XCSSET malware uses 0-day attacks in macOS
Apple has released security updates for a number of its products and fixed three 0-day vulnerabilities in macOS and tvOS, which the XCSSET malware is already using. Malware has adopted one of the problems in order to bypass the protective mechanisms of macOS.
In all three cases, Apple warns that the problems “could be actively exploited” by cybercriminals, however, no details about these attacks or criminals in the company have yet been disclosed.
Two of the three vulnerabilities (CVE-2021-30663 and CVE-2021-30665) can be considered less dangerous, as they only posed a threat to WebKit on Apple TV 4K and Apple TV HD devices. These problems could be exploited through specially crafted malicious web content that corrupted information in memory, which entailed the execution of arbitrary code on vulnerable devices.
The third and most serious zero-day bug (CVE-2021-30713) is dangerous for devices running macOS Big Sur, and is a permissions issue in the Transparency, Consent, and Control (TCC) framework.
The vulnerability was discovered by the engineers of the information security company Jamf when they studied the XCSSET malware. Let me remind you that this malware was first noticed last year, when it turned out that many Xcode projects hosted on GitHub were infected with it.
“On initial discovery, it was reported that one of the most notable features of XCSSET is the use of two zero-day exploits. [The first] was used to steal cookies from the Safari browser, and the second was used to bypass requests when installing Safari for developers”, — the researchers said.
However, a more detailed study of XCSSET revealed that the malware had a third exploit for another zero-day vulnerability in its arsenal. Packaged as AppleScript, the exploit allowed malware to bypass TCC (a macOS service that shows pop-ups and asks for permissions whenever an application tries to perform an intrusive action, including using the camera, microphone, screen recording, or keystrokes).
XCSSET abused CVE-2021-30713 to find the identifiers of other applications on macOS that had received potentially harmful permissions, and then injected a malicious applet inside one of those applications to then perform malicious actions.
“The discussed exploit allowed attackers to gain full disk access, screen recording, and other permissions without explicit user consent”, — warns Jamf.
Although XCSSET and its distribution campaigns are usually highly targeted and mainly targeting developers, there is a danger that now other criminals will also use CVE-2021-30713 for their attacks. Therefore, macOS users are strongly advised to update their OS to the latest version (macOS Big Sur 11.4).
Let me remind you that I also wrote that MountLocker ransomware uses Windows API to navigate the network.