0-day vulnerability in macOS exploited to attack visitors of Hong Kong news sites
Google analysts discovered that a group of government hackers deployed exploits for a 0-day macOS vulnerability on pro-democracy Hong Kong news sites, installing a backdoor on visitors’ computers.
Google does not attribute the attackers to any particular country, noting only that the group is well resourced and probably state-backed. In essence, the hackers used a watering hole attack technique: they compromised sites their intended victims were likely to visit.
According to Google, the attacks began in August 2021. The exploit chain combined an RCE bug in WebKit (CVE-2021-1789, fixed January 5, 2021) with local privilege escalation in the XNU kernel component (CVE-2021-30869, fixed September 23, 2021).
Interestingly, Apple initially fixed this issue only on devices running macOS Big Sur, back on February 1, 2021. A separate update for devices running macOS Catalina was not released until September 23, 2021. The 234-day gap between the two fixes underlines that attackers can take advantage of vulnerabilities that remain unpatched in some versions of the operating system while already fixed in others.
It is known that in this case the attackers used the exploit chain to gain root access to macOS, and then downloaded and installed previously unknown malware, named MACMA or OSX.CDDS, on victims’ machines. A detailed report on this malware is already available on the blog of the well-known macOS security specialist Patrick Wardle.
The malware reportedly possessed traits typical of backdoors and spyware, namely:
- collected data about the device for its subsequent identification;
- took screenshots;
- worked as a keylogger;
- recorded local audio;
- could download and upload files;
- could execute terminal commands.
In fact, the exploit for the 0-day issue was public: it was presented by the Pangu Lab research group during a talk at zer0con21 in April 2021, as well as at the Mobile Security Conference (MOSEC) in July 2021. It is unclear when experts reported the vulnerability to Apple. It is likely that the company was simply late with the release of the patch, which allowed attackers to carry out their attacks.
Let me remind you that Chinese hackers use a new backdoor to spy on the country’s government from Southeast Asia, and also that Chinese authorities use AI to analyse emotions of Uyghur prisoners.