Pierluigi Paganini
November 12, 2021
Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited a XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina
The watering hole campaign targeted websites of a media outlet and important pro-democracy labor and political group. The researchers discovered that attackers deployed on the sites hosted two iframes that were used to serve iOS and macOS exploits to the visitors.
The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group.
The attack was discovered in late August, the nature of the targets and the level of sophistication of the attack suggests the involvement of a China-linked threat actor.
“To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.” reads the analysis published by Google. “As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks.”
The iOS exploit chain used a framework based on Ironsquirrel to encrypt exploits delivered to the visitor’s browser. Google researchers pointed out that they were not able to retrieve the complete iOS chain. Evidence collected demonstrated that attackers exploited the CVE-2019-8506 flaw to execute malicious code in Safari.
The macOS exploits were different from the iOS ones. Threat actors set up a landing page containing a simple HTML page loading two scripts, one for Capstone.js and another for the exploit chain.
The exploit chain used in this case combined the CVE-2021-1789 RCE in WebKit and a 0-day local privilege escalation in XNU (CVE-2021-30869) patched by Apple in Sept.
The analysis of the macOS exploits revealed the presence of a parameter used by the threat actors to record the number of exploitation attempts, this parameter had a value of roughly 200 at the time of its discovery.
The watering hole attack allowed the attackers to deliver a Mac malware (OSX.CDDS) that implements surveillance capabilities, such as capturing keystrokes, taking screenshots, fingerprinting compromised devices, uploading/downloading files, executing terminal commands, and recording audio.
It is interesting to note that the malware had a zero detection rate on VirusTotal malware analysis service at the time of analysis, a circumstance that demonstrates the level of sophistication of the attack.
Google TAG researchers shared Indicators of Compromise (IoCs) for these attacks.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, watering hole)
[adrotate banner=”5″]
[adrotate banner=”13″]
