Watering hole attacks enabled hackers to target iPhone and Mac users in Hong Kong

A zero-day bug in macOS Catalina allowed threat actors to install backdoors on Apple devices

Google's Threat Advisory Group (TAG) has disclosed details of a massive cyber-espionage campaign which exploited multiple vulnerabilities, including a zero-day, in iOS and macOS to target people interested in Hong Kong politics, particularly pro-democracy issues.

The researchers said they discovered watering hole attacks in August which used an exploit chain to install malware on vulnerable iOS and macOS devices visiting compromised websites of a Hong Kong media outlet and a prominent pro-democracy group.

The security vulnerabilities exploited included a zero-day privilege-escalation bug (CVE-2021-30869) in macOS Catalina. This bug affected the XNU kernel component and enabled a malicious application to execute arbitrary code with the highest privileges.

TAG promptly disclosed the bug to Apple, which released a fix for it on 23 September.

Watering hole attacks typically don't have a specific target and instead focus on a broad demographic, such as iPhone or Mac users curious to know about political campaigns going on in Hong Kong.

The researchers said it is unclear how the threat actors compromised the websites of the Hong Kong media outlet and the pro-democracy group to begin with. But once installed on victim devices, the backdoor used by the attackers could identify compromised devices, capture the screen, record audio, install a keylogger, upload or download files, and run terminal commands as the root user.

While the iOS and macOS attacks had different approaches, both chained multiple flaws together to enable attackers to take control of victim devices and install their malware.

The macOS exploit chain involved an RCE bug in WebKit (CVE-2021-1789) and a kernel vulnerability, while the iOS version exploited a key Safari flaw (CVE-2019-8506) to launch the attack. All the bugs were addressed by Apple throughout 2021.

Based on the quality of the payload code, the researchers believe the campaign was run by a well-resourced threat group, likely a state-backed actor, with access to its own software engineering team.

In recent years, Chinese state-backed threat groups have been known to use many zero-days in watering hole attacks, including campaigns to target Uighurs.

In May, researchers at cybersecurity firms Check Point and Kaspersky said that Chinese-speaking hackers were targeting Uighur Muslims with fake United Nations reports and phony support organisations.

"We believe that these cyber-attacks are motivated by espionage, with the endgame of the operation being the installation of a back door into the computers of high-profile targets in the Uyghur community," said Lotem Finkelstein, head of threat intelligence at Check Point.

"The attacks are designed to fingerprint infected devices, including all of [their] running programs. From what we can tell, these attacks are ongoing, and new infrastructure is being created for what look like future attacks."

In March, an investigation by Facebook security staff found that Chinese hackers were targeting Uighur activists and journalists living in the United States in an attempt to spy on them.

Last year, researchers from cybersecurity firm Malwarebytes said they had noticed Chinese hackers launching new attacks to hit targets in Hong Kong.