Google Caught Hackers Using a Mac Zero-Day Against Hong Kong Users (vice.com)
Google researchers caught hackers targeting users in Hong Kong with an exploit chain that included a then-unknown vulnerability in Apple's macOS. According to the researchers, the attacks have the hallmarks of government-backed hackers. From a report: On Thursday, Google's Threat Analysis Group (TAG), the company's elite team of hacker hunters, published a report detailing the hacking campaign. The researchers didn't go as far as pointing the finger at a specific hacking group or country, but they said it was "a well resourced group, likely state backed."
"We do not have enough technical evidence to provide attribution and we do not speculate about attribution," the head of TAG, Shane Huntley, told Motherboard in an email. "However, the nature of the activity and targeting is consistent with a government backed actor." Erye Hernandez, the Google researcher who found the hacking campaign and authored the report, wrote that TAG discovered the campaign in late August of this year. The hackers had set up a watering hole attack, meaning they hid malware within the legitimate websites of "a media outlet and a prominent pro-democracy labor and political group" in Hong Kong. Users who visited those websites were attacked with a two-part exploit chain: one part used a previously unknown vulnerability -- in other words, a zero-day -- and the other exploited an already-patched macOS vulnerability; the chain was used to install a backdoor on their computers, according to Hernandez.
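A watering hole works by adding attacker-controlled content to a site visitors already trust, so the owner of a compromised site rarely notices anything in the rendered page. One routine check a site operator can run is to pull the served HTML and flag every script or iframe that loads from an origin outside the site's own, or that is hidden from the viewer. The script below is an added example, not code from TAG's report, from Vice, or from the sites involved; the hostnames, the sample page and the first-party allowlist are constructed for illustration.

```python
"""Flag third-party or hidden script/iframe loads in a page's HTML, the
kind of injected content a watering-hole compromise adds to a legitimate
site. Added example; hostnames and HTML are constructed, not taken from
the TAG report."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed first-party origins for a hypothetical site (assumption).
FIRST_PARTY_HOSTS = {"news.example.hk", "static.example.hk"}

# Constructed page: the site's own script plus an injected loader and a
# hidden zero-size iframe, the classic drive-by delivery pattern.
SAMPLE_HTML = """<html><head>
<script src="https://static.example.hk/app.js"></script>
<script src="https://cdn.attacker.example/loader.js"></script>
</head><body>
<h1>Headlines</h1>
<iframe src="/ads/banner.html" width="300" height="250"></iframe>
<iframe src="https://203.0.113.10/x.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""


class _ResourceCollector(HTMLParser):
    """Collects every <script src> and <iframe src> with its attributes."""

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, attrs-dict)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            attrs = {k: (v or "") for k, v in attrs}
            if attrs.get("src"):
                self.resources.append((tag, attrs))


def _is_hidden(attrs):
    """Heuristic: zero-sized or CSS-hidden frames are not meant to be seen."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or attrs.get("width") == "0" or attrs.get("height") == "0")


def find_suspicious_resources(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return findings for script/iframe loads that are off-origin or hidden.

    Relative URLs resolve to the page's own origin and are treated as
    first-party; anything with a host outside the allowlist is flagged.
    """
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.resources:
        src = attrs["src"]
        host = urlparse(src).hostname  # None for relative (same-origin) URLs
        reasons = []
        if host is not None and host not in first_party_hosts:
            reasons.append("third-party origin")
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append({"tag": tag, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resources(SAMPLE_HTML):
        print(f"{f['tag']:6} {f['src']}  ({', '.join(f['reasons'])})")
```

Run it against a copy of the page fetched from a client outside the site's own network, since injected content is often served only to selected visitors; an allowlist kept under version control turns any new third-party origin into a diff worth investigating rather than a judgment call.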
Re: (Score:1)
A 9yo kid can figure out who is most likely hacking them.
Inconceivable! (Score:2)
macOS is supposed to be hackers-proof, a fortress of security!
Seriously though, how are we still getting freaking silent software installation on any operating system via a fucking Web browser in 2021??!
Re: (Score:1)
Because the browser makers willed it so.
Who makes these browsers again? Oh right, Google is king of the W3C hill at the moment, giving us "living standards".
That makes these "elite hacker hunters" about as believable as, oh, Microsoft's antivirus team.
Re: (Score:2)
Probably because it is exploiting a flaw in an underlying system service that the browser happens to call, but it doesn't HAVE to be the browser. Read up on the double-free GIF exploit in Android and realize it could affect any app that displays GIF images or emojis. If a similar flaw were found in a common Mac library then almost any program that uses that service
China (Score:3, Insightful)
The real reason is governments are either investing in discovery of 0-days themselves or purchasing them from security firms. And then there is the cost of doing business in China, where the Chinese government requires that all zero-day vulnerabilities be reported to itself rather than to the respective companies operating there (https://breakingdefense.com/2021/09/chinas-new-data-security-law-will-provide-it-early-notice-of-exploitable-zero-days/). If you can't fund the discovery of new vulnerabilities, just require everyone who lives or operates in China to report them to you. You know... for totally responsible stuff.
Re: (Score:1)
"The DSL’s provisions require all Chinese security researchers, Chinese businesses, and — most notably — foreign companies with a footprint inside China to report any zero-day vulnerability to the Chinese Ministry of Industry and Information Technology (MIIT) within two days of a vulnerability’s discovery. The DSL also prohibits affected entities from “collect[in
Re: (Score:1)
Soft language such as this can allow for any research firm or other to simply perform the required piece, let the government make a choice about whether it truly should be reported