Google’s Threat Analysis Group discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and leading pro-democracy labour and political group. In its report on the subject, TAG suspects the attacks to be active since at least August 2021.
The exploit chain uses an XNU privilege escalation vulnerability, tracked as CVE-2021-30869, to install a previously unreported backdoor. The vulnerability was unpatched in macOS Catalina at the time; TAG reported the issue to Apple, which has since issued a patch.
TAG suspects the group to be state-backed: it is well-resourced and, judging by the quality of the payload code, has access to its own software engineering team.
A zero-day for democracy
The attack consists of an exploit chain that, in addition to the vulnerability mentioned above, also exploited a remote code execution bug, CVE-2021-1789, which had been patched on January 5, 2021. The other vulnerability was fixed on September 23, 2021.
The attackers used this exploit chain to gain root access on macOS Catalina and install a malware strain named MACMA (also known as OSX.CDDS). This novel malware gave its operators the following abilities:
- Fingerprint devices for later identification.
- Record local audio.
- Download and upload files.
- Log keystrokes.
- Take screenshots.
- Execute terminal commands remotely.
In addition to the macOS vulnerability, TAG also detected that iOS users were being targeted, although the group couldn’t identify the full exploit chain.
The exploit had previously been made public by Pangu Lab’s research team at zerocon21 in April 2021 and at the Mobile Security Conference in July 2021, before its deployment in the attacks starting in August. However, it’s unclear whether Pangu Lab failed to report this to Apple or the tech giant was just lazy in issuing a patch.
In addition to TAG’s report, independent macOS researcher Patrick Wardle has published a more in-depth report on the malware in his blog.