Friday, 12 August 2022

Bug in Safari Used in Watering Hole attack on macOS devices in Asia.


When you are hunting, finding out where your target frequents and lying in wait is an often-used tactic. If your information is good, you are going to have a successful hunt. The same is true in cybersecurity, from both an attacker's and a researcher's perspective. These attacks are called watering hole attacks: you wait for your intended target to come and "take a drink" so you can spring your trap.

This tactic is being used in Asia to target pro-democracy activists. According to initial reports, several pro-democracy sites were either created or compromised for the explicit purpose of installing malware that would spy on the visitor's activities. The attack chain is simple: a poisoned iframe is inserted into a site. The page loaded in the iframe checks the macOS version to see whether it is 10.15.2 or newer, and if it is, a JavaScript payload is run.
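Because the injection step is just an extra iframe in the page, a site owner's first check after a suspected compromise is to list every iframe whose source is on a different origin than the page itself. The script below is an added example and not code from the original post or the ESET report; the page URL, the allow-listed video host, and the hidden iframe pointing at `cdn.example-placeholder.invalid` are all constructed sample values, not indicators from the campaign.

```python
# Added example (not from the original post): audit a page's HTML for iframes
# whose source lives on a different origin than the page, the kind of injected
# element a site owner would want to spot after a suspected compromise.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src is not None:
                self.sources.append(src)


def foreign_iframes(page_url, html, allowed_hosts=()):
    """Return absolute iframe sources whose origin differs from page_url.

    Relative sources are resolved against page_url, so same-site embeds are
    not reported. Hosts in allowed_hosts (e.g. a known video provider) are
    skipped so the report only contains embeds nobody expects to be there.
    """
    parser = IframeCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    page_origin = (page.scheme, page.netloc.lower())
    flagged = []
    for src in parser.sources:
        absolute = urljoin(page_url, src)
        parts = urlsplit(absolute)
        origin = (parts.scheme, parts.netloc.lower())
        if origin == page_origin or parts.hostname in allowed_hosts:
            continue
        flagged.append(absolute)
    return flagged


# Constructed sample page: one legitimate same-site embed, one allow-listed
# third-party embed, and one hidden zero-size iframe pointing at an unrelated
# host (placeholder name, not an indicator from the ESET report).
SAMPLE_HTML = """
<html><body>
<iframe src="/news/embed.html"></iframe>
<iframe src="https://video.example.net/player?id=42"></iframe>
<iframe src="https://cdn.example-placeholder.invalid/loader.html"
        style="display:none" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in foreign_iframes("https://news.example.org/index.html", SAMPLE_HTML,
                               allowed_hosts={"video.example.net"}):
        print("foreign iframe:", src)
```

Run it against a saved copy of each page on the site (or feed it the HTML fetched from the live site, since an injected iframe is often only served to visitors, not present in the CMS source), and treat any host that is not on your allow-list as something to explain before assuming the site is clean.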

While the injection method is simple, the exploit for WebKit (Safari versions 14.0 and older) is not. According to the ESET researchers, the exploit they observed is around 1,000 lines of code. The payload builds two primitives to gain read/write access to memory: one leaks the address of an object (addrof) and the other creates a fake JavaScript object. The two arrays it uses overlap in memory, so setting a value in one becomes a pointer when accessed through the other. By abusing the way JIT (Just In Time) compiled code is laid out, the malware can move on to the next stage, which elevates privileges to root so that the final payload can be delivered and persistence set up.

The researchers at ESET found a backdoor (DazzleSpy) that allows a significant level of control over the target system. It maintains persistence by adding a plist (Property List file) to the LaunchAgents folder.
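A plist in the user's LaunchAgents folder is one of the most common macOS persistence spots, so it is worth knowing how to enumerate that folder and pick out agents that launch a program from somewhere other than the system or application directories. The script below is an added example and not code from the original post or from ESET; the labels and program paths in the two sample agents are constructed placeholders, and the set of trusted prefixes is an assumption you should tune to your own fleet.

```python
# Added example (not from the original post or the ESET report): parse every
# agent plist in a LaunchAgents directory and flag those whose executable lives
# outside the usual system locations, which is where a dropped persistence
# plist typically points (a binary under the user's home or a temp directory).
import os
import plistlib
import sys
import tempfile

# Assumed allow-list of locations a legitimate agent's binary normally lives in.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def program_path(plist):
    """Return the executable an agent runs, from Program or ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def audit_launch_agents(directory):
    """Return (filename, label, program, suspicious) for each .plist in directory."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError):
            # An unparseable plist in LaunchAgents is itself worth a look.
            findings.append((name, None, None, True))
            continue
        program = program_path(plist)
        suspicious = program is None or not program.startswith(TRUSTED_PREFIXES)
        findings.append((name, plist.get("Label"), program, suspicious))
    return findings


def write_sample_agents(directory):
    """Constructed samples: one benign agent, one launching a hidden binary in $HOME."""
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True}
    dropped = {"Label": "com.example-placeholder.agent",
               "ProgramArguments": ["/Users/demo/.hidden/agent", "-d"],
               "RunAtLoad": True, "KeepAlive": True}
    for fname, data in (("com.example.updater.plist", benign),
                        ("com.example-placeholder.agent.plist", dropped)):
        with open(os.path.join(directory, fname), "wb") as fh:
            plistlib.dump(data, fh)


def demo_findings():
    """Write the constructed samples to a temp dir and audit them."""
    sample_dir = tempfile.mkdtemp()
    write_sample_agents(sample_dir)
    return audit_launch_agents(sample_dir)


if __name__ == "__main__":
    # Pass ~/Library/LaunchAgents (or /Library/LaunchAgents) on a real Mac;
    # with no argument the constructed samples are audited instead.
    findings = audit_launch_agents(sys.argv[1]) if len(sys.argv) > 1 else demo_findings()
    for name, label, program, suspicious in findings:
        print(("SUSPICIOUS " if suspicious else "ok         ") + f"{name}: {label} -> {program}")
```

A hit from this script is a lead, not a verdict: legitimate third-party software does install agents that run from `~/Library` or `/usr/local`, so the next step is to check the binary's code signature and who installed it rather than deleting the plist on sight.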

Overall, this looks like a sophisticated, yet quickly implemented, campaign targeting pro-democracy individuals. The watering hole technique makes the targeting very clear, while the sophistication of the malware suggests a technically advanced group (possibly state-level). Even though this campaign did not appear to be used outside of a particular region and target group, it shows the level of control that can be gained through two distinct vulnerabilities inside macOS. Fortunately, Apple has already released patches for the vulnerabilities used in both the WebKit exploit and the privilege escalation exploit. If you have not patched or updated your OS, we highly recommend you do so now.
