A new macOS zero-day vulnerability is being actively exploited in the wild, according to Google’s Threat Analysis Group (TAG). The vulnerability exists within the XNU kernel component of the Apple operating system and allows a malicious application to execute arbitrary code with the highest level of privileges.
The active exploitation of this vulnerability has been seen in a watering hole attack targeting various Hong Kong websites, including a media outlet and a prominent pro-democracy labor and political group. In a watering hole attack, a threat actor compromises a website that members of the targeted audience visit frequently, using it as a stepping stone to gain access to the victims’ systems and network. According to Google, the threat actor behind this attack is believed to be very well-resourced and is likely a nation-state level actor.
The payload used as part of this attack includes common traits of malware, such as the ability to upload and download files, capture screenshots of the active screen, and execute terminal commands. It also has the capability to log keystrokes and record audio.
The zero-day is being tracked as CVE-2021-30869 and has been addressed in patches released on September 23rd.
Individuals and organizations are advised to apply the patch to any affected systems as soon as possible. The exploitation seen here also chains together multiple vulnerabilities to achieve final code execution, so maintaining a consistent patch cycle is important to ensure that every stage of an attack can be mitigated. Likewise, the malware payload used in this active attack utilizes common tactics and techniques seen from other threat actors, so diligent monitoring of device behavior can help detect potential infections or otherwise anomalous activity. Binary Defense’s Managed Detection and Response service is a great asset to help ensure that devices across a network are not infected with any type of malware.