The Hacker News - Cybersecurity News and Analysis: MacOS

Apple on Thursday rolled out emergency patches to address two zero-day flaws in its  mobile  and  desktop operating systems  that it said may have been exploited in the wild. The shortcomings have been fixed as part of updates to iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. Both the vulnerabilities have been reported to Apple anonymously. Tracked as  CVE-2022-22675 , the issue has been described as an  out-of-bounds write  vulnerability in an audio and video decoding component called AppleAVD that could allow an application to execute arbitrary code with kernel privileges. Apple said the defect was resolved with improved bounds checking, adding it's aware that "this issue may have been actively exploited." The latest version of macOS Monterey, besides fixing CVE-2022-22675, also includes remediation for  CVE-2022-22674 , an  out-of-bounds read  issue in the Intel Graphics Driver module that could enable a malicious actor to read kern

Researchers have disclosed details of a newly discovered macOS variant of a malware implant developed by a Chinese espionage threat actor known to strike attack organizations across Asia. Attributing the attacks to a group tracked as  Storm Cloud , cybersecurity firm Volexity characterized the new malware, dubbed Gimmick, as a "feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google Drive) for command-and-control (C2) channels." The cybersecurity firm said it recovered the sample through memory analysis of a compromised MacBook Pro running macOS 11.6 (Big Sur) as part of an intrusion campaign that took place in late 2021. "Storm Cloud is an advanced and versatile threat actor, adapting its tool set to match different operating systems used by its targets," Volexity researchers Damien Cash, Steven Adair, and Thomas Lancaster  said  in a report. "They make use of built-in operating system utilities, open-source to

Apple on Thursday released security updates for  iOS, iPadOS ,  macOS , and  Safari  to address a new WebKit flaw that it said may have been actively exploited in the wild, making it the company's third zero-day patch since the start of the year. Tracked as CVE-2022-22620, the issue concerns a use-after-free vulnerability in the WebKit component that powers the Safari web browser and could be exploited by a piece of specially crafted web content to gain arbitrary code execution.  "Apple is aware of a report that this issue may have been actively exploited," the company said in a terse statement acknowledging in-the-wild attacks leveraging the flaw. The iPhone maker credited an anonymous researcher for discovering and reporting the flaw, adding it remediated the issue with improved memory management. The updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th

A financially motivated campaign that targets Android devices and spreads mobile malware via SMS phishing techniques since at least 2018 has spread its tentacles to strike victims located in France and  Germany  for the first time. Dubbed  Roaming Mantis , the latest spate of activities observed in 2021 involve sending fake shipping-related texts containing a URL to a landing page from where Android users are infected with a banking trojan known as Wroba whereas iPhone users are redirected to a phishing page that masquerades as the official Apple website. The top affected countries, based on telemetry data gathered by Kaspersky between July 2021 and January 2022, are France, Japan, India, China, Germany, and Korea. Also tracked under the names  MoqHao  and XLoader (not to be confused with the info-stealer malware of the same name  targeting Windows and macOS ), the group's activity has continued to expand geographically even as the operators broadened their attack methods to m

A previously undocumented cyber-espionage malware aimed at Apple's macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. Slovak cybersecurity firm ESET  attributed  the intrusion to an actor with "strong technical capabilities," calling out the campaign's overlaps to that of a similar digital offensive  disclosed  by Google Threat Analysis Group (TAG) in November 2021. The attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames (aka  iframes ) between September 30 and November 4, 2021. Separately, a fraudulent website called "fightforhk[.]com" was also registered for the purpose of luring liberation activists. In the next phase, the tampered code acted as a conduit to load a  Mach-O  file by leveraging a remote code execution bug in

A new  cross-platform backdoor  called " SysJoker " has been observed targeting machines running Windows, Linux, and macOS operating systems as part of an ongoing espionage campaign that's believed to have been initiated during the second half of 2021. "SysJoker masquerades as a system update and generates its [command-and-control server] by decoding a string retrieved from a text file hosted on Google Drive," Intezer researchers Avigayil Mechtinger, Ryan Robinson, and Nicole Fishbein  noted  in a technical write-up publicizing their findings. "Based on victimology and malware's behavior, we assess that SysJoker is after specific targets." The Israeli cybersecurity company, attributing the work to an advanced threat actor, said it first discovered evidence of the implant in December 2021 during an active attack against a Linux-based web server belonging to an unnamed educational institution. A C++-based malware, SysJoker is delivered via a dr

