Since at least late August, sophisticated hackers have used vulnerabilities in macOS and iOS to install malware on Apple devices that visited Hong Kong pro-democracy news and political websites. So-called watering hole attacks cast a wide net, indiscriminately placing a backdoor on any iPhone or Mac unfortunate enough to visit one of the compromised pages.
Apple has patched the various bugs that enabled the campaign to spread. But Thursday's report from Google's Threat Analysis Group shows how aggressive the attackers were and how broad their reach could be. It is another case of previously undisclosed vulnerabilities, or zero-days, being exploited in the wild. Rather than mounting a targeted attack focused on high-value individuals such as journalists and dissidents, the suspected state-backed group went for mass scale.
The recent attacks focused in particular on compromising Hong Kong sites belonging to "a prominent pro-democracy media group and a labor and political group," according to the TAG report. It is unclear how the hackers compromised those sites in the first place. But once installed on a victim's device, the malware they distributed runs in the background as a backdoor and can download files or exfiltrate data, capture the screen, log keystrokes, record audio, and execute other commands. It also "fingerprinted" each victim's device to identify it.
The iOS and macOS attacks took different approaches, but both chained several vulnerabilities together so that the attackers could take control of a victim's device and install their malware. TAG was not able to recover the full iOS exploit chain, but it did identify the main Safari vulnerability the hackers used to launch the attack. The macOS version combined a WebKit vulnerability with a kernel bug. All of the bugs were patched by Apple over the course of 2021, and the macOS exploit used in the attack had previously been presented in conference talks in April and July by Pangu Lab, meaning the attackers were able to weaponize publicly documented research against devices that had not yet been updated.
The researchers say the malware delivered to targets through the watering hole was carefully crafted and "appears to be the product of extensive software engineering." It had a modular design, so that different components could be deployed at different times in a multi-stage attack.
State-backed Chinese hackers have been known to use large numbers of zero-day exploits in watering hole attacks, including campaigns targeting Uyghurs. In 2019, Google's Project Zero disclosed one such campaign that had lasted more than two years and was one of the first public examples of iOS zero-days being used in attacks on a broad population rather than on specific individual targets. The technique has been used by other actors as well. Shane Huntley, director of Google TAG, says the team isn't speculating on attribution and didn't have enough technical evidence in this case to specifically attribute the attacks. He added only that "the activity and targeting correspond to a government-backed entity."
"I think it's remarkable that we are still seeing these attacks and that the number of zero-days being found in the wild is increasing," Huntley says. "Increasing our detection of zero-day exploits is a good thing – it allows us to fix these exploits and protect users, and it gives us a fuller picture of the exploitation actually taking place so we can make informed decisions about how to prevent and fight it."
Apple devices have long had a reputation for strong security and fewer malware problems, but that perception has shifted as attackers discover and exploit more and more zero-day vulnerabilities in iPhones and Macs. As wide-aperture attacks have now shown many times, attackers are not only pursuing specific, high-value targets but are also ready to go after the masses, no matter what device they own.