Hackers Used macOS Zero-Day Against Hong Kong Users in Watering Hole Attacks

NSO Pegasus spyware reportedly found on high-ranking Palestinian diplomats' phones, FBI issues warning about Iranian hackers, Israel removes LGBTQ website from internet for faulty security, more

In yet another example of zero-day vulnerabilities exploited in the wild by attackers, in late August 2021, Google’s Threat Analysis Group (TAG) discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and prominent pro-democracy labor and political group.

The websites leveraged for the attacks contained two iframes that served exploits from an attacker-controlled server, one for iOS and another for macOS. The iOS exploit chain used a framework based on Ironsquirrel to encrypt exploits delivered to the victim's browser. The landing page contained a simple HTML page loading two scripts for the macOS exploit, one for Capstone.js and another for the exploit chain.

Both attacks chained multiple vulnerabilities together so attackers could take control of victim devices to install their malware. The macOS version involved the exploitation of a WebKit vulnerability and a kernel bug.

In both attacks, the distributed malware ran in the background and could dow…