Google Security Researchers Found macOS Zero-Day


Google Threat Analysis Group (TAG) Found macOS Zero-Day.

Google researchers said they discovered a watering hole attack in late August 2021 that targeted Hong Kong websites associated with media outlets and pro-democracy political groups. The compromised sites installed a previously unseen backdoor on visitors' computers by exploiting a zero-day in the macOS operating system.

It featured the usual suspects of malware designed for eavesdropping on a target, including the ability to capture screen shots, upload files, and run terminal commands. Audio and keystrokes could be logged as well.

Apple patched the bug in macOS Catalina in September 2021 as CVE-2021-30869, a type-confusion issue in the XNU kernel.

“A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild,” Apple said, crediting Google TAG researchers with reporting the flaw.

In its report, Google TAG detailed a highly targeted attack that leveraged both iOS and macOS exploits in order to remotely infect Apple users who visited the compromised sites.

Watering Hole

The websites leveraged for the attacks contained two iframes that served exploits from an attacker-controlled server: one for iOS and the other for macOS.

iOS Exploits
The iOS exploit chain used a framework based on Ironsquirrel to encrypt exploits delivered to the victim’s browser. We did not manage to get a complete iOS chain this time, just a partial one where CVE-2019-8506 was used to get code execution in Safari.

macOS Exploits
The macOS exploits did not use the same framework as iOS ones. The landing page contained a simple HTML page loading two scripts—one for Capstone.js and another for the exploit chain.

Remote Code Execution (RCE)

Loading a page with the WebKit RCE on the latest version of Safari (14.1), we learned the RCE was an n-day since it did not successfully trigger the exploit.

N-day or 0-day?

Before further analyzing how the exploit elevated privileges, we needed to figure out if we were dealing with an N-day or a 0-day vulnerability. An N-day is a known vulnerability with a publicly available patch. Threat actors have used N-days shortly after a patch is released to capitalize on the patching delay of their targets. In contrast, a 0-day is a vulnerability with no available patch which makes it harder to defend against.

Security researcher Patrick Wardle briefly analysed the samples from the report. The following is taken from his write-up.

Now on to the 2021 version, (cf5e…). This binary seems to be directly comparable to the client (recall that was found in the /Resources of the application, and launched via the SafariFlashActivityinstall bash script when the application was launched).

In Google’s report, they note that this binary (cf5e…) was downloaded and executed upon successful exploitation. For purposes of analysis we can simply run it directly from the Terminal.

Doing so results in actions similar to those performed by the (older) client binary, including:

The creation of a directory named Tools in the ~/Library/Preferences/ directory, into which it drops several custom tools (named arch, at, etc.).

Persistence via a Launch Agent (or, if running as root, likely a Launch Daemon) using the com.UserAgent.va.plist file.

As the RunAtLoad key is set to true, the specified binary, /Users/user/Library/Preferences/UserAgent/lib/UserAgent, will be persistently executed by macOS each time the user logs in.
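As an added example that is not part of this article, the Google TAG report or Patrick Wardle's write-up: a Python triage script that parses launchd plists and flags the combination that made this one stand out, RunAtLoad set to true with the program living under ~/Library/Preferences/, a directory that should hold preference files rather than executables. The suspect plist below is a constructed sample modelled on the com.UserAgent.va.plist described above (its exact key layout is an assumption), and a constructed benign agent is included for contrast; scan_launchd walks the real LaunchAgents and LaunchDaemons folders when run on a Mac.

```python
# Added example: launchd persistence triage. Not code from Google TAG or Patrick Wardle.
import os
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample modelled on the com.UserAgent.va.plist described in the text:
# RunAtLoad is true and the program sits under ~/Library/Preferences/.
# The exact keys of the real file are an assumption.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.UserAgent.va</string>
  <key>ProgramArguments</key>
  <array><string>/Users/user/Library/Preferences/UserAgent/lib/UserAgent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign agent for contrast: a periodic shell one-liner, no RunAtLoad.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.cleanup</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string><string>rm -rf ~/Library/Caches/example</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

# Directories from which a legitimate launchd job almost never runs its binary.
ODD_PROGRAM_DIRS = ("/Library/Preferences/", "/Library/Caches/", "/tmp/", "/private/tmp/", "/Users/Shared/")
SYSTEM_LAUNCHD_DIRS = ("/Library/LaunchAgents", "/Library/LaunchDaemons")


def program_of(job: Dict) -> Optional[str]:
    """Executable a launchd job runs: Program takes precedence over ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def assess_job(data: bytes) -> Dict:
    """Parse one plist and record the traits that made com.UserAgent.va stand out."""
    job = plistlib.loads(data)
    prog = program_of(job) or ""
    run_at_load = bool(job.get("RunAtLoad", False))
    keep_alive = bool(job.get("KeepAlive", False))
    odd_location = any(d in prog for d in ODD_PROGRAM_DIRS)
    reasons: List[str] = []
    if run_at_load and odd_location:
        reasons.append("RunAtLoad binary lives in a data/cache directory: " + prog)
    if keep_alive and odd_location:
        reasons.append("KeepAlive restarts the job if it is killed")
    if "/Library/Preferences/" in prog and os.access(prog, os.X_OK):
        reasons.append("executable is present on disk under Preferences")
    return {"label": job.get("Label"), "program": prog, "run_at_load": run_at_load,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_launchd(home: Optional[str] = None) -> List[Dict]:
    """Assess every plist in the user and system launchd folders that exist on this host."""
    home = home or str(Path.home())
    folders = [os.path.join(home, "Library", "LaunchAgents"), *SYSTEM_LAUNCHD_DIRS]
    findings: List[Dict] = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    result = assess_job(fh.read())
            except (plistlib.InvalidFileException, OSError, ValueError) as exc:
                result = {"label": None, "program": "", "run_at_load": False,
                          "suspicious": False, "reasons": ["unreadable: %s" % exc]}
            result["path"] = path
            findings.append(result)
    return findings


if __name__ == "__main__":
    for sample in (SUSPECT_PLIST, BENIGN_PLIST):
        print(assess_job(sample))
    for finding in scan_launchd():
        if finding["suspicious"]:
            print(finding["path"], finding["reasons"])
```

RunAtLoad on its own is common in legitimate agents, so the heuristic only fires when it is paired with a program path in a directory that should not contain executables; binary plists are handled by plistlib transparently, and the /Library/LaunchDaemons pass covers the root-level variant Wardle mentions.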
