Google warns of data-stealing macOS bug
Hackers exploited the flaw to target a Hong Kong media outlet's website and pro-democracy labor and political group
The search giant's Threat Analysis Group (TAG) identified a watering hole attack against a media outlet's website and pro-democracy labor and political group, said Google TAG researcher Eyre Hernandez in a blog post detailing the exploit.
The watering hole attack, in which the exploit infected visitors to the website, targeted iOS and macOS devices, the company said. These used two different attack frameworks.
The macOS attack used vulnerability CVE-2021-30869, which was unpatched at the time and installed a previously unreported backdoor on Mac systems. It targeted Intel-based Macs running the Catalina version of its operating system, but Apple's latest Big Sur version features generic protections, rendering the exploit useless.
The code was sophisticated, using obfuscation techniques that forced the TAG researchers to write a script that decoded it.
The attack broke out of Safari's sandbox security mechanism and ran as root, giving it full system access. It then downloaded a payload, which Hernandez called "a product of extensive software engineering," using a publish-and-subscribe service to download different attack modules.
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email securityFree download
The module TAG team saw captured user keystrokes. Other features included fingerprinting the device, capturing screenshots, and recording audio from the Mac. It also executed commands in the terminal and downloaded or uploaded files from the victim's machine.
"Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code," Hernandez said.
Big tech companies have stopped processing data requests on users from Hong Kong following fears over human rights abuses and spying from China. Facebook also cancelled an undersea cable there in March.
The challenge of securing the remote working employee
The IT Pro Guide to Sase and successful digital transformationFree Download
VMware Cloud workload migration tools
Cloud migration types, phases, and strategiesFree download
Practices for maximising the business value of digital infrastructure Consumption-as- a-Service subscriptions
IDC PeerScapeFree Download
Container network security guide for dummies
Enforcing Kubernetes best practicesFree download