Google warns about Mac zero-day flaw used against Hong Kong users already

Threat actors exploited a Mac vulnerability for the past three months to collect keystrokes and screenshots

Image caption: Google caught a macOS zero-day bug. The zero-day vulnerability was used in iOS and macOS spying attacks.

Hackers exploited a zero-day vulnerability in macOS to attack Hong Kong users.[1] Google warns[2] users about the newly found flaw, which was used in late August in attacks on visitors to websites related to a media outlet and a pro-democracy labor and political group. The backdoor dropped on vulnerable machines gathered keystrokes, screen captures and other data. The choice of targets and techniques supports the assessment that this is the work of a state-sponsored engineering team, as the report by Erye Hernandez states:

Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.

The watering hole campaign exploiting the macOS flaw was reported by Google's Threat Analysis Group, which stated that the hackers targeted website visitors in Hong Kong. The flaw was previously undisclosed and allowed the attackers to spy on people. The bug got patched[3] last month, after the researchers found the CVE-2021-30869 vulnerability and reported it.

iOS and macOS exploits leading to remote code execution

The watering hole attack leveraged exploits for both iOS and macOS. The attackers used a framework that encrypted the exploits delivered to the targeted browser. On iOS, code execution could be launched through the Safari browser. The macOS exploits used a landing page consisting of an HTML page that loaded two scripts. The exploit chain combined a WebKit remote code execution bug with a second stage.

The attack then served an XNU privilege escalation flaw, an issue still unpatched in macOS Catalina at the time, which resulted in the installation of a spyware backdoor.[4] This previously disclosed vulnerability allowed the hackers to gain elevated privileges and access the targeted device. Once root access is gained, attackers can download any malware and run processes in the background of the infected machine.

The malware analysis shows extensive software engineering work, and the backdoor was built to spy on its targets. The payload was designed to gather device fingerprints, take screen captures, upload and download files, and execute various terminal commands. Recording audio and logging keystrokes are also part of its functionality. Google is not naming the website or the particular group, but the engineering team is believed to be state-backed because of the targeted media and political groups.

Recently patched Microsoft bug in Excel can still affect Mac users

In other zero-day flaw news, Microsoft recently patched a vulnerability in Excel that was being used in attacks. However, macOS users are asked to wait for their updates.[5] The bug was disclosed as a remote code execution flaw exploited by unauthenticated attackers. The reports stated that, for a successful attack, hackers would need the targeted users to fully open the crafted Excel files, not just click or select them.

Security updates for systems running Microsoft 365 Apps for Enterprise and the Windows versions of MS Office and Excel were released after the report. Mac OS did not receive any patches for the same exploitable vulnerability, so Mac users were informed that the wait for a patch is not yet determined. The updates should be released as soon as possible, but patches are not immediately available for the CVE-2021-42292 flaw on Mac devices. Keep yourself safe by staying away from unfamiliar emails and file attachments in the form of MS documents such as Word or Excel files.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
