UPDATED 13:28 EDT / NOVEMBER 12 2021

SECURITY

Google discovers ‘watering hole’ hacking campaign that used zero-day macOS flaw

Google LLC’s Threat Analysis Group revealed on Thursday that hackers have used a zero-day flaw in Apple Inc.’s macOS operating system to launch cyberattacks.

“In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group,” Google researcher Erye Hernandez wrote in a blog post. “The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.”

A zero-day flaw is a software vulnerability that is unknown to the cybersecurity community and for which there is no readily available patch. The one discovered by Google was used to launch so-called watering hole attacks, or cyberattacks that target users through malicious websites. The cyberattacks were carried out as part of a hacking campaign that targeted not only macOS devices, but also iOS handsets through a separate set of vulnerabilities different from the zero-day macOS flaw. 

“Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code,” Hernandez wrote.

The version of macOS containing the flaw, macOS Catalina, launched in 2019. The subsequent version of Apple’s operating system, the macOS Big Sur release that debuted in 2020, appears to be unaffected by the vulnerability based on Google’s testing, Hernandez wrote. The testing indicated that “Apple added generic protections in Big Sur which rendered this exploit useless.”

According to Google, the cyberattacks used the zero-day macOS flaw in concert with another vulnerability affecting WebKit, the web browser engine that powers Apple’s Safari browser and other popular applications. After bypassing macOS cybersecurity defenses, the malware installed a backdoor. The backdoor includes features that can be used by the hackers to create a unique “fingerprint” of an infected device for malicious purposes, take screenshots, log keystrokes, record audio, download and upload files and run terminal commands to modify software settings.

The watering hole hacking campaign discovered by Google targeted not only macOS machines but also iOS devices. Google’s Threat Analysis Group “was not able to analyze the full iOS exploit chain,” Wired reported, meaning only partial information has been uncovered about how the version of the cyberattack that targeted iOS devices works. But the search giant did uncover the key vulnerability used to launch the cyberattack: Google determined that the vulnerability is in Apple’s Safari browser.

Google reported its discovery to Apple prior to the publication of the blog post in which the cyberattacks were detailed. Apple issued a patch for macOS Catalina to fix the zero-day flaw on Sept. 23. The second vulnerability used in the macOS cyberattacks, which affected the WebKit browser engine, was patched prior to Google’s discovery.
