
New macOS Malware Threat: What Apple Users Need to Know


Recently, the Moonlock Lab cybersecurity team discovered a macOS malware strain that can easily evade detection, posing a significant threat to users' data privacy and security. The infection chain for this malware begins when a Mac user visits a website in search of pirated software. 

On such sites, users might encounter a file titled CleanMyMacCrack.dmg, believing it to be a cracked version of the popular Mac cleaning software, CleanMyMac. When this DMG file is launched on the computer, it executes a Mach-O file, which subsequently downloads an AppleScript designed to steal sensitive information from the infected Mac. Once the malware infects a macOS computer, it can perform a variety of malicious actions. It collects and stores the Mac owner's username and sets up temporary directories to hold stolen data before exfiltration. The malware extracts browsing history, cookies, saved passwords, and other sensitive data from web browsers. It also identifies and accesses directories that commonly contain cryptocurrency wallets. 

Additionally, it copies macOS keychain data, Apple Notes data, and cookies from Safari, gathers general user information, system details, and metadata, and then exfiltrates all this stolen data to threat actors. Moonlock Lab has linked this macOS malware to a well-known Russian-speaking threat actor, Rodrigo4. This hacker has been active on the XSS underground forum, where he has been seen recruiting other hackers to help distribute his malware using SEO manipulation and online ads. This discovery underscores the growing threat of sophisticated malware targeting macOS users, a group often perceived as being less vulnerable to such attacks. 

Despite Apple's strong security measures, this incident highlights that no system is entirely immune to threats, especially when users are lured into downloading malicious software from untrustworthy sources. To protect yourself from such threats, it is essential to take several precautions. First and foremost, avoid downloading pirated software and ensure that you only use trusted and official sources for your applications. Pirated software often hides malware that can compromise your system's security. Installing reputable antivirus software and keeping it updated can help detect and block malware on macOS. Regularly updating your macOS and all installed applications is crucial to patch any security vulnerabilities that may be exploited by attackers. 

Additionally, exercise caution with downloads from unfamiliar websites or sources. Always verify the legitimacy of the website and the software before downloading and installing it. Enabling macOS's built-in security features, such as Gatekeeper and XProtect, can also provide an additional layer of protection against malicious software. Gatekeeper helps ensure that only trusted software runs on your Mac, while XProtect provides continuous background monitoring for known malware. Moonlock Lab's findings highlight the need for greater awareness and proactive measures to safeguard personal data and privacy. Users should remain vigilant and informed about the latest security threats and best practices for protecting their devices.

By staying informed and cautious, Apple users can better protect their devices from malware and other cybersecurity threats. Awareness of the potential risks and implementing the recommended security practices can significantly reduce the likelihood of falling victim to such malicious activities. As cyber threats continue to evolve, maintaining robust security measures and staying updated on the latest threats will be crucial in ensuring the safety and integrity of personal data on macOS devices.

MacOS Gatekeeper Bypass Known as Achilles: Microsoft Warns

A Gatekeeper bypass vulnerability in macOS could allow cyber-attackers to install malicious programs on target Macs, even when the user has enabled Lockdown Mode.

Besides discussing the details of the bug (CVE-2022-42821), which Microsoft has dubbed "Achilles," the researchers constructed a working exploit by abusing the Access Control Lists (ACLs) feature of macOS, which allows access to be governed by finely tuned permissions.

Apple Gatekeeper is a popular target for application vetting

Apple Gatekeeper is a security technology created by Apple to ensure that only "trusted apps" are allowed to run on Mac devices, that is, those approved by Apple and signed by a legitimate authority. When Gatekeeper cannot validate the software, a blocking pop-up tells the user that the app cannot be run due to security concerns.

As a result, users are less likely to be compromised by malicious sideloaded applications accidentally downloaded from pirate sites or third-party app stores.

Microsoft researchers noted, however, that attackers have spent considerable time looking for ways around the feature, as shown by previously exploited vulnerabilities such as CVE-2022-22616, CVE-2022-32910, CVE-2021-1810, CVE-2021-30657, CVE-2021-30853, CVE-2019-8656, and CVE-2014-8826.

Problems of this kind are not surprising. Gatekeeper bypasses such as these are sometimes used by malware and other threats to gain initial access to macOS systems, which in turn increases the success rate of malicious campaigns and attacks. Microsoft's analysis indicates that fake apps will remain one of the most popular entry points for attackers on macOS over the coming years, which makes Gatekeeper bypass techniques a crucial element for attackers to leverage.

The discovery of a new gatekeeper bypass

The Microsoft team took advantage of details surrounding CVE-2021-1810 to create a security bypass, and they succeeded by adding permission rules (using the ACL mechanism) to malicious files as part of the process.

Apple employs a quarantine mechanism for downloaded apps. According to the advisory, when you download an app from a browser such as Safari, the browser automatically gives the file a special extended attribute, com.apple.quarantine, which is then used when enforcing policies such as Gatekeeper.

As an additional feature, the macOS file system lets you apply another special extended attribute, com.apple.acl.text, which can be used to set arbitrary access control lists on a file.

According to Microsoft researchers, each ACL has a certain number of Access Control Entries (ACEs) that govern what each principal can and cannot do, much like firewall rule sets do for addresses. Accordingly, the researchers added very restrictive ACLs to the downloaded files. These ACLs prohibit Safari (and any other program) from setting new extended attributes, such as com.apple.quarantine, on the downloaded files.

Without the quarantine attribute, Gatekeeper is unaware that the file needs to be checked, so the security mechanism is bypassed entirely.
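The two attributes described above give a defender something concrete to look for in a Downloads folder: a file whose ACL denies writeextattr and which nevertheless carries no com.apple.quarantine attribute. The following Python is an added example, not code from the page or from Microsoft; it parses a constructed `ls -l -e -@` listing (the file names and entries are invented, and the exact column layout of that listing is assumed) and flags that combination.

```python
# Constructed sample of `ls -l -e -@` output for a Downloads folder (not from the page).
# Tab-indented lines are extended attributes (name, size); " N:" lines are ACL entries.
SAMPLE_LISTING = """\
-rw-r--r--@  1 alice  staff  1024 Dec 19 10:01 report.pdf
\tcom.apple.quarantine\t    57
-rw-r--r--+  1 alice  staff  4096 Dec 19 10:02 installer.dmg
 0: group:everyone deny writeattr,writeextattr
-rw-r--r--   1 alice  staff   512 Dec 19 10:03 notes.txt
-rw-r--r--@  1 alice  staff  2048 Dec 19 10:04 signed.pkg
\tcom.apple.quarantine\t    57
 0: user:alice allow read
"""
QUARANTINE_XATTR = "com.apple.quarantine"

def parse_listing(text):
    """Group the listing into {name: {"xattrs": set, "aces": [(principal, effect, perms)]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":                # file record: mode links owner group size M D T name
            current = line.split(None, 8)[8]
            entries[current] = {"xattrs": set(), "aces": []}
        elif current is None:
            continue                            # attribute line before any file record
        elif line.startswith("\t"):             # "<xattr name>\t<size>"
            entries[current]["xattrs"].add(line.split()[0])
        else:                                   # " N: principal allow|deny perm,perm,..."
            _, principal, effect, perms = line.split(None, 3)
            entries[current]["aces"].append((principal, effect, set(perms.split(","))))
    return entries

def achilles_indicators(entries):
    """Files whose ACL denies writeextattr and that carry no quarantine attribute: such an
    ACL would have stopped the browser from attaching com.apple.quarantine, so
    Gatekeeper never inspected the file."""
    flagged = []
    for name, info in entries.items():
        denies_xattr_writes = any(effect == "deny" and "writeextattr" in perms
                                  for _, effect, perms in info["aces"])
        if denies_xattr_writes and QUARANTINE_XATTR not in info["xattrs"]:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name in achilles_indicators(parse_listing(SAMPLE_LISTING)):
        print(f"suspicious: {name} (writeextattr denied, no quarantine attribute)")
```

On a real Mac the same two functions can be fed the output of `ls -l -e -@ ~/Downloads` instead of the constructed sample.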

The researchers at Microsoft also found that Apple's Lockdown Mode, which debuted in July to protect at-risk targets from state-sponsored spyware, does not prevent the Achilles attack.

"We note that Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed at stopping zero-click remote code execution exploits, and therefore does not defend against Achilles," according to Microsoft. 

Apple was alerted to the issue in July and fixed it in the latest macOS version. For maximum protection against cybercrime, Mac operating systems should be updated as soon as possible.