Google warns of hackers using macOS zero-day flaw to capture keystrokes, screengrabs

Google’s Threat Analysis Group (TAG) has revealed that hackers targeting visitors to websites in Hong Kong were using a previously undisclosed, or zero-day, flaw in macOS to spy on people. 

Apple patched the bug, tracked as CVE-2021-30869, in a macOS Catalina update in September, about a month after Google TAG researchers found it being used. 


“A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild,” Apple said, crediting Google TAG researchers with reporting the flaw. 


Now Google has provided more information, noting that this was a so-called “watering hole” attack, where attackers select websites to compromise because of the profile of typical visitors. The attacks targeted Mac and iPhone users. 

“The websites leveraged for the attacks contained two iframes which served exploits from an attacker-controlled server—one for iOS and the other for macOS,” said Erye Hernandez of Google TAG.

The watering hole served an exploit for an XNU privilege escalation vulnerability that was, at that point, unpatched in macOS Catalina; successful exploitation led to the installation of a backdoor.

“We believe this threat actor
