Apple fixed a zero-day vulnerability in September after being notified that attackers had used the security issue in macOS Catalina — along with a previously known vulnerability — to compromise visitors to the website of a “prominent pro-democracy group” and a media outlet in Hong Kong, Google said in an analysis of the attack published on Nov. 11.
Google’s Threat Analysis Group (TAG) detected the attack in late August 2021, which used two iframes — website elements that load code from a different server — to serve exploits to computers running macOS and devices running iOS. Watering-hole campaigns compromise legitimate sites that are known to attract specific classes of users, in hopes of infecting the computers of intended victims.
Google’s TAG did not attribute the attack, but the characteristics of the attack suggest a strong link to China.
“Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code,” Erye Hernandez, a security engineer with Google’s Threat Analysis Group (TAG), stated in the blog post.
Watering-hole attacks are a favored technique of China’s cyber-espionage operations. In 2015, an attack with links to China compromised the website of a well-known aerospace firm in an attempt to infect visitors with a common Trojan horse program. In 2018, an attack linked to the Chinese group Emissary Panda infected one Asian country’s data center in an attempt to “gain access to a wide range of government resources.” In 2020, another malware distribution campaign, which security firm Kaspersky dubbed Holy Water, co-opted legitimate websites to infect members of certain Asian religious and ethnic groups.
“A watering hole is a targeted attack strategy in which cyber criminals compromise websites that are considered to be fertile ground for potential victims, and wait for the planted malware to end up on their computers,” Kaspersky researchers stated. “In order to be exposed to the malware, a user needs to simply visit a compromised website, which makes this type of attack easy to spread and thus more dangerous.”
The latest attack used a type confusion issue in the XNU kernel (CVE-2021-30869), which powers the Darwin operating system that underlies Apple’s macOS. Apple fixed the flaw on Sept. 23, saying, “A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild.”
The attackers combined the exploit with another issue that allowed remote compromises via WebKit, which is the foundation of the Safari browser. The maintainers of WebKit fixed that issue in January.
A successful compromise leads to the download of an obfuscated binary that, when decrypted, installs a backdoor as a payload. The backdoor uses a publish-subscribe mechanism for communicating with the command-and-control server and has a modular architecture, which includes code to capture keystrokes. In addition, the backdoor fingerprints the victim’s device, can take screenshots, download and upload files, run terminal commands, and record audio.
“The payload seems to be a product of extensive software engineering,” Hernandez wrote in the Google TAG blog post. “There are also other functionalities built-in to the components, which were not directly accessed from the binaries included in the payload but may be used by additional stages which can be downloaded onto the victim’s machine.”
Flaw Isolated to Intel-based Machines Running Catalina
The zero-day vulnerability only affects Intel-based computers running the 2-year-old macOS Catalina operating system that have still not been patched. MacOS Catalina launched in September 2019 and was replaced by macOS Big Sur in September 2020 and macOS Monterey in September 2021. However, a significant number of Mac systems apparently continue to run the older operating system. In October 2021, about 11% of systems encountered by major websites ran macOS, and about half of those ran Catalina (macOS 10.15), according to data from NetMarketShare.
Watering-hole attacks highlight the need for quick patching — not just on behalf of individual users, but also by website administrators. In the past, vulnerable Web servers have been the targets of mass exploitation, including, for example, the compromise of more than a million WordPress sites by a group that later used the servers for distributed denial-of-service attacks.