Skip to main content
Tag

MacOS

|

MacOS Zero-Day Exploited in Malware Attacks

By News, Patch ManagementNo Comments

MacOS Zero-Day Exploited in Malware Attacks

A MacOS zero-day was used to take unauthorized screenshots of an end user’s active session to harvest sensitive information.

MacOS Vulnerability Used to Target Developers

On Monday, Apple released macOS 11.4 which included a patch for the macOS vulnerability CVE-2021-30713.  This CVE was used to take unauthorized screenshots of an end user’s active session to harvest sensitive information.

The exploit was found by researchers at Jamf through the dissection of the XCSSET malware which employs this vulnerability. XCSSET was first caught in the wild between June and July of last year, and functions as a trojan spyware. Trojans are a type of malware which masquerade as authentic software (and generally do provide utility to the victim) but perform a malicious action on the end user’s computer. The XCSSET trojan is a purpose build malware used to exfiltrate data and user information.

How Does the MacOS Exploit Work?

CVE-2021-30713 relies on a previously unknown vulnerability in the MacOS operating system. Apple requires software packages to undergo an approval check by the end user or an administrator prior to initializing.

This process is called Transparency Consent and Control (TCC) protection. As part of the approval process, an alert is sent to the user, communicating the types of permissions which the software wants.

Below is an example of the Security & Privacy panel in MacOS, where various permissions and privacy settings are configured. As shown, each application on the computer has an individual permission setting for screen recording.

In CVE-2021-30713, the Trojan application does not appear in this list. Nor does it prompt the end user or administrator for approval before it captures content from the end user. Instead, it silently activates and begins collecting data to report back to the orchestrators of the attack.

CVE-2021-30713 bypasses the security checks in MacOS by piggybacking the permissions of a currently approved software and masquerading as that application at the time of execution. Specifically, the exploit uses an AppleScript module named “screen_sim.applescript” to capture the list of currently approved screen capturing applications.

Then, the malware creates an additional AppleScript which it injects into the approved application. Using the inherited permissions from the approved application, XCSSET is then able to perform restricted actions on the endpoint. Data which XCSSET collects is then exfiltrated to a command-and-control server hosted by the attackers.

Further analyses by the researchers revealed that the scope of permissions compromised by XCSSET were not limited to just screen capturing, and that XCSSET could also infect browsers to collect sensitive information from online accounts.

The Malware

The XCSSET Trojan has been found using unverified Xcode plugins as it’s transportation and appears to be targeted at the software development industry. When an unsuspecting programmer installs an infected Xcode plugin with the XCSSET malware imbedded, the malware then deploys itself to the device.

During that deployment, XCSSET uses CVE-2021-30713 to bypass the TCC authorization process and enable its monitoring process. Although XCSSET has only been found in Xcode plugins, because of how XCSSET is architected, any maliciously modified application can be used to deploy XCSSET. Therefore, it is not safe to assume that the malware can only be deployed through Xcode plugins.

At the time of writing, there have been around 400 documented endpoints infected by XCSSET. While this number is small, there are multiple contingent factors which elevate the risk posed by XCSSET. First, the malware has been used to explicitly target developers, which in turn raises questions about the overall safety of the software development supply chain.

Secondly, the 380 reported devices impacted by XCSSET are simply that, the reported devices. The total impact of XCSSET is still totally unknown, and many researchers expect the impact to be significantly larger. At the time of writing, one of the three command-and-control domains used by XCSSET are no longer active. The other two are set to expire later this year.

How to Resolve the Vulnerability

On Monday, Apple released MacOS 11.4. This version of MacOS improves on the current list of supported graphics cards, provides multiple feature updates, and most critically, resolves the CVE-2021-30713 vulnerability, among others. While this update comes 9 – 10 months after the vulnerability was first weaponized, Apple provided limited protection against this vulnerability as early as July 14th, 2020 (The first non-verified positive report of the vulnerability was on June 13th, 2020).  Their protection checked against Xcode projects for signatures consistent with the XCSSET malware. With the advent of MacOS 11.4, not only is the XCSSET malware less sticky in the MacOS ecosystem, but its primary method of exploitation is now invalidated.

How Syxsense Can Help

Syxsense Secure provides an expansive vulnerability library which we scan against. All MacOS devices under management with Syxsense Secure are monitored in real time for vulnerabilities just like (and including) CVE-2021-30713. If any critical vulnerability is detected, an automated notification alerts your security operations team of the threat.

Additionally, Syxsense Secure also provides integration with Apple’s update service to deliver critical updates to your Apple devices on a schedule you choose. With Syxsense Cortex (included in Syxsense Secure), vulnerability scanning, alerting, and patching can all be combined into a smart, fully automated workflow.

Syxsense Score

CVSS Score: 5.5/10

Weaponized: True

Attack Vector: Local

Attach Complexity: Low

Privileges Required: Low

User Interaction: None

Scope (Jump Point): No

Start Your Free Trial of Syxsense

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo
||

Dell Resolves Vulnerability Affecting Over 100 Million Devices

By Blog, News, Patch ManagementNo Comments

Dell Resolves Vulnerability Affecting Over 100 Million Devices

A Dell driver flaw which could allow a local authenticated attacker to gain elevated privileges on the system has been resolved.

Dell Security Flaw Dates Back to 2009

A Dell driver flaw which could allow a local authenticated attacker to gain elevated privileges on the system has been resolved. The vulnerability was caused by an insufficient access control vulnerability in the dbutil_2_3.sys driver. An attacker could exploit this vulnerability to gain elevated privileges, obtain sensitive information or cause a denial of service due to improper access restrictions within the Dell dbutil driver dbutil_2_3.sys.