Microsoft on Monday disclosed details of a recently patched security vulnerability in Apple's macOS operating system that could be weaponized by a threat actor to expose users' personal information. Tracked as CVE-2021-30970, the flaw concerns a logic issue in the Transparency, Consent and Control (TCC) security framework, which enables users to configure the privacy settings of their apps and provide access to protected files and app data. The  Security & Privacy pane  in the macOS System Preferences app serves as the front end of TCC. Microsoft 365 Defender Research Team, which reported the vulnerability to Apple on July 15, 2021, dubbed the flaw " powerdir ." Apple  addressed  the issue as part of macOS 11.6 and 12.1 updates released in December 2021 with improved state management. While Apple does enforce a policy that limits access to TCC to only apps with full disk access, it's possible to orchestrate an attack wherein a malicious application could

Apple recently fixed a security vulnerability in the macOS operating system that could be potentially exploited by a threat actor to "trivially and reliably" bypass a "myriad of foundational macOS security mechanisms" and run arbitrary code. Security researcher Patrick Wardle  detailed  the discovery in a series of tweets on Thursday. Tracked as CVE-2021-30853 (CVSS score: 5.5), the issue relates to a scenario where a rogue macOS app may circumvent  Gatekeeper  checks, which ensure that only trusted apps can be run and that they have passed an automated process called " app notarization ." The iPhone maker, crediting Gordon Long of Box with reporting the flaw, said it  addressed the weakness  with improved checks as part of macOS 11.6 updates officially released on September 20, 2021. "Such bugs are often particularly impactful to everyday macOS users as they provide a means for adware and malware authors to sidestep macOS security mechanisms, …m

Google researchers on Thursday disclosed that it found a watering hole attack in late August exploiting a now-patched zero-day in macOS operating system and targeting Hong Kong websites related to a media outlet and a prominent pro-democracy labor and political group to deliver a never-before-seen backdoor on compromised machines. "Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code," Google Threat Analysis Group (TAG) researcher Erye Hernandez  said  in a report. Tracked as CVE-2021-30869 (CVSS score: 7.8), the security shortcoming concerns a type confusion vulnerability affecting the XNU kernel component that could cause a malicious application to execute arbitrary code with the highest privileges. Apple originally addressed the issue for macOS Big Sur devices as part of a security update shipped on February 1, only to follow

Microsoft on Thursday disclosed details of a new vulnerability that could allow an attacker to bypass security restrictions in macOS and take complete control of the device to perform arbitrary operations on the device without getting flagged by traditional security solutions. Dubbed " Shrootless " and tracked as  CVE-2021-30892 , the "vulnerability lies in how Apple-signed packages with post-install scripts are installed," Microsoft 365 Defender Research Team's Jonathan Bar Or  said  in a technical write-up. "A malicious actor could create a specially crafted file that would hijack the installation process." System Integrity Protection ( SIP ) aka "rootless" is a  security feature  introduced in OS X El Capitan that's designed to protect the macOS operating system by restricting a  root user  from executing unauthorized code or performing operations that may compromise system integrity. Specifically, SIP allows modification of prote

Apple on Thursday released security updates to fix multiple security vulnerabilities in older versions of  iOS  and  macOS  that it says have been detected in exploits in the wild, in addition to expanding patches for a previously plugged security weakness abused by NSO Group's Pegasus surveillance tool to target iPhone users. Chief among them is CVE-2021-30869, a type confusion flaw that resides in the kernel component  XNU  developed by Apple that could cause a malicious application to execute arbitrary code with the highest privileges. The Cupertino-based tech giant said it addressed the bug with improved state handling. Google's Threat Analysis Group, which is credited with reporting the flaw, said it detected the vulnerability being "used in conjunction with a N-day remote code execution targeting WebKit." Two other flaws include  CVE-2021-30858 and CVE-2021-30860 , both of which were resolved by the company earlier this month following disclosure from the

Cybersecurity researchers on Tuesday disclosed details of an unpatched zero-day vulnerability in macOS Finder that could be abused by remote adversaries to trick users into running arbitrary commands on the machines. "A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands, these files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user," SSD Secure Disclosure  said  in a write-up published today. Park Minchan, an independent security researcher, has been credited with reporting the vulnerability which affects macOS versions of Big Sur and prior. The weakness arises due to the manner macOS processes INETLOC files — shortcuts to open internet locations such as RSS feeds, Telnet connections, or other online resources and local files — resulting in a scenario that allows commands embedded in those files to be executed wit

A new wave of attacks involving a notorious macOS adware family has evolved to leverage around 150 unique samples in the wild in 2021 alone, some of which have slipped past Apple's on-device malware scanner and even signed by its own notarization service, highlighting the malicious software ongoing attempts to adapt and evade detection. "AdLoad," as the malware is known, is one of several widespread adware and bundleware loaders targeting macOS since at least 2017. It's capable of backdooring an affected system to download and install adware or potentially unwanted programs (PUPs), as well as amass and transmit information about victim machines. The new iteration "continues to impact Mac users who rely solely on Apple's built-in security control XProtect for malware detection," SentinelOne threat researcher Phil Stokes  said  in an analysis published last week. "As of today, however, XProtect arguably has around 11 different signatures for AdLoa

