Google Details Active Campaign Abusing Now-Patched macOS Zero-Day

Researchers working with Google's Threat Analysis Group reported a targeted malicious campaign that compromised several Hong Kong websites and attacked their visitors through a zero-day vulnerability in macOS.

The good news is that the bug has now been patched by Apple. The flaw is tracked as CVE-2021-30869 and was assigned a severity score of 7.8.

The Google team reported the bug to Apple, which fixed it in a September 2021 macOS update for the Catalina version of the operating system. In its advisory, Apple said that the flaw allowed malicious applications to "execute arbitrary code with kernel privileges". The entry for the bug in the National Vulnerability Database describes it as a "type confusion".

Now that enough time has passed since the flaw was patched, Google's researchers have revealed additional information about the attack.

The attack relied on inserting two browser iframes into a web page, one designed to work on iOS and the other on macOS. Both frames pulled exploits from a server operated by the actors behind the attacks.

After analyzing the payload and finding it highly sophisticated, Google also stated that it was likely the work of a very highly skilled, probably state-backed group.

The threat actors combined the vulnerability with an exploit, which together allowed them to gain elevated privileges and eventually gave them root access on the victim's Mac.

Once root access was obtained, the attackers would quietly download and deploy the final payload, which would sit undetected on the victim's system and spy on the user's activity.

The published research did not name the websites targeted in the attack, but it did mention that among them were a political group and a media outlet in Hong Kong.

November 12, 2021