Google has revealed that hackers targeting visitors to websites in Hong Kong were using a previously undisclosed zero-day flaw in macOS to spy on people.
Google’s Threat Advisory Group (TAG) has revealed that the hackers used compromised websites, a variety of vulnerabilities, and sophisticated malware to gain access to iOS and macOS devices in a campaign that appeared to be loosely targeted at citizens of Hong Kong.
TAG says it “discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group” in August. This kind of attack doesn’t typically have a specific target, opting instead to focus on a broad demographic, such as Apple device owners who are curious about the political goings-on in Hong Kong.
“Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code,” Google TAG researcher Erye Hernandez said.
The backdoor enabled the attackers to record audio, execute terminal commands, download and upload files, log keystrokes, capture the screen, and fingerprint the victim’s device.
TAG said Apple’s mobile iOS operating system was also targeted by the attackers, who used the Ironsquirrel framework to deliver encrypted exploits to victims’ browsers, a different tactic from the one used against macOS.
However, TAG was not able to capture a complete iOS exploit chain, only a partial one in which a bug from 2019 was used for remote code execution in the Safari web browser.
The hackers relied on a previously known vulnerability in macOS Catalina to set up the backdoor, Google said. Apple patched the zero-day flaw on September 23.