition to the privilege escalation vulnerability mentioned above, also exploited a remote code execution bug tracked as CVE-2021-1789, which had already been patched on January 5, 2021. The privilege escalation vulnerability was fixed on September 23, 2021.

The attackers used this exploit chain to gain root access on macOS Catalina and install a malware strain known as MACMA or OSX.CDDS. This novel malware gave its operators the following capabilities:

  • Fingerprint devices for later identification.
  • Record local audio.
  • Download and upload files.
  • Log keystrokes.
  • Take screenshots.
  • Execute terminal commands remotely.

In addition to the macOS exploit chain, TAG also detected that iOS users were being targeted, although the group could not recover that exploit chain in full.

The exploit had previously been made public by Pangu Lab’s research team at zerocon21 in April 2021 and at the Mobile Security Conference in July 2021, before its deployment in the attacks starting in August. However, it’s unclear whether Pangu Lab failed to report this to Apple or the tech giant was simply slow in issuing a patch.

In addition to TAG’s report, independent macOS researcher Patrick Wardle has published a more in-depth report on the malware in his blog.