Dell has remediated the dbutil driver and has released firmware update utility packages for supported platforms running Windows 10, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent and Dell Platform Tags.

Vulnerability Details

  • CVSS Score: 8.8
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Changed

How Syxsense Can Help

This vulnerability poses a very significant risk as it has a Low Attack Complexity, Low privileges requires and the Scope is Changed.  Scope is what we call a ‘Jump Point’ – which means an active exploit can jump from one technology to another.

Customers of Syxsense Manage and Syxsense Secure can request a custom to detect and remediate your vulnerable devices.

Start Your Free Trial of Syxsense

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo
||

New Weaponized Big Sur Vulnerability

By Blog, Patch ManagementNo Comments

New Weaponized Big Sur Vulnerability

Apple has published security updates for macOS Big Sur, iOS, iPadOS and watchOS. Four vulnerabilities are being actively weaponized.

New Critical Big Sur Vulnerability

Apple has published security updates for macOS Big Sur, iOS, iPadOS and watchOS.  In total, four vulnerabilities are addressed in the updates, all of which are reported as being actively weaponized in the wild.

Apple has published security updates which take macOS Big Sur to 11.3.1, iOS (for older devices) to 12.5.3, iOS and iPadOS to 14.5.1, and watchOS to 7.4.1. In total, four vulnerabilities are addressed in the updates, one of which is common to all updates. All four vulnerabilities are WebKit issues and are all reported as being actively exploited in the wild. All four vulnerabilities, if successfully exploited, could potentially allow a remote attacker to execute arbitrary code.

Vulnerability Details

  • CVSS Score: 8.8
  • Attack Vector: Network
  • Attack Complexity:  Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged

CVEs

  • CVE-2021-30661
  • CVE-2021-30663
  • CVE-2021-30665
  • CVE-2021-30666

Recommendations: Apply applicable patches, updates, or workarounds as necessary.

Start Your Free Trial of Syxsense

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo
|

Apple Patches MacOS Zero-Day Exploit

By Blog, News, Patch ManagementNo Comments

Apple Patches MacOS Zero-Day Exploit

A new MacOS exploit pushes unchecked payloads to devices by bypassing Apple’s security tools when users attempt to use an infected installation package.

Apple Patches MacOS Bug

On Monday, April 26th Apple released MacOS 11.3, a security rollup patch which remediates multiple known attack vectors. Among these vectors is CVE-2021-30657, an exploit which has been used since January to push unchecked payloads to user computers by bypassing Apple’s security tools when a user attempts to use an infected installation package.

Under the Hood

Under normal circumstances, when a MacOS user opens an application installer, the installer is first put through Apple’s anti-malware detection suite. This process contains a multi-functional mesh of security checks and scans.

The first layer of the anti-malware mesh is the File Quarantine tag. Apple first started securing users against tainted downloads in OSX Leopard by implementing file quarantining. This security attribute marks un-identified files as unsafe by applying a quarantine tag to the file’s attributes. When opening files with the quarantine tag, access will either be prompted or denied, depending on the policies applied to the computer.

Iterating on the File Quarantine tags, Apple introduced an additional layer of security in OSX Lion named Gatekeeper. The macOS Gatekeeper checks code-signing information on all new files accessed by the system to ensure that the file conforms to system policies. If the file does not meet the system policy requirement, the access is either revoked or prompted depending on applied policies.

More recently, Apple introduced new functionality in macOS Catalina which requires pre-authorization by Apple before an application is released to the public with a process titled Notarization. With this new tool, software authors provide their software to Apple prior to public release for an automated security scan.

Once the scan completes, Apple provides an attribute tag for the software which verifies its authenticity and safety. If a user attempts to install software without this attribute, the software is flagged by the anti-malware suite and access is either denied or prompted based on computer policy.

Below is the prompt generated by the Notarization, Gatekeeper, and Quarantine processes working in concert to defend against a potentially dangerous executable.

How It Works

CVE-2021-30657 manages to bypass all layers of macOS’s anti-malware suite by re-building it’s payload bundles with specifically mischaracterized property files. When a re-bundled payload is passed through the detection suite, the file contents are not recognized by the File Quarantine and Notarization processes and are default allowed by the anti-malware tools.

Because payloads using the CVE-2021-30657 exploit are default allowed, the Gatekeeper process never gets activated and the user is never given a security prompt. Instead, the payload is quietly executed, and the computer becomes compromised. In its current iteration, the well-known malware suite Shlayer is known to use CVE-2021-30657 to silently push payloads to endpoints while masquerading as an Adobe Flash Player update.

The Take-Away

There are two major takeaways from CVE-2021-30657.

First, never download applications from untrusted or third-party sites. Where possible, always install applications from the Mac App store or directly from well-known publishers like Microsoft or Adobe. When installing software not found on the Mac App store, make sure you are on the publishers’ website, and not a third-party website. These unsecure sites may contain reuploads of authentic software packages which contain software exploits similar to CVE-2021-30657.

Second, make sure that you keep your operating system up to date. MacOS 11.3 introduces patches which safeguard against CVE-2021-30657 and ensures that users are correctly prompted or denied before executing potentially dangerous executables.

How Syxsense Secure Can Help

Syxsense Secure provides automated patch management, vulnerability scanning, and IT management. It can detect if an endpoint is vulnerable to CVE-2021-30657 and deploy the corresponding security update efficiently, before any damage is done.

Syxsense Secure also provides the ability to push software to endpoint devices, limiting the attack surface of your company and providing your end users with safe access to the tools they need. Syxsense Secure also includes advanced features such as patch supersedence, patch roll back, and a wealth of automation and configuration features.

Further, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution.

Start Your Free Trial of Syxsense

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo