Google’s Threat Analysis Group (TAG) has reported a campaign targeting visitors to pro-democracy and news websites in Hong Kong. The threat actor, which Google assesses is likely state-backed, used two different exploit chains targeting macOS and iOS to install spyware on victims’ devices.
Vulnerable visitors to these websites would have their devices infected with malware capable of the following:
– Recording audio
– Logging keystrokes
– Fingerprinting the device
– Capturing the screen
– Uploading and downloading files
– Running terminal commands
Targeted platforms and versions:
macOS Mojave (10.14) or Catalina (10.15)
iOS < 12.2
Indicators of Compromise
Sandbox escape / LPE
cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8 (2021 sample)
f0b12413c9d291e3b9edd1ed1496af7712184a63c066e1d5b2bb528376d66ebc (2019 sample)
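The check a responder would actually run with the two hashes above, as an added example that is not code from the original report or from Google TAG: a small Python sweep that hashes files on disk and flags any whose SHA-256 matches a listed indicator. The directories it starts from and the sample file names are assumptions.

```python
"""Offline IoC sweep for the Hong Kong watering-hole campaign described above.
Added example, not code from the original report or from Google TAG: hashes every
regular file under a directory with SHA-256 and reports any file whose digest is
one of the two sandbox-escape / LPE sample hashes quoted on the page.
SUSPECT_DIRS and the sample file names are assumptions for illustration.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# The two hashes quoted on the page (64 hex characters, i.e. 256-bit digests).
CAMPAIGN_IOCS: Dict[str, str] = {
    "cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8": "2021 sample",
    "f0b12413c9d291e3b9edd1ed1496af7712184a63c066e1d5b2bb528376d66ebc": "2019 sample",
}

def sha256_of(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Walk `root`; return (path, label) for each file whose SHA-256 is in `iocs`.
    Symlinks are not followed and unreadable files are skipped rather than
    aborting, because a partial result is still useful during triage.
    """
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_of(path)
            except OSError:
                continue
            label = iocs.get(digest.lower())
            if label is not None:
                hits.append((path, label))
    return hits

if __name__ == "__main__":
    SUSPECT_DIRS = [os.path.expanduser("~/Downloads"), "/tmp"]  # assumed start points
    for directory in filter(os.path.isdir, SUSPECT_DIRS):
        for path, label in scan(directory, CAMPAIGN_IOCS):
            print(f"MATCH {label}: {path}")
```

A match on either hash only shows that a known sample is on disk; absence of a match says nothing about modified builds, so treat the sweep as one triage signal alongside the affected-version check.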
A watering hole campaign targets a group of victims by compromising a website that those people are known to visit, rather than attacking the victims directly.
The delivery URLs for this campaign reference Amnesty International, a human rights organisation that recently announced the closure of its Hong Kong office, citing security concerns.
Pro-democracy activists in Hong Kong have previously been targeted by the state as they protest against stronger national security laws.
MITRE ATT&CK techniques:
T1189 – Drive-by Compromise [watering hole attack]
T1014 – Rootkit