IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google warns of data-stealing macOS bug

Hackers exploited the flaw to target a Hong Kong media outlet's website and pro-democracy labor and political group

Google has revealed more details relating to a macOS bug that it saw used in the wild against visitors to Hong Kong media websites. 

The search giant's Threat Analysis Group (TAG) identified a watering hole attack against a media outlet's website and pro-democracy labor and political group, said Google TAG researcher Eyre Hernandez in a blog post detailing the exploit. 

The watering hole attack, in which the exploit infected visitors to the website, targeted iOS and macOS devices, the company said. These used two different attack frameworks. 

The macOS attack used vulnerability CVE-2021-30869, which was unpatched at the time and installed a previously unreported backdoor on Mac systems. It targeted Intel-based Macs running the Catalina version of its operating system, but Apple's latest Big Sur version features generic protections, rendering the exploit useless. 

The code was sophisticated, using obfuscation techniques that forced the TAG researchers to write a script that decoded it. 

The attack broke out of Safari's sandbox security mechanism and ran as root, giving it full system access. It then downloaded a payload, which Hernandez called "a product of extensive software engineering," using a publish-and-subscribe service to download different attack modules. 

Related Resource

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Prevent fraud and phishing attacks with DMARC - whitepaper from MimecastFree download

The module TAG team saw captured user keystrokes. Other features included fingerprinting the device, capturing screenshots, and recording audio from the Mac. It also executed commands in the terminal and downloaded or uploaded files from the victim's machine. 

"Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code," Hernandez said. 

TAG reported the vulnerability to Apple, which patched it in Catalina on September 23. However, TAG believes the exploit triggered over 200 infections when it found the attack. 

Big tech companies have stopped processing data requests on users from Hong Kong following fears over human rights abuses and spying from China. Facebook also cancelled an undersea cable there in March. 

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022
How do you become an ethical hacker?
ethical hacking

How do you become an ethical hacker?

29 Apr 2022
What is phishing?
phishing

What is phishing?

29 Apr 2022

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
How full-stack observability can accelerate IT innovation
Sponsored

How full-stack observability can accelerate IT innovation

3 May 2022