Google's Threat Advisory Group (TAG) has revealed that hackers used compromised websites, a variety of vulnerabilities, and sophisticated malware to gain access to iOS and macOS devices in a campaign that appeared to be loosely targeted at citizens of Hong Kong.
TAG says it "discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group" in August. This kind of attack doesn't typically have a specific target, opting instead to focus on a broad demographic, such as Apple device owners who are curious about the political goings-on in Hong Kong.
The campaign reportedly exploited a zero-day vulnerability (CVE-2021-30869) in macOS Catalina that TAG promptly disclosed to Apple, which released a patch on Sept. 23. TAG says the attack exploited several previously known vulnerabilities in the WebKit rendering engine used by Safari on iOS and macOS, too, which means the security flaws weren't completely novel.
The attackers used this exploit chain to install a backdoor on vulnerable devices that visited the compromised websites. TAG says this backdoor contained modules that could be used to identify compromised devices; record audio, capture the screen, and install a keylogger; download and upload files; and execute terminal commands as the root user.
"Based on our findings," TAG says, "we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code." (It stops just short of attributing the attack to a particular entity, however.)
TAG's blog post includes more details about how it analyzed this campaign along with indicators of compromise that can be used to determine if a device was affected by the attack. The group says it plans to share information "surrounding another, unrelated campaign we discovered using two Chrome 0-days (CVE-2021-37973 and CVE-2021-37976)" sometime "soon."
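The indicators of compromise TAG published are the practical takeaway for defenders: once you have the domains and file hashes, checking whether a fleet was exposed is a matter of matching them against DNS and endpoint telemetry. The script below is an added example, not code from TAG's post or from Google; the indicator values and the log lines are constructed placeholders (note the `.invalid` TLD and the all-zero hash), and the `host=… event=… key=value` log format is an assumption chosen for the example rather than any real product's format. It normalizes domains (case, trailing dot) before matching, which is the kind of detail that otherwise produces false negatives.

```python
"""Match DNS and file-hash telemetry against a list of watering-hole IoCs.

Added example: not TAG's or Google's code. The indicators below are
placeholders; substitute the domains and SHA-256 hashes published in
TAG's blog post. The log format is an assumption made for this example.
"""
import re
from typing import Dict, List

# Placeholder indicators (constructed). Real IoCs come from TAG's post.
IOC_DOMAINS = {"watering-hole-example.invalid", "payload-cdn-example.invalid"}
IOC_SHA256 = {"0" * 64}

# Constructed sample telemetry: one event per line, `timestamp key=value ...`.
SAMPLE_LOG = """\
2021-08-13T10:02:11Z host=mac-01 event=dns query=news-site-example.invalid
2021-08-13T10:02:12Z host=mac-01 event=dns query=watering-hole-example.invalid
2021-08-13T10:03:40Z host=mac-01 event=file path=/tmp/update sha256={zeros}
2021-08-13T10:05:03Z host=mac-02 event=dns query=apple-example.invalid
2021-08-13T10:05:09Z host=mac-02 event=dns query=WATERING-HOLE-EXAMPLE.invalid.
""".format(zeros="0" * 64)

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split `timestamp k=v k=v ...` into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def normalize_domain(name: str) -> str:
    """Lower-case and drop a trailing dot so 'EXAMPLE.invalid.' matches 'example.invalid'."""
    return name.rstrip(".").lower()


def match_iocs(log_text: str,
               ioc_domains=IOC_DOMAINS,
               ioc_hashes=IOC_SHA256) -> List[Dict[str, str]]:
    """Return one hit per log line whose domain or file hash is on the IoC list."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("event") == "dns":
            domain = normalize_domain(ev.get("query", ""))
            if domain in ioc_domains:
                hits.append({"host": ev["host"], "ts": ev["ts"],
                             "type": "domain", "indicator": domain})
        elif ev.get("event") == "file":
            digest = ev.get("sha256", "").lower()
            if digest in ioc_hashes:
                hits.append({"host": ev["host"], "ts": ev["ts"],
                             "type": "sha256", "indicator": digest})
    return hits


def affected_hosts(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct hosts with at least one IoC hit, for triage."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['host']} {h['type']} {h['indicator']}")
    print("affected hosts:", affected_hosts(found))
```

A DNS hit alone shows that a device visited a compromised site, not that the exploit chain succeeded; a file-hash hit on the same host is the stronger signal, so the two indicator types are reported separately for triage.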