Researchers at Google's Threat Analysis Group (TAG) have published a report detailing how a group of threat actors spied on visitors to certain websites in Hong Kong using a critical zero-day vulnerability in macOS. Tracked as CVE-2021-30869, the flaw was fixed in macOS Catalina a couple of months ago.
In its report, Google notes that these attacks are part of a watering hole campaign, in which threat actors compromise specific websites in order to extract information from their visitors: “The compromised websites had two iframes used as exploits for iOS and for macOS,” TAG notes.
The attackers abused the zero-day vulnerability to install a backdoor on Apple devices through the compromised websites. The investigators believe that the hacking group responsible for this campaign has extensive technological and economic resources at its disposal, so it is likely being sponsored by a state actor.
After gaining root access to the affected system, the attackers downloaded a payload that runs in the background on the infected devices. By analyzing a sample of the final-stage malware, the experts concluded that it is the product of highly advanced software engineering, using a model based on Data Distribution Service (DDS) to establish C&C communications.
The backdoor used by the hackers is also somewhat unusual, as it allowed the attackers to spy on targets in great detail: they were able to obtain logs from the affected system, take screenshots, record audio and video, execute terminal commands, and upload and download files.
Although the researchers did not explicitly name the websites compromised in this hacking campaign, they point out that the targets included a major media outlet in Hong Kong and a pro-democracy activist group, so the attack is presumed to originate from the Chinese authorities.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.