Apple on Monday rolled out an urgent security update for  iOS, iPadOS , and  macOS  to address a zero-day flaw that it said may have been actively exploited, making it the thirteenth such vulnerability Apple has patched since the start of this year. The updates, which arrive less than a week after the company released iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5 to the public, fixes a memory corruption issue ( CVE-2021-30807 ) in the IOMobileFrameBuffer component, a kernel extension for managing the screen  framebuffer , that could be abused to execute arbitrary code with kernel privileges. The company said it addressed the issue with improved memory handling, noting it's "aware of a report that this issue may have been actively exploited." As is typically the case, additional details about the flaw have not been disclosed to prevent the weaponization of the vulnerability for additional attacks. Apple credited an anonymous researcher for discovering and reporting the

A popular malware known for stealing sensitive information from Windows machines has evolved into a new strain capable of also targeting Apple's macOS operating system. The upgraded malware, dubbed "XLoader," is a successor to another well-known Windows-based info stealer called Formbook that's known to vacuum credentials from various web browsers, capture screenshots, record keystrokes, and download and execute files from attacker-controlled domains. "For as low as $49 on the Darknet, hackers can buy licenses for the new malware, enabling capabilities to harvest log-in credentials, collect screenshots, log keystrokes, and execute malicious files," cybersecurity firm Check Point said in a report shared with The Hacker News. Distributed via spoofed emails containing malicious Microsoft Office documents, XLoader is estimated to infected victims spanning across 69 countries between December 1, 2020, and June 1, 2021, with 53% of the infections reported in

Apple on Monday announced a number of  privacy and security-centric features  to its upcoming versions of  iOS  and  macOS  at its all-online Worldwide Developers Conference. Here is a quick look at some of the big-ticket changes that are expected to debut later this fall: 1  — Decouple Security Patches from Feature Updates:  As  rumored before , users now have a choice between two software update versions in the Settings app. Users can either opt to update to the latest version of iOS 15 for all the latest features and most complete set of security updates or continue on iOS 14 and still get important security updates until they are ready to migrate to the next major version. 2  —  Built-in Two-factor Authenticator:  The new versions of iOS and macOS also come with options that allow users to generate two-factor authentication codes for each of the online accounts saved to iCloud Keychain (Settings > Passwords) without the need for downloading additional apps like Google Authen

A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed. The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its  GitHub repository  were handled, resulting in a scenario where a malicious  pull request  — i.e., the proposed changes — could be automatically reviewed and approved. The flaw was fixed on April 19. Homebrew is a free and open-source software package manager solution that allows the installation of software on Apple's macOS operating system as well as Linux. Homebrew  Cask  extends the functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins, and other non-open source software. "The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be

A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET came into the spotlight in  August 2020  after it was found to spread via modified Xcode IDE projects, which, upon the building, were configured to execute the payload. The malware repackages payload modules to imitate legitimate Mac apps, which are ultimately responsible for infecting local Xcode projects and injecting the main payload to execute when the compromised project builds. XCSSET modules come with the capabilities to steal credentials, capture screenshots, inject malicious JavaScript into websites, plunder user data from different apps, and even encrypt files for a ransom.  Then in March 2021, Kaspersky researchers  uncovered  XCSSET samples compiled for the new Apple M1 chips, suggesting that the malware campaign was not only ongoing but also that adversaries are  activ

Apple has released out-of-band patches for iOS, macOS, watchOS, and Safari web browser to address a security flaw that could allow attackers to run arbitrary code on devices via malicious web content. Tracked as CVE-2021-1844 , the vulnerability was discovered and reported to the company by Clément Lecigne of Google's Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research. According to the update notes posted by Apple, the flaw stems from a memory corruption issue that could lead to arbitrary code execution when processing specially crafted web content. The company said the problem was addressed with "improved validation." The update is available for devices running  iOS 14.4, iPadOS 14.4 ,  macOS Big Sur , and  watchOS 7.3.1  (Apple Watch Series 3 and later), and as an  update to Safari  for MacBooks running macOS Catalina and macOS Mojave. The latest development comes on the heels of a patch for  three zero-day vulnerabilities  (CVE-

Cybersecurity researchers on Thursday disclosed two distinct design and implementation flaws in Apple's crowdsourced Bluetooth location tracking system that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, thereby deanonymizing users. The  findings  are a consequence of an exhaustive review undertaken by the Open Wireless Link (OWL) project, a team of researchers from the Secure Mobile Networking Lab at the Technical University of Darmstadt, Germany, who have historically taken apart Apple's wireless ecosystem with the goal of identifying security and privacy issues. In response to the disclosures on July 2, 2020, Apple is said to have partially addressed the issues, stated the researchers, who used their own data for the study citing privacy implications of the analysis. How Find My Works? Apple devices come with a feature called  Find My  that makes it easy for users to locate other Apple devices, including