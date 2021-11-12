



Image: Chris Ratcliffe / Bloomberg via Getty Images

Google researchers have caught hackers exploiting a vulnerability in Apple’s Mac operating system, unknown at the time, to target users in Hong Kong. According to the researchers, the attack bears the hallmarks of government-sponsored hackers.

On Thursday, Google’s Threat Analysis Group (TAG), an elite team of hacker hunters, released a report detailing the hacking campaign. The researchers didn’t go as far as pointing to a particular hacking group or country, but said it was “a well-resourced group, likely backed by a state.”

“We don’t have enough technical evidence to provide attribution, and we don’t speculate about attribution,” Shane Huntley, the head of TAG, told Motherboard by email. “But the nature of the activity and targeting is consistent with government-sponsored actors.”

Google researcher Erye Hernandez, who found and reported on the hacking campaign, wrote that TAG discovered the campaign in late August of this year. The hackers were running a watering hole attack: rather than luring victims to a malicious site, they planted the exploits in the legitimate websites of Hong Kong “media outlets and prominent pro-democracy labor and political groups.” According to Hernandez, users who visited these websites were attacked with an exploit for a vulnerability that was unknown at the time (that is, a zero-day), chained with an exploit for a previously patched macOS vulnerability, in order to install a backdoor on their computers.

According to the report, Apple patched the zero-day used in the campaign in an update pushed on September 23.

Apple didn’t immediately respond to requests for comment.

Google researchers were able to trigger and investigate the exploits by visiting the websites the hackers had compromised. The sites served both iOS and macOS exploit chains, but the researchers were only able to recover the macOS chain. According to the report, the zero-day exploit was similar to another vulnerability that a Google researcher had analyzed in the past.

In addition, the zero-day exploit used in this hacking campaign is “identical” to an exploit previously disclosed by the cybersecurity research group Pangu Lab, Huntley said. Researchers at Pangu Lab presented the exploit at a security conference in China in April of this year, months before the hackers used it against users in Hong Kong.

“It was presented as an exploit targeting Big Sur, but we’ve found it to work on Catalina,” Huntley said. (Google categorized this as a zero-day because it wasn’t patched on Catalina, a supported macOS version at the time.)

Pangu Lab has responded to a request for comment sent via Twitter.

Patrick Wardle, a researcher specializing in Apple products, reviewed Google’s research for Motherboard, and downloaded and analyzed the malware from VirusTotal, Google’s own malware repository.

Wardle, who develops a suite of free, open source security tools for the Mac, said it’s not surprising to see advanced hacking groups using zero-days against Macs. What is interesting in this case, he said, is that the hackers combined a previously known vulnerability (also known as an N-day) with an otherwise unknown vulnerability taken from a conference presentation.

“By leveraging both an N-day and what appears to be a public zero-day, attackers may not need to use their own zero-day to infect remote targets,” Wardle told Motherboard in an online chat.

Wardle found that the malware contained strings written in Chinese, such as one meaning “successful installation,” and that the command and control server it connected to was located in Hong Kong.

A Chinese string contained in the malware analyzed by Wardle. (Image: Patrick Wardle)

“Based on various factors such as the targeting approach and victims (‘Hong Kong website visitors for media outlets, prominent democratic movements and political groups’), the exploitation methods, the C&C server metadata, and indicators extracted from the implants (such as Chinese strings), there is only one plausible answer as to who is behind this: China, or someone who wants to look very similar to China,” Wardle said. “Of course both are possible, but the former is much more likely.”

There have already been cases of government hackers reusing exploits disclosed at security conferences in China.

In 2017, hackers working for Chinese intelligence used exploits demonstrated at a well-known hacking contest to target Uighurs, an oppressed Muslim minority in China, the MIT Technology Review revealed earlier this year.

This latest report by TAG shows that tech and cybersecurity companies are catching an unprecedented number of zero-day attacks in the wild. Apple, Microsoft, and a few others have patched bugs believed to have been exploited in the wild at a higher rate than in recent years. According to recent counts, there have been 80 zero-day attacks this year. To put that number in context, Google, which tracks the use of zero-days, counted only 25 zero-days exploited by hackers before companies patched the bugs last year.

This is not necessarily bad news.

“So why are we seeing more [zero-days] in 2021?” Wardle told Motherboard earlier. “I presume that either insight into and detection capabilities regarding such zero-day use have improved, or simply that their use is actually higher.”

