
Hackers Exploit macOS Zero-Day to Hack Hong Kong Users with new Implant
2021-11-14 20:47

Google researchers on Thursday disclosed that they found a watering hole attack in late August exploiting a now-patched zero-day in the macOS operating system and targeting Hong Kong websites related to a media outlet and a prominent pro-democracy labor and political group, in order to deliver a never-before-seen backdoor on compromised machines.

"Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code," Google Threat Analysis Group researcher Erye Hernandez said in a report.

Tracked as CVE-2021-30869, the security shortcoming concerns a type confusion vulnerability affecting the XNU kernel component that could cause a malicious application to execute arbitrary code with the highest privileges.

The attacks observed by TAG involved an exploit chain that strung together CVE-2021-1789, a remote code execution bug in WebKit that was fixed in February 2021, and the aforementioned CVE-2021-30869 to break out of the Safari sandbox, elevate privileges, and download and execute a second stage payload dubbed "MACMA" from a remote server.

The websites, which contained malicious code to serve exploits from an attacker-controlled server, also acted as a watering hole to target iOS users, albeit using a different exploit chain delivered to the victims' browser.

Google TAG said it was only able to recover a part of the infection flow, where a type confusion bug was used to gain code execution in Safari.


News URL

https://thehackernews.com/2021/11/hackers-exploit-macos-zero-day-to-hack.html

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                  RISK
2021-08-24  CVE-2021-30869  Type Confusion vulnerability in Apple products       7.8
            A type confusion issue was addressed with improved state handling.
            Attack vector: local | Complexity: low | Vendor: apple | CWE-843
2021-04-02  CVE-2021-1789   Type Confusion vulnerability in multiple products    8.8
            A type confusion issue was addressed with improved state handling.
            Attack vector: network | Complexity: low | Vendors: apple, fedoraproject, webkitgtk | CWE-843