© 2021 CyberNews - Latest tech news, product reviews, and analyses.


Hackers use macOS zero-day flaw to capture victims’ data - Google

Well-resourced, likely state-sponsored actors are suspected of building the macOS exploit, Google warns. The flaw was probably exploited in the wild for at least three months.

Researchers at Google’s Threat Analysis Group (TAG) reported that hackers targeted visitors to Hong Kong websites belonging to a media outlet and a prominent pro-democracy labor and political group.

TAG classifies the campaign as a watering hole attack: rather than approaching the targets directly, the attackers compromised websites that a specific group of users was known to visit and served the exploit to whoever landed there.

The chain exploited an XNU privilege escalation vulnerability (CVE-2021-30869) that was still unpatched in macOS Catalina at the time. Apple fixed the bug after TAG reported it to the company.

According to Erye Hernandez, author of TAG’s blog post on the campaign, the compromised websites contained two iframes that served exploits from an attacker-controlled server, one for iOS and one for macOS.

While the iOS exploits were delivered through a framework based on Ironsquirrel, which encrypts the exploit before it reaches the victim’s browser, the macOS exploits took a different path.

The macOS landing page was a simple HTML page that loaded two scripts: one for Capstone.js, a JavaScript port of the Capstone disassembly engine, and another for the exploit chain. The JavaScript that starts the chain checked which version of macOS the visitor was running and only targeted users on Catalina.
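The version gate described above, as an added illustration that is not the landing-page script TAG analysed: a loader reads the macOS version the browser advertises in its user-agent string and only takes the Catalina path. The function names, the decision labels and the sample user agents are all assumptions constructed for this example. It also shows the caveat a practitioner would want: Safari reports "Mac OS X 10_15_7" on Catalina and freezes the string at that value on Big Sur and later, so a user-agent check alone cannot reliably separate Catalina from newer releases.

```javascript
// Added example of user-agent based OS-version gating in a watering-hole
// loader. Not the campaign's code; names and samples are assumptions.

// Matches "Mac OS X 10_15_7" or "Mac OS X 10.15.7". The iPhone UA contains
// "like Mac OS X)" with no digits after it, so it does not match here.
const MAC_OS_RE = /Mac OS X (\d+)[_.](\d+)(?:[_.](\d+))?/;

// Returns {major, minor, patch} or null when no macOS version is present.
function parseMacOsVersion(userAgent) {
  const m = MAC_OS_RE.exec(userAgent);
  if (!m) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: m[3] ? Number(m[3]) : 0,
  };
}

// Catalina is 10.15.x. Caveat: Safari on Big Sur and later also reports
// 10_15_7, so "claims Catalina" is the strongest statement the UA supports.
function claimsCatalina(userAgent) {
  const v = parseMacOsVersion(userAgent);
  return v !== null && v.major === 10 && v.minor === 15;
}

// Hypothetical loader decision: which delivery path a landing page takes.
function selectPath(userAgent) {
  if (/iPhone|iPad/.test(userAgent)) return "ios";
  if (claimsCatalina(userAgent)) return "macos-catalina";
  return "none";
}

// Constructed sample user agents (not captured from the campaign).
const SAMPLES = {
  catalinaSafari:
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 " +
    "(KHTML, like Gecko) Version/14.1.2 Safari/605.1.15",
  mojaveSafari:
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 " +
    "(KHTML, like Gecko) Version/13.1.2 Safari/605.1.15",
  iphone:
    "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 " +
    "(KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1",
  windows:
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
    "(KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, ua] of Object.entries(SAMPLES)) {
    console.log(name, "->", selectPath(ua));
  }
}
```

From the defender's side the same logic is the detection opportunity: a page that loads a disassembler library and branches on the visitor's OS version before injecting an external iframe has no benign reason to do so, and the frozen Safari version string means such a gate will also fire on up-to-date Macs, which is one more reason not to assume a patched system was out of scope.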

“Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code,” Hernandez wrote.

According to the research, the backdoor delivered by the exploit chain could capture victims’ keystrokes, fingerprint the device, take screenshots, download files, record audio, and execute terminal commands.

“The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2,” Hernandez wrote.

