Google researchers caught hackers exploiting then-unknown vulnerabilities in Apple’s Mac operating system to target users in Hong Kong. According to the researchers, the attacks bear the signature of state-sponsored hackers.
On Thursday, Google’s Threat Analysis Group (TAG), the company’s elite team of hackers, published a report detailing the hacking campaign. The researchers didn’t go as far as pointing a finger at any particular hacking group or country, but they said it was “a well-resourced group that is likely to be backed by the state.”
“We don’t have enough technical evidence to make an attribution, and we’re not speculating about attribution,” TAG chief Shane Huntley told Motherboard in an email. “However, the nature of the activity and the targeting are consistent with a government-backed actor.”
Erye Hernandez, the Google researcher who found the hacking campaign and wrote the report, wrote that TAG discovered the campaign at the end of August this year. The hackers ran a watering hole attack, meaning they hid malware on the legitimate websites of “a media company and a prominent pro-democracy labor and political group” in Hong Kong. Users who visited these websites would be hacked with an unknown vulnerability – in other words, a zero-day – and another exploit that, according to Hernandez, took advantage of a previously patched macOS vulnerability and was used to install a backdoor on their computers.
Apple patched the zero-day used in the campaign in an update released on September 23rd, according to the report.
Apple did not immediately respond to a request for comment.
Google researchers were able to trigger and investigate the exploits by visiting the websites compromised by the hackers. The sites served both iOS and macOS exploit chains, but the researchers could only obtain the macOS chain. The zero-day exploit was similar to another in-the-wild vulnerability that another Google researcher analyzed in the past, according to the report.
Additionally, the zero-day exploit used in this hacking campaign is “identical” to an exploit previously found by cybersecurity research group Pangu Lab, Huntley said. The researchers at Pangu Lab presented the exploit at a security conference in China in April this year, a few months before hackers used it against Hong Kong users.
“It was presented as an exploit against Big Sur, but we found it worked for Catalina, too,” said Huntley. (Google classified this as a zero-day because it wasn’t patched in Catalina, which was a supported version of macOS at the time.)
Pangu Lab responded to a request for comment sent on Twitter.
Patrick Wardle, a researcher who specializes in Apple products, reviewed Google’s research for Motherboard and analyzed the malware by downloading it from VirusTotal, a Google-owned malware repository.
Wardle, who develops a suite of free and open source security tools for Mac, said it is not surprising that advanced hacking groups are using Mac zero-days. According to Wardle, what is interesting in this case is that the hackers combined a previously known vulnerability – also known as an N-day – with an unknown one that had been presented at a conference.
“The use of both N-days and an apparently publicly presented zero-day shows that attackers may not need to use their own zero-days to successfully infect remote targets,” Wardle told Motherboard in an online chat.
Wardle found that the software contained Chinese-language strings such as 安装成功 (Installed Successfully) and that the command and control server it connected to was in Hong Kong.
“Based on a variety of factors such as targeting approach and victims (‘Hong Kong website visitors for a media company and a prominent pro-democracy labor and political group’), methods of exploitation, C&C server metadata, and indicators from the implant (like Chinese strings), the only plausible answers as to who is behind it are China or someone who would like to look very similar to the Chinese,” said Wardle. “Although both are of course possible, the former is much more likely.”
There has already been one case where government hackers repurposed exploits presented at a Chinese security conference.
In 2017, hackers working for Chinese intelligence used an exploit presented at a popular hacking competition to target Uyghurs, the oppressed Muslim minority in China, MIT Technology Review revealed earlier this year.
This latest report from TAG shows that technology and cybersecurity companies are once again seeing an unprecedented number of zero-days in the wild. Apple, Microsoft, and a few others are patching bugs believed to be exploited in the wild at a higher rate than in recent years. According to a running count, 80 zero-days have been caught in the wild so far this year. To put that number in context, only 25 zero-days were exploited by hackers last year before companies had a chance to fix the bugs, according to Google, which tracks the use of zero-days.
That’s not necessarily bad news.
“So why are we seeing more [zero-days] in 2021?” Wardle previously told Motherboard. “I would suspect that there are either improved insight and detection capabilities for the use of such zero-days, or that their use is really becoming more prolific.”