An exploit for the zero-day vulnerability had been publicly demonstrated since April 2021, but Apple only fixed it in September.
Government-backed hackers used political news sites in Hong Kong as watering holes to infect macOS computers with a backdoor by chaining two vulnerabilities, one of which was previously unknown. The attacks were active by at least August 2021.
The first link in the chain is a remote code execution vulnerability in WebKit (CVE-2021-1789, fixed on January 5, 2021), and the second is a local privilege escalation vulnerability in the XNU kernel (CVE-2021-30869, fixed on September 23, 2021). The WebKit bug gives the attacker code execution inside the browser's sandboxed renderer; the kernel bug is what breaks out of that sandbox.
Using this chain, the attackers obtained root privileges on the targeted Mac and then downloaded and installed the MACMA malware (also known as OSX.CDDS) on it.
This previously undocumented malware combines backdoor and spyware functionality and allows its operators to:
- Fingerprint the device so it can be identified in later operations;
- Take screenshots;
- Log keystrokes;
- Record audio;
- Upload and download files;
- Execute terminal commands.
According to the Google TAG report, the attackers also targeted users of iOS devices, but with a different exploit chain that the researchers have not yet disclosed.
The exploit for the zero-day vulnerability has been in the public domain since April 2021, when researchers from Pangu Lab presented it at the zer0con21 conference. It was presented again at the Mobile Security Conference (MOSEC) in July.
Whether the Pangu Lab researchers reported the vulnerability to Apple, and the company simply took a long time to release a fix, is unknown.
Researchers at Google TAG described the hackers behind the attacks as "a well-funded group, likely working for the government, and, judging by the quality of the code, with access to their own team of software engineers."
Experts did not attribute the attacks to any particular state or well-known cybercriminal groups.