At least since August, hackers have exploited flaws in iOS and macOS to install malware on Apple devices that visited pro-democracy and Hong Kong-based media sites. The watering hole attacks cast a broad net, indiscriminately placing a backdoor on every iPhone and Mac that visited one of the affected sites.
Apple has fixed the bugs that made the campaign possible. A report from Google's Threat Analysis Group (TAG) on Thursday shows just how aggressive the hackers were and how far their reach extended. This is yet another example of attackers exploiting previously undiscovered vulnerabilities (zero-days) in the wild. The attack was not aimed at particular journalists or dissidents; rather, it was a scaled-up operation by a state-backed group.
According to the TAG report, the recent attacks focused specifically on compromising Hong Kong websites. It is not clear how the hackers managed to compromise these sites. Once installed, the malware ran in the background on victims' devices and could download or exfiltrate files, capture the screen, log keystrokes, record audio, and execute other commands. The malware also created a "fingerprint" that can be used to identify each victim's device.
Although the macOS and iOS attacks used different methods, both chained multiple vulnerabilities to let the attackers take control of victims' devices and install their malware. TAG could not analyze the entire iOS exploit chain, but it was able to identify the Safari vulnerability the hackers used to launch the attack. The macOS version exploited a WebKit flaw and a kernel bug. All of these vulnerabilities were fixed by Apple in 2021. Pangu Lab had previously presented the macOS exploit in conference talks in April and July.
Researchers emphasize that the malware delivered through the watering hole attack was meticulously crafted and may have been the result of extensive software engineering.
Chinese state-backed hackers are known for using large numbers of zero-day vulnerabilities in watering hole attacks, including campaigns targeting Uighurs. In 2019, Google's Project Zero uncovered a campaign that had run for over two years; it was the first time iOS zero-days were used against a large population rather than individual targets. Other actors have also used the technique. Shane Huntley, director of Google TAG, said that the team does not speculate about attribution and does not have sufficient technical evidence to attribute the attacks. He stated that the targeting and activity are consistent with a government-backed actor.
Huntley says it is noteworthy that zero-day attacks are still being detected and that the number of zero-days found in the wild is increasing. "Increasing our detection rate of zero-day exploits can be a positive thing. It allows us to fix those vulnerabilities and protect users. It also gives us a better picture of what is really happening so that we can make informed decisions about how to stop it."
Apple devices have long had a reputation for security and for fewer malware problems. That perception has changed, however, as hackers have discovered and exploited more zero-day vulnerabilities in iPhones. Broad watering hole attacks have shown that attackers do not only go after high-value targets; they are also willing to attack the general population on any device.