
Recently Patched macOS Catalina Vulnerability Targeted Hong Kong Users

Google has shared details of a recently patched macOS Catalina zero-day vulnerability that allowed watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.

In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.

Impacted sites served an XNU privilege escalation vulnerability, identified as CVE-2021-30869, that was unpatched in macOS Catalina, allowing installation of a previously unreported backdoor on affected machines.

As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks.

Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.

iOS Exploits

The iOS exploit chain used a framework based on Ironsquirrel to encrypt exploits delivered to the victim’s browser. We did not manage to get a complete iOS chain this time, just a partial one where CVE-2019-8506 was used to get code execution in Safari.

macOS Exploits

The macOS exploits did not use the same framework as iOS ones. The landing page contained a simple HTML page loading two scripts—one for Capstone.js and another for the exploit chain.

Once root access was obtained, the payload ran in the background, collecting information about the victim's device, capturing the screen, downloading and uploading files, executing terminal commands, recording audio, and logging keystrokes.

“Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code,” TAG says.

The flaw was patched in a late September security update.

(Via AppleInsider)