Jan 25 2022

Sophisticated attackers used DazzleSpy macOS backdoor in watering hole attacks

Category: Backdoor | DISC @ 9:59 am

ESET's investigation started in November 2021, after Google TAG published a blog post about watering-hole attacks targeting macOS users in Hong Kong.

Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited an XNU privilege escalation vulnerability (CVE-2021-30869) that was still unpatched in macOS Catalina at the time.

The watering hole campaign targeted the websites of a media outlet and of a prominent pro-democracy labor and political group. The researchers found that the compromised sites hosted two iframes that served iOS and macOS exploits to visitors.
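Injected iframes of this kind are the artifact a site owner or incident responder would look for in the page source of a suspected watering hole: a frame the site never published, pointing at a host the site does not control, usually sized to zero or positioned off-screen so visitors never see it. The following scanner is an added example written for this page; it is not code from the original post, ESET or Google TAG. The sample HTML, the hostnames (`news.example.org`, `cdn-update.example.net`) and the paths in it are constructed for illustration and are not the real sites or exploit servers from the Hong Kong campaign.

```python
"""Flag iframes in a page that are off-origin and/or hidden.

Added example for illustration only. The sample page and hostnames below are
constructed; they are not the real compromised sites or exploit hosts.
"""

from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments (after whitespace removal) that take a frame out of view.
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "left:-", "top:-")


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag names
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 pixels ("0", "1", "0px")."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:  # e.g. "100%" or empty string
        return False


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
        return True
    return _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", ""))


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons...])] for iframes that are off-origin and/or hidden.

    page_host is the hostname the page was fetched from; a relative src (no host)
    is treated as same-origin and is only reported if it is also hidden.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host != page_host:
            reasons.append("off-origin:" + host)
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate embed plus two injected, invisible frames
# that would hand visitors to a separate exploit host (hypothetical names).
SAMPLE_HTML = """
<html><body>
<h1>Latest news</h1>
<iframe src="https://news.example.org/player" width="640" height="360"></iframe>
<iframe src="https://cdn-update.example.net/macos/index.html" width="0" height="0"></iframe>
<iframe src="https://cdn-update.example.net/ios/index.html"
        style="position:absolute; left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "news.example.org"):
        print(src, "->", ", ".join(reasons))
```

Run against saved copies of a site's pages, the output is a short list of frame sources to check against what the site actually publishes; any off-origin host that the site owner does not recognise is the lead to pull the served content and look for the browser exploit stage.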

The experts believe the attack was orchestrated by a nation-state actor but did not attribute the campaign to a specific APT group.

ESET also attributed the attacks to an actor with strong technical capabilities. According to Felix Aimé from SEKOIA.IO, one of the sites used by the threat actors in the attacks was a fake website targeting Hong Kong activists.

Researchers also found that the legitimate website of D100, a Hong Kong pro-democracy radio station, had been compromised to distribute the same exploit before the Google TAG report was published.


“The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely. It’s interesting to note that some code, which suggests the vulnerability could also have been exploited on iOS and even on PAC-enabled (Pointer Authentication Code) devices such as the iPhone XS and newer, has been commented out” reads the analysis published by ESET.

Case study: Watering hole attacks

Tags: watering hole attacks


Apr 11 2021

Google’s Project Zero Finds a Nation-State Zero-Day Operation

Category: Zero day, Zero trust | DISC @ 9:44 am

Google’s Project Zero discovered, and caused to be patched, eleven zero-day exploits against Chrome, Safari, Microsoft Windows, and iOS. These appear to have been used by “Western government operatives actively conducting a counterterrorism operation”:

The exploits, which went back to early 2020 and used never-before-seen techniques, were “watering hole” attacks that used infected websites to deliver malware to visitors. They caught the attention of cybersecurity experts thanks to their scale, sophistication, and speed.

Zero Days

Review: ‘Zero Days’ Examines Cyberwarfare’s Potential Online Apocalypse (The New York Times)

The Stuxnet virus cyber-attack launched by the U.S. and Israel unleashed malware with unforeseen consequences. Delve deep into the burgeoning world of digital warfare in this documentary thriller from Academy Award® winning filmmaker Alex Gibney.

Tags: Stuxnet, watering hole attacks