A reminder, as if one were needed, that cyber security is not a static problem, nor one that we are anywhere near fixing. A determined, well-resourced attack will just about always be able to succeed:
[…] Chinese state-backed hackers have been known to use an extravagant number of zero-day vulnerabilities in watering hole attacks, including campaigns to target Uighurs. In 2019, Google’s Project Zero memorably unearthed one such campaign that had gone on for more than two years, and was one of the first public examples of iOS zero days being used in attacks on a broad population rather than specific, individual targets. The technique has been used by other actors as well. Shane Huntley, director of Google TAG, says that the team doesn’t speculate about attribution and didn’t have enough technical evidence in this case to specifically attribute the attacks. He added only that “the activity and targeting is consistent with a government-backed actor.”
“I do think it is notable that we are still seeing these attacks and the numbers of zero-days being found in the wild are increasing,” says Huntley. “Increasing our detection of zero-day exploits is a good thing—it allows us to get those vulnerabilities fixed and protect users, and gives us a fuller picture of the exploitation that is actually happening so we can make more informed decisions on how to prevent and fight it.”
Apple devices have long had a reputation for strong security and fewer problems with malware, but this perception has evolved as attackers have found and exploited more and more zero-day vulnerabilities in iPhones and Macs. As broad watering hole attacks have shown many times now, attackers aren’t just going after specific, high-value targets—they’re ready to take on the masses, no matter what device they own.