Google Security

Google Caught Hackers Using a Mac Zero-Day Against Hong Kong Users (vice.com)

Google researchers caught hackers targeting users in Hong Kong exploiting what were at the time unknown vulnerabilities in Apple's Mac operating system. According to the researchers, the attacks have the hallmarks of government-backed hackers. From a report: On Thursday, Google's Threat Analysis Group (TAG), the company's elite team of hacker hunters, published a report detailing the hacking campaign. The researchers didn't go as far as pointing the finger at a specific hacking group or country, but they said it was "a well resourced group, likely state backed."

"We do not have enough technical evidence to provide attribution and we do not speculate about attribution," the head of TAG Shane Huntley told Motherboard in an email. "However, the nature of the activity and targeting is consistent with a government backed actor." Erye Hernandez, the Google researcher who found the hacking campaign and authored the report, wrote that TAG discovered the campaign in late August of this year. The hackers had set up a watering hole attack, meaning they hid malware within the legitimate websites of "a media outlet and a prominent pro-democracy labor and political group" in Hong Kong. Users who visited those websites would get hacked with an unknown vulnerability -- in other words, a zero-day -- and another exploit that took advantage of a previously patched vulnerability for MacOS that was used to install a backdoor on their computers, according to Hernandez.

  • macOS is supposed to be hacker-proof, a fortress of security!

    Seriously though, how are we still getting freaking silent software installation on any operating system via a fucking Web browser in 2021??!

    • by Anonymous Coward

      Because the browser makers willed it so.

      Who makes these browsers again? Oh right, Google is king of the W3C hill at the moment, giving us "living standards".

      That makes these "elite hacker hunters" about as believable as, oh, Microsoft's antivirus team.

    • Seriously though, how are we still getting freaking silent software installation on any operating system via a fucking Web browser in 2021??!

      Probably because it is exploiting a flaw in an underlying system service that the browser happens to call, but it doesn't HAVE to be the browser. Read up on the double-free GIF exploit in Android and realize it could affect any app that displays GIF images or emojis. If a similar flaw were found in a common Mac library, then almost any program that uses that service

  • China (Score:3, Insightful)

    by saywhat99 ( 8871297 ) on Thursday November 11, 2021 @05:53PM (#61979727)
    There is a lot packed into this article. Notably, it was a chain of CVEs (with released patches) that eventually led to a 0-day regarding root escalation. TAG tested the patched version of WebKit against this and verified the attack was unable to begin, thus eliminating the 0-day aspect. All the while likely being a government-sponsored entity, given the sophistication of delivery, root escalation, and command and control. It even goes on to question why 0-days are becoming more and more exploited in the wild year over year, but stops shy of actually answering that question.

    The real reason is governments are either investing in discovery of 0-days themselves or purchasing them from security firms. And then there is the cost of doing business in China, where the Chinese government requires that all zero-day vulnerabilities be reported to itself rather than to the respective companies operating there (https://breakingdefense.com/2021/09/chinas-new-data-security-law-will-provide-it-early-notice-of-exploitable-zero-days/). If you can't fund the discovery of new vulnerabilities, just require everyone who lives or operates in China to report them to you. You know... for totally responsible stuff.
