05.23.2022 12:05 pm

Like lions in the savannah: A watering hole attack on Macs

By Candid Wüest

“Watering hole attacks” are among the most perfidious of attack strategies: like lions at a watering hole on the African savannah, cyber-criminals lie in wait behind websites that they have previously infected with malware and that the target group of the attack visits frequently or is highly likely to visit. The particular risk of this type of attack is that it is extremely difficult to trace, and the websites prepared for visitors are almost impossible to detect or stop: simply visiting them is sufficient to be infected with the damaging software. If a computer infected by these means is then identified, using previously defined criteria, as belonging to a target, the destruction starts.

In addition to companies such as Facebook or Microsoft, it is frequently politically unpopular groups or institutions like NGOs that are the focus of watering hole attacks. Instead of attacking the usually well-protected systems of these organisations directly, the attackers analyse where their supporters or members can be found online and strike at that very spot. As the knowledge and resources required for this type of attack are substantial, it is frequently state or state-sponsored actors that use it.


With “DazzleSpy” against democracy
A watering hole attack against supporters of the Hong Kong democracy movement that recently became known is striking in several respects:

  • It specifically targets macOS and Safari users
  • It gives the attackers complete control over and monitoring of the infected Macs through screen and audio recording, file downloads and uploads, keylogging and execution of terminal commands
  • The backdoor malware used is purely Mac-specific and has been named “DazzleSpy”; it was developed entirely from scratch with the highest technical and financial effort
  • It uses a macOS vulnerability that enables attackers to execute malware with administrator rights seconds after the user simply visits an infected website, such as that of a well-known democracy-friendly radio station


With Acronis Cyber Protect against “DazzleSpy”
“One-click” attacks like these, which require no user interaction at all to infect a device with malware that in the worst case gives the attackers complete control of it, are barely noticeable for users and, as stated above, difficult to prevent. But they can be detected and suppressed by a solution that uses artificial intelligence and behaviour-based detection technologies to recognise and dismantle even previously unknown malware variants and exploit chains: Acronis Cyber Protect.

Even “DazzleSpy” has no chance against this single solution that integrates cyber security, data protection and administration functions in one user interface.

Unfortunately, it must be assumed that an unknown number of Hong Kong democracy activists have already been precisely identified by the initiators of the attack. Even though Apple has now patched the vulnerabilities exploited by this attack, unprotected and already infected “DazzleSpy” victims will surely be subject to other reprisals.



About the author
Candid Wüest works as VP Cyber Protection Research at Acronis and analyses the security situation on the internet. He advises companies and governments on IT security issues. He previously worked for over 16 years as the Lead Threat Researcher in the global Symantec Security Response Team. He has a Master’s in Information Technology from ETH Zurich and various patents.
