Spyware exploited unpatched Apple vulnerability via activist websites in Hong Kong

Visitors to well-known Hong Kong democracy and labor rights movement websites were reportedly infected with data malware on their Macs and iPhones for several weeks. A zero-day exploit was used in the XNU kernel. This is reported by Google’s Threat Analysis Group (TAG).

Apple has been slow to respond

The gap is now closed, Apple released on September 23 a special update for macOS Catalina and older versions of iOS for the XNU bug. However, the bugs have reportedly been exploited since at least August 2021, Google’s document on the TAG blog says – if not more.

According to Google, only partial details of the iOS malware are available so far. It has not been possible to identify the complete chain of infection, it is said. Apparently, an older and already fixed Safari bug was used to run the code (CVE-2019-8506). In macOS, however, the TAG was able to find out how the attack worked. It is not known who is behind this – a state actor is suspected.

Full system access

The macOS malware strain is referred to as “MACMA” or “OSX.CDDS”. It sneaks full root access to affected systems and uses a combination of a WebKit bug – but the one already fixed in January 2021 has become (CVE-2021-1789) and declared the XNU vulnerability. Spyware discovered on the devices comes with a backdoor that opens up a lot of opportunities for the attacker. According to Google, this includes taking device fingerprints, taking screenshots, uploading (and uploading) files, running terminal commands, activating an audio bug. (microphone on) and keystroke recording.

According to Google, the malware was distributed through “news media websites” in Hong Kong and a “prominent pro-democracy political group” that also advocates for workers’ rights. The TAG did not reveal what it was exactly. Interestingly, the XNU vulnerability and exploit was reportedly showcased at two security conferences in April and July 2021 – by Chinese jailbreak team Pangu Lab. It also appears to be similar to a previous XNU issue that was discovered by Google Project Zero (CVE-2020-27932) and for which an iOS exploit existed. It’s unclear why Apple didn’t respond to the April and July presentations.

(baccalaureate)