Google warns hackers used macOS zero-day flaw, could capture keystrokes, screengrabs

Discussion in 'Headline News' started by RickAgresta, Nov 12, 2021.

  1. RickAgresta

    RickAgresta General Peanut, leader of the Peanutty Forces

    Google's Threat Analysis Group (TAG) has revealed that hackers targeting visitors to websites in Hong Kong were using a previously undisclosed, or zero-day, flaw in macOS to spy on people.

    Apple patched the bug, tracked as CVE-2021-30869, in a macOS Catalina update in September, about a month after Google TAG researchers found it being used.

    "A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild," Apple said, crediting Google TAG researchers with reporting the flaw.

    Now Google has provided more information, noting that this was a so-called "watering hole" attack, where attackers select websites to compromise because of the profile of typical visitors. The attacks targeted Mac and iPhone users.

    "The websites leveraged for the attacks contained two iframes which served exploits from an attacker-controlled server—one for iOS and the other for macOS," said Erye Hernandez of Google TAG.

    The watering hole served an XNU privilege escalation vulnerability at that point unpatched in macOS Catalina, which led to the installation of a backdoor.

    "We believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code," he added.

    The attackers were using the previously disclosed flaw in XNU, tracked as CVE-2020-27932, and a related exploit to create an elevation of privilege bug that gave them root access on a targeted Mac.

    Once root access was gained, the attackers downloaded a payload that ran silently in the background on infected Macs. The design of the malware suggests a well-resourced attacker, according to Google TAG.

    "The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2. It also has several components, some of which appear to be configured as modules," notes Hernandez.

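The delivery mechanism described in the post above (a compromised site carrying iframes that load exploit content from an attacker-controlled server, one frame per target platform) can be triaged from the defender's side by flagging iframes whose src resolves to an origin other than the page's own, and noting which of those are also hidden. The script below is an added example and is not code from Google TAG, Apple, or the quoted article; the page URL, the host name exploit-host.invalid, and the HTML snippet are all constructed for illustration.

```python
"""Flag off-origin (and hidden) iframes in an HTML document.

Added example for the watering-hole pattern described in the post; not
code from Google TAG or the article. The sample page URL, the host name
exploit-host.invalid and the HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names;
        # a valueless attribute arrives as None, normalise it to "".
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _origin(url):
    """(scheme, host, port) for url: the browser's notion of origin."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.hostname or "", parts.port)


def _looks_hidden(attrs):
    """Heuristic: zero-sized frames or display:none / visibility:hidden."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width = attrs.get("width", "").strip()
    height = attrs.get("height", "").strip()
    return width in ("0", "0px") or height in ("0", "0px")


def find_suspicious_iframes(page_url, html):
    """Return one dict per iframe whose src resolves to an origin other
    than page_url's. Each dict carries the resolved src and whether the
    frame also appears hidden (the combination seen in exploit delivery).
    Same-origin frames and frames without a src are not reported."""
    collector = IframeCollector()
    collector.feed(html)
    page_origin = _origin(page_url)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "").strip()
        if not src:
            continue  # srcdoc / empty frames are out of scope here
        resolved = urljoin(page_url, src)  # relative src stays same-origin
        if _origin(resolved) != page_origin:
            findings.append({"src": resolved, "hidden": _looks_hidden(attrs)})
    return findings


# Constructed sample: one legitimate same-origin widget frame plus two
# injected cross-origin frames, one per platform, mirroring the write-up.
SAMPLE_PAGE_URL = "https://news.example.hk/article.html"
SAMPLE_HTML = """
<html><body>
<h1>Local news</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="https://exploit-host.invalid/ios" width="0" height="0"></iframe>
<iframe src="https://exploit-host.invalid/mac" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        flag = "hidden" if finding["hidden"] else "visible"
        print(f"off-origin iframe ({flag}): {finding['src']}")
```

Run this over HTML fetched from a site you are responsible for (or from a saved copy of a page visited shortly before an incident) rather than by live-browsing a suspected watering hole; the origin comparison is the meaningful signal, while the hidden-frame heuristic only narrows the list, since legitimate embeds (ads, analytics) are also cross-origin and sometimes invisible.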
  2. Hook

    Hook Have keyboard, will travel

    Why can't they ever write this stuff in English? :vbrolleyes:
