El malware XCSSET utiliza ataques de día 0 en macOS
Apple has released security updates for a number of its products and fixed three 0-day vulnerabilities in macOS and tvOS, que el malware XCSSET ya está usando. El malware ha adoptado uno de los problemas para eludir los mecanismos de protección de macOS.
En los tres casos, Apple warns that the problems “could be actively exploited” by cybercriminals, sin embargo, no details about these attacks or criminals in the company have yet been disclosed.
Two of the three vulnerabilities (CVE-2021-30663 y CVE-2021-30665) can be considered less dangerous, as they only posed a threat to WebKit on Apple TV 4K and Apple TV HD devices. These problems could be exploited through specially crafted malicious web content that corrupted information in memory, which entailed the execution of arbitrary code on vulnerable devices.
The third and most serious zero-day bug (CVE-2021-30713) is dangerous for devices running macOS Big Sur, and is a permissions issue in the Transparency, Consent, and Control (TCC) framework.
The vulnerability was discovered by the engineers of the information security company Jamf when they studied the XCSSET malware. Let me remind you that this malware was first noticed last year, when it turned out that many Xcode projects hosted on GitHub were infected with it.
“On initial discovery, it was reported that one of the most notable features of XCSSET is the use of two zero-day exploits. [El primero] was used to steal cookies from the Safari browser, and the second was used to bypass requests when installing Safari for developers”, — the researchers said.
sin embargo, a more detailed study of XCSSET revealed that the malware had a third exploit for another zero-day vulnerability in its arsenal. Packaged as AppleScript, the exploit allowed malware to bypass TCC (a macOS service that shows pop-ups and asks for permissions whenever an application tries to perform an intrusive action, including using the camera, microphone, screen recording, or keystrokes).
XCSSET abused CVE-2021-30713 to find the identifiers of other applications on macOS that had received potentially harmful permissions, and then injected a malicious applet inside one of those applications to then perform malicious actions.
“The discussed exploit allowed attackers to gain full disk access, screen recording, and other permissions without explicit user consent”, — warns Jamf.
Although XCSSET and its distribution campaigns are usually highly targeted and mainly targeting developers, there is a danger that now other criminals will also use CVE-2021-30713 for their attacks. Por lo tanto, macOS users are strongly advised to update their OS to the latest version (macOS Big Sur 11.4).
Déjame recordarte que también escribí eso MountLocker ransomware utiliza la API de Windows para navegar por la red.
