MacOS Zero-Day Used against Hong Kong Activists
Google researchers discovered a MacOS zero-day exploit being used against Hong Kong activists. It was a “watering hole” attack, which means the malware was hidden in a legitimate website. Users visiting that website would get infected.
From an article:
Google’s researchers were able to trigger the exploits and study them by visiting the websites compromised by the hackers. The sites served both iOS and MacOS exploit chains, but the researchers were only able to retrieve the MacOS one. The zero-day exploit was similar to another in-the-wild vulnerability analyzed by another Google researcher in the past, according to the report.
In addition, the zero-day exploit used in this hacking campaign is “identical” to an exploit previously found by cybersecurity research group Pangu Lab, Huntley said. Pangu Lab’s researchers presented the exploit at a security conference in China in April of this year, a few months before hackers used it against Hong Kong users.
The exploit was discovered in August. Apple patched the vulnerability in September. China is, of course, the obvious suspect, given the victims.
EDITED TO ADD (11/15): Another story.
Clive Robinson • November 12, 2021 11:45 AM
@ Bruce,
Yes but one oddity,
Why use a publicly known vulnarability?
At the very least it is likely to get fairly quickly patched.
But there is also the “bluff, double bluff” aspect.
Using the “zero-day” exploit in the hacking campaign against Hong Kong activists, is shall we say “a little obvious”.
After a few moments thought it will be realised that the exploit was not realy a “zero-day” because of that “security conference in China” where it was presented. So it would have been “Known” to all the major SigInt and other IC entities very very shortly there after if not a little before (or even a lot before).
We know the CIA has “False Flag Operation” tools that can make any malware look like it has come from somewhere else because of the daft way attribution is decided in the US. It is also a fair assumption that all the Super-Powers, all Western, first-world, and quite a few second-world and corporate entities have such tools as well, and just about anyone else who grabed a copy of that CIA tool set and could re-engineer it.
So the code could have come from anywhere.
Which begs a whole bunch of questions, one of which is,
1, Was it a false flag operation that was ment to be found, look like China, thus China gets blaimed / embarrassed.
We know it’s possible like we also know there is a very long que of entities that would gain from such an operation. Nearly all nations around the South China seas where China is extending it’s sphere of influence would be at the front of that que.
But…
2, Was it China giving it’s self “plausable deniability”.
That is use it assuming it will be found but giving themselves lots of finger pointing room…
The fact is that “atribution” without real “boots on the ground” HumInt is at best more miss than hit.
For instance the world mostly saw stuxnet as an attack on Iran, even though there was clear evidence at the time it was aimed at the Far East, especially North Korea. Some identified it as such even before the North Koreans made it abundantly clear they had significant reason to believe they were the target. The various organisations who examined the code all fell into line that it was aimed at Iran. Eventually it came out that yes for the US the target of stuxnet was North Korea. For some of us “no surprises there”.
Speaking of which, the South Korean Olympics. We know that both the NSA and CIA are all over a host nations telecommunications, even if the host nation does not in any way “want such help”. So South Korea would have been effectively “owned by them”, yet a major cyber-attack happened… The US just “knee jerk” attributed it to North Korea, even though North Korea was on the frendliest of terms with South Korea for many years. I guess it realy astounded the Russian’s who had carried out the attacks quite overtly to send a message to the IOA over Russia being baned due to “dopping scandles”…
So it the alledged experts realy can not do attribution so badly, it leaves open so many opportunities for bluff and double bluff etc.
Whilst I would not in the slitest rule China out, I would role quite a few nations in as well, and quite a few of those low life corporations.
In fact, I would not be surprised to hear eventually it was someone like the NSO Group or other Israeli “Cyber-weapons-4-All” shop, or similar backed by UK “seed money” organisation.
As normall we need mor information to evaluate / analyse, which we don’t realy have.