IT security audit specialists from the cybersecurity firm Intego have reported supposed in the wild exploitation of an uncorrected vulnerability in some of Apple MacOS Gatekeeper security features; there is a proof of concept of this exploitation published online.
A few days ago, experts discovered at least
four different samples of this macOS malware on VirusTotal specialized platform.
These malware variants exploit a bypass vulnerability to execute malicious code
on macOS without requiring the user to approve the action through a dialog box.
The latest version of the malware, known as
OSX/Linker, has not been detected in the wild yet, so IT security audit experts
considered that it is still in a developmental stage. Even though all malware
variants exploit the vulnerability in Gatekeeper,
the download of any malicious application has not been detected from the server
of the threat actors.
Gatekeeper is a security feature built into
Apple macOS that verifies digital signatures and downloaded apps before
approving their execution, functioning as an additional layer of security against
malware. If someone gets to download an application from any website,
Gatekeeper will allow or prevent its execution depending on whether it finds a
valid certificate approved by Apple; otherwise it will ask for users’ approval
to run the application.
However, Gatekeeper was designed to treat
external storage drives (such as USB or HDD), in addition to network shares, as
secure locations. According to the experts, from these secure locations a user
can run any application without requiring subsequent permissions or Gatekeeper
alerts.
Late last month, IT security audit specialist
revealed a method to exploit this operating system behavior that involves two
other legitimate features of macOS: zip files and automount function. The
expert created a zip file with a symbolic link to an attacker-controlled
network share that macOS will automount.
When the victim opens the zip and follows the
link, they will be directed to the shared network under the hacker’s control
and execute malicious files without the system requesting the victim’s
authorization. The expert notified the company last February and, as more than
90 days have passed and the flaw has not been corrected, he decided to disclose
the vulnerability.
Experts from the International Institute of
Cyber Security (IICS) recommend blocking NFS communications as a workaround
while Apple
releases an update patch.
