Suspected gov hackers behind 'watering hole' attacks in Hong Kong

By

Well-resourced group drops payload with quality code.

Google's Threat Analysis Group (TAG) has discovered "watering hole" attacks with malware deployed onto Hong Kong websites, including a media outlet and a prominent pro-democracy and political group.

Suspected gov hackers behind 'watering hole' attacks in Hong Kong

The malware was found in August this year and TAG found a root superuser privilege escalation exploit for the macOS Catalina operating system XNU kernel, which would attempt to download and install a backdoor on targets' computers.

Only Intel-based Macs running macOS Catalina were served a full exploit chain; later macOS versions such as Big Sur caused the exploit to crash due to Apple's generic security protections.

The code for the exploit is advanced, and highly obfuscated to make analysis more difficult.

"We believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code," Erye Hernandez from Google TAG wrote.

Google TAG did not directly attribute the attacks to a particular country or hacking group.

TAG said Apple's mobile iOS operating system was also targeted by the attackers, using the Ironsquirrel framework to deliver encrypted exploits to victims' browsers, a different tactic compared to macOS.

However, TAG was not able to capture a complete iOS exploit chain, only a partial one in which a bug from 2019 was used for remote code execution in the Safari web browser.

Among the features in the backdoor were victim device fingerprinting, screen capture, file transfers, terminal command execution, audio recording and keystroke logging.

Apple patched the vulnerability in September this year.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound

Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

The Northern Beaches Women's Shelter hones focus on tech-enabled abuse

The Northern Beaches Women's Shelter hones focus on tech-enabled abuse

Log In

  |  Forgot your password?