A new macOS zero-day vulnerability is being actively exploited in the wild, according to Google's Threat Analysis Group (TAG). The vulnerability exists within the XNU kernel component of the Apple operating system and allows a malicious application to execute arbitrary code with the highest level of privileges.
The active exploitation of this vulnerability has been seen in a watering hole attack targeting various Hong Kong websites, including a media outlet and a prominent pro-democracy labor and political group. A watering hole attack is one in which a threat actor compromises a website that members of the targeted audience visit frequently, in order to gain access to the victims' systems and network. According to Google, the threat actor behind this attack is believed to be very well-resourced and is likely a nation-state level actor.
The payload used as part of this attack includes common traits of malware, such as the ability to upload and download files, capture screenshots of the active screen, and execute terminal commands. It also has the capability to log keystrokes and record audio.
The zero-day is being tracked as CVE-2021-30869 and has been addressed in patches from September 23rd.