XCSSET malware uses 0-day attacks in macOS

Apple has released security updates for a number of its products and fixed three 0-day vulnerabilities in macOS and tvOS, which the XCSSET malware is already using. Malware has adopted one of the problems in order to bypass the protective mechanisms of macOS.

In all three cases, Apple warns that the problemscould be actively exploitedby cybercriminals, 然而, no details about these attacks or criminals in the company have yet been disclosed.

Two of the three vulnerabilities (CVE-2021-30663CVE-2021-30665) can be considered less dangerous, as they only posed a threat to WebKit on Apple TV 4K and Apple TV HD devices. These problems could be exploited through specially crafted malicious web content that corrupted information in memory, which entailed the execution of arbitrary code on vulnerable devices.

The third and most serious zero-day bug (CVE-2021-30713) is dangerous for devices running macOS Big Sur, and is a permissions issue in the Transparency, Consent, and Control (TCC) framework.

The vulnerability was discovered by the engineers of the information security company Jamf when they studied the XCSSET malware. Let me remind you that this malware was first noticed last year, when it turned out that many Xcode projects hosted on GitHub were infected with it.

“On initial discovery, it was reported that one of the most notable features of XCSSET is the use of two zero-day exploits. [The first] was used to steal cookies from the Safari browser, and the second was used to bypass requests when installing Safari for developers”, — the researchers said.

然而, a more detailed study of XCSSET revealed that the malware had a third exploit for another zero-day vulnerability in its arsenal. Packaged as AppleScript, the exploit allowed malware to bypass TCC (a macOS service that shows pop-ups and asks for permissions whenever an application tries to perform an intrusive action, including using the camera, microphone, screen recording, or keystrokes).

XCSSET abused CVE-2021-30713 to find the identifiers of other applications on macOS that had received potentially harmful permissions, and then injected a malicious applet inside one of those applications to then perform malicious actions.

The discussed exploit allowed attackers to gain full disk access, screen recording, and other permissions without explicit user consent”, — warns Jamf.

Although XCSSET and its distribution campaigns are usually highly targeted and mainly targeting developers, there is a danger that now other criminals will also use CVE-2021-30713 for their attacks. Therefore, macOS users are strongly advised to update their OS to the latest version (macOS Big Sur 11.4).

Let me remind you that I also wrote that MountLocker ransomware uses Windows API to navigate the network.

黑尔加·史密斯

我一直對電腦科學感興趣, 尤其是數據安全和主題, 而家被稱為 "數據科學", 由我十幾歲開始. 在進入病毒清除團隊擔任主編之前, 我曾喺多傢公司擔任網絡安全專家, 包括亞馬遜嘅承包商之一. 另一種體驗: 我在雅頓大學同雷丁大學任教.

留言

本網站使用Akismet嚟減垃圾郵件. 瞭解如何處理評論數據.

“返回頂部”按鈕