The investigation started in November after Google TAG published a blogpost about watering-hole attacks targeting macOS users in Hong Kong.
Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited a XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina
The watering hole campaign targeted websites of a media outlet and important pro-democracy labor and political group. The researchers discovered that attackers deployed on the sites hosted two iframes that were used to serve iOS and macOS exploits to the visitors.
The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group.
ESET also attributed the attacks to an actor with strong technical capabilities. According to Felix AimĂ© from SEKOIA.IO, one of the sites used by threat actors in the attacks was a fake website targeting Hong Kong activists.Â
Researchers also found the legitimate website of Hong Kong, pro-democracy radio station D100 that was compromised to distribute the same exploit before the Google TAG report.
“The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely. It’s interesting to note that some code, which suggests the vulnerability could also have been exploited on iOS and even on PAC-enabled (Pointer Authentication Code) devices such as the iPhone XS and newer, has been commented out” reads the analysis published by ESET.
Case study: Watering hole attacks