0-day in macOS used to deploy spyware as part of a watering hole campaign against website visitors in Hong Kong
Google’s Threat Analysis Group (TAG) has reported a campaign targeting visitors to pro-democracy and news websites in Hong Kong. The threat actor, which Google assesses is likely state-backed, used two different exploit chains, one for macOS and one for iOS, to install spyware on victims’ devices.
The macOS exploit chain used a WebKit exploit (CVE-2021-1789), patched in January, and an XNU exploit (CVE-2021-30869), patched in September and reported previously.
The iOS exploit chain was encrypted with the IRONSQUIRREL framework, so TAG was unable to analyse it fully, but an exploit for CVE-2019-8506 (patched in iOS 12.2) was observed.
Vulnerable visitors to the websites would have their devices infected with malware capable of the following:
– Recording audio
– Logging keystrokes
– Fingerprinting the device
– Capturing the screen
– Uploading and downloading files
– Running terminal commands
Affected versions
macOS Mojave (10.14) or Catalina (10.15)
iOS < 12.2
Indicators of Compromise
Sandbox escape / LPE
cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8 (2021 sample)
f0b12413c9d291e3b9edd1ed1496af7712184a63c066e1d5b2bb528376d66ebc (2019 sample)
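To put the affected-version list and the two file hashes above to use, here is an added defender-side check (example code, not part of the original bulletin or of Google TAG’s report). It walks a directory, hashes each file with SHA-256 and reports matches against the bulletin’s indicators, and it classifies a `sw_vers -productVersion` string against the affected macOS major.minor versions; the function and variable names are my own.

```python
import hashlib
from pathlib import Path

# SHA-256 hashes of the sandbox-escape / LPE samples listed in the bulletin.
IOC_SHA256 = {
    "cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8": "2021 sample",
    "f0b12413c9d291e3b9edd1ed1496af7712184a63c066e1d5b2bb528376d66ebc": "2019 sample",
}

# macOS major.minor versions the bulletin lists as affected.
AFFECTED_MACOS = {(10, 14), (10, 15)}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root, indicators=IOC_SHA256):
    """Walk `root`; return (path, label) for each file whose SHA-256 is an indicator."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            digest = sha256_of_file(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        if digest in indicators:
            hits.append((str(path), indicators[digest]))
    return hits


def is_affected_macos(product_version):
    """True if a `sw_vers -productVersion` string is Mojave (10.14) or Catalina (10.15)."""
    # Major.minor only: this cannot tell whether a given security update is installed.
    parts = product_version.split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (major, minor) in AFFECTED_MACOS


if __name__ == "__main__":
    import sys
    for path, label in scan_for_iocs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"IOC match ({label}): {path}")
```

A hash match identifies only these exact samples; a version in the affected list means the host should be checked for the relevant security updates, not that it is compromised.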
A watering hole campaign targets a group of victims by compromising a website that those people are known to visit.
The delivery URLs for this campaign reference Amnesty International, a human rights organisation which recently announced the closure of their Hong Kong office, citing security concerns.
Pro-democracy activists in Hong Kong have previously been targeted by the state as they protest against stronger national security laws.
MITRE ATT&CK techniques
T1189 – Drive-by Compromise [watering hole attack]
T1014 – Rootkit
References
Analyzing a watering hole campaign using macOS exploits
About the security content of iOS 14.4 and iPadOS 14.4
About the security content of macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave
About the security content of iOS 12.5.5
About the security content of Security Update 2021-006 Catalina