Google on Thursday shared details of a recently patched macOS Catalina vulnerability that was exploited in attacks against users visiting the websites of a Hong Kong media outlet and a pro-democracy group.
In late August, Google's Threat Advisory Group (TAG) discovered a watering hole attack that appeared to target people interested in Hong Kong politics, particularly pro-democracy issues. A watering hole attack does not single out individual users; instead it compromises sites the intended audience already visits and serves the exploit to everyone who lands there.
The compromised sites served an exploit for an XNU privilege escalation vulnerability, identified as CVE-2021-30869, which was still unpatched in macOS Catalina at the time. Successful exploitation allowed the installation of a previously unreported backdoor on affected machines.
Once the exploit obtained root access, the payload ran in the background to collect information about the victim's device, capture the screen, download and upload files, execute terminal commands, record audio and log keystrokes.
"Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code," TAG says.
Apple patched the flaw in a security update released in late September.