Patched macOS Catalina vulnerability targeted Hong Kong users

In late August, Google's Threat Advisory Group (TAG) discovered a watering hole attack that appeared to target people interested in Hong Kong politics, particularly pro-democracy issues. This particular attack vector does not seek to pinpoint users, but instead relies on techniques to push vulnerabilities to a wider audience.

Impacted sites served an XNU privilege escalation vulnerability, identified as CVE-2021-30869, that was unpatched in macOS Catalina, allowing installation of a previously unreported backdoor on affected machines.

Chains of known iOS and macOS exploits were deployed in the attack. In the case of macOS, the javascript which started the exploit chain checked whether a visiting system was running macOS Mojave or Catalina before ultimately delivering a payload that escaped Safari's sandbox. TAG received a full, non-encrypted exploit chain when visiting the site with Catalina, but only observed a partial exploit when using Mojave.

Once root access was granted, the payload ran in the background to collect information about a victim's device, perform screen capture operations, download and upload files, execute terminal commands, record audio and log keystrokes.

"Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code," TAG says.

Apple patched the flaw in a security update released in late September.