[TheRecord] macOS zero-day deployed via Hong Kong pro-democracy news sites

A suspected state-sponsored threat actor has used Hong Kong pro-democracy news sites to deploy a macOS zero-day exploit chain that installed a backdoor on visitors’ computers.

The attacks have been taking place since at least August 2021. The exploit chain combined a remote code execution bug in WebKit (CVE-2021-1789, patched on Jan 5, 2021) with a local privilege escalation in the XNU kernel component (CVE-2021-30869, later patched on Sept 23, 2021). The attackers used the exploit chain to gain root access to the macOS operating system and download and install a malware strain named MACMA or OSX.CDDS.

This never-before-seen malware contained features specific to both backdoor and spyware strains and gave attackers the ability to:

- Fingerprint devices for later identification
- Take screenshots of the screen
- Log keystrokes
- Record local audio
- Download or upload files
- Execute terminal commands

The attacks using this macOS zero-day were first detected by the Google Threat Analysis Group, which reported the zero-day vulnerability to Apple to have it patched.

The Google team has released a report today detailing what they saw in the attacks. Other details from the report include:

- iOS users were also targeted, but using a different exploit chain which Google TAG wasn’t able to recover in full.
- The zero-day exploit was actually public, having been presented by the Pangu Lab research team in a talk at zer0con21 in April 2021 and at the Mobile Security Conference (MOSEC) in July 2021, before being used in attacks in August.
- It’s unclear if Pangu Lab reported the vulnerability to Apple or if Apple was tardy in patching the bug, as usual, allowing the threat actors to mount their attacks based on the public information.
- Google TAG described the threat actor behind the attacks as a “well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.”
- Google did not attribute the attacks to any country nor to any threat actor they saw in previous operations.

Besides Google’s report, macOS security researcher Patrick Wardle has also published an independent analysis of the MACMA (OSX.CDDS) malware on his blog, going into details beyond Google’s short analysis.

The post macOS zero-day deployed via Hong Kong pro-democracy news sites appeared first on The Record by Recorded Future.
