Researchers at Google’s Threat Analysis Group (TAG) caught hackers targeting Mac users in Hong Kong by exploiting zero-day system vulnerabilities. The researchers claim the attacks have the telltale signs of government-backed hackers.
In a report published on Thursday, TAG revealed that it discovered the campaign late in August this year. The hackers staged a watering hole attack: the malicious code was hidden within the legitimate websites of “a media outlet and a prominent pro-democracy labor and political group” in Hong Kong. When unwary users visited the websites, their Macs were compromised by the zero-day exploit paired with a second exploit. The latter used previously patched vulnerabilities in macOS so the hackers could install a backdoor on the victims’ computers.
The security researchers were able to trigger the exploits and study them by visiting the compromised websites. The sites could reportedly exploit both iOS and macOS, but the researchers could only retrieve the exploit chain for the latter. The head of TAG, Shane Huntley, told Motherboard that the zero-day exploit used by this campaign resembles an exploit discovered by cybersecurity research group Pangu Lab.
This vulnerability had been presented at a security conference in China in April, a few months before the hackers used it to target Mac users in Hong Kong. The exploit still worked because the presentation had described it as targeting Big Sur, but Google’s researchers discovered that it also worked on macOS Catalina. Because the vulnerability remained unpatched on Catalina, Google classified it as a zero-day.
Addressing the question of the hackers’ identity, Huntley said, “We do not have enough technical evidence to provide attribution, and we do not speculate about attribution. However, the nature of the activity and targeting is consistent with a government-backed actor.”
Apple has since patched the macOS zero-day vulnerability in an update released on September 23 (Security Update 2021-006 for macOS Catalina). Pangu Lab and Apple did not respond to Motherboard’s request for comment.
[Via Google]