Google has shared details of a recently patched macOS Catalina zero-day vulnerability that allowed watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.
In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.
Impacted sites served an XNU privilege escalation vulnerability, identified as CVE-2021-30869, that was unpatched in macOS Catalina, allowing installation of a previously unreported backdoor on affected machines.
As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks.
Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.
The iOS exploit chain used a framework based on Ironsquirrel to encrypt exploits delivered to the victim’s browser. We did not manage to get a complete iOS chain this time, just a partial one where CVE-2019-8506 was used to get code execution in Safari.
The macOS exploits did not use the same framework as iOS ones. The landing page contained a simple HTML page loading two scripts—one for Capstone.js and another for the exploit chain.
Once root access was granted, the payload ran in the background, collecting information about a victim’s device, perform screen capture operations, download and upload files, execute terminal commands, record audio and log keystrokes.
“Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code,” TAG says.
The flaw was patched in a late September security update.
(Via AppleInsider)