Last Week on My Mac: Is your Mac still secure from malware?
If you’re still running macOS Mojave or earlier, now is the time to take action to ensure your Mac maintains protection against malware.
Investigation report about the abuse of the Mac Appstore | by Privacy1St
This investigation report contains an applications analysis of 7 different Apple developer accounts (identified so far — maybe there are…
I see what you did there: A look at the CloudMensis macOS spyware
ESET uncovers CloudMensis, a macOS backdoor that spies on users of Mac devices and communicates with its operators via public cloud storage services.
Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706 - Microsoft Security Blog
Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. We shared these findings with Apple, and fix for this vulnerability, now identified as CVE-2022-26706, was included in the security updates on May 16, 2022.
Get root on macOS 12.3.1: proof-of-concepts for Linus Henze's CoreTrust and DriverKit bugs
Here are two proof-of-concepts for CVE-2022-26766 (CoreTrust allows any root certificate) and CVE-2022-26763 (IOPCIDevice::_MemoryAccess not checking bounds at all), two issues discovered by @LinusHenze and patched in macOS 12.4 / iOS 15.5.
Last Week on My Mac: Introducing XProtect Remediator, successor to MRT – The Eclectic Light Company
MRT’s days appear numbered. On 14 March this year, Apple released its successor – a new version of XProtect, which now does the lot.
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.
Apple has pushed a silent Mac update to remove hidden Zoom web server
Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission. The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which […]
Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK
We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices
Malicious PyPI package opens backdoors on Windows, Linux, and Macs
Yet another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems.
Exploiting an Unbounded memcpy in Parallels Desktop
This post details the development of a guest-to-host virtualization escape for Parallels Desktop on macOS, as used in our successful Pwn2Own 2021 entry. Give...
CVE-2022-22675: AppleAVD Overflow in AVC_RBSP::parseHRD | 0-days In-the-Wild
Information about 0-days exploited in-the-wild!
macOS Vulnerabilities Hiding in Plain Sight (Black Hat Asia 2022 presentation)
Sometimes when we publish details and writeups about vulnerabilities we are so focused on the actual bug, that we don't notice others, which might be still hidden inside the details. The same can happen when we read these issues, but if we keep our eyes open we might find hidden gems. Download Slides Download Whitepaper
Analyzing a Pirrit adware installer
While Windows holds the largest market share on malware, macOS has its fair share of threats that mostly exist in an adware/grayware area. In this post I want to walk through how a Pirrit PKG file installer works. There are lots of more complex threats, but this is a good place to start if you’re just jumping into analysis. If you want to follow along at home, I’m working with this file in MalwareBazaar: https://bazaar.abuse.ch/sample/d39426dbceb54bba51587242f8101184df43cc23af7dc7b364ca2327e28e7825/.
Known macOS Vulnerabilities Led Researcher to Root Out New Flaws
Researcher shares how he unearthed newer bugs in Apple's operating system by closer scrutiny of previous research, including vulnerabilities that came out of the Pwn2Own competition.
From the Front Lines | Unsigned macOS oRAT Malware Gambles For The Win
Researchers looking into a new APT group targeting gambling sites with a variety of cross-platform malware recently identified a version of oRAT malware targeting macOS users and written in Go. While neither RATs nor Go malware are uncommon on any platform, including the Mac, the development of such a tool by a previously unknown APT is an interesting turn, signifying the increasing need for threat actors to address the rising occurrence of Macs among their intended targets and victims. In this post, we dig deeper into the technical details of this novel RAT to understand better how it works and how security teams can detect it in their environments.
MacOS Two-machine Kernel Debugging
Diverto is an information security company. We provide consulting and managed services.
OverWatch Insights: Reviewing a New Intrusion Targeting Mac Systems
While Mac enterprise networks are not as common as Windows, and subject to less targeting by adversaries, recent CrowdStrike Falcon Overwatch observations shed light on sophisticated tactics, techniques and procedures (TTPs) targeting Mac environments.
What does APT Activity Look Like on MacOS?
What does APT Activity Look Like on macOS?I often get asked what Advanced Persistent Activity (APT) or nation state hacking looks like on a macOS system. This is a great question and the answer is no
Jamf Threat Labs identifies Safari vulnerability (CVE-2022-22616) allowing for Gatekeeper bypass
The identified vulnerability allows bypassing of Gatekeeper security and app notorization, has been patched by Apple.
Increased Enterprise Use of iOS, Mac Means More Malware
As use of Apple devices has grown in the enterprise, the company has increasingly become a target for malware threats and other attacks. ISMG spoke with experts and
MacOS SUHelper Root Privilege Escalation Vulnerability A Deep Dive Into CVE-2022-22639
We discovered a now-patched vulnerability in macOS SUHelper, designated as CVE-2022-22639. If exploited, the vulnerability could allow malicious actors to gain root privilege escalation.
Apple releases macOS 12.3.1, iOS 15.4.1, watchOS 8.5.1 and more - The Mac Security Blog
Apple has just released fixes for two actively exploited vulnerabilities affecting macOS Monterey, iOS 15, and iPadOS 15.
Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS
In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. Volexity was able to run Surge Collect to acquire system memory (RAM) and select files of interest from the machine for analysis. This led to the discovery of a macOS variant of a malware implant Volexity calls GIMMICK. Volexity has encountered Windows versions of the malware family on several previous occasions. GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google […]
Objective-See's Blog
Analyzing OSX.DazzleSpy A fully-featured cyber-espionage macOS implant
Analyzing a watering hole campaign using macOS exploits
To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.
Watering hole deploys new macOS malware, DazzleSpy, in Asia
The website of a Hong Kong pro-democracy radio station was compromised to serve a Safari exploit that installed cyberespionage malware on visitors’ Macs.
SysJoker : un malware pour macOS, Windows et Linux qui opère discrètement depuis des mois
Un inquiétant cheval de Troie très discret et multiplateformes vient d'être repéré. Baptisé SysJoker et mis en lumière par la firme de sécurité Intezer, il peut cibler autant Windows, Linux que macOS. Pire encore, celui-ci passait sous les radars des antivirus depuis un bout de temps. Les versions Linux et macOS n'étaient jusqu'à présent pas du tout détectées par des sites
New SysJoker Backdoor Targets Windows, Linux, and macOS
In December 2021, we discovered a new multi-platform backdoor that targets Windows, Mac, and Linux that we have named SysJoker.
SysJoker analyzing the first (macOS) malware of 2022!
Earlier today (January 11th), Researchers at Intezer published an report titled, “New SysJoker Backdoor Targets Windows, Linux, and macOS.” In this report, they detailed a new cross-platform backdoor they named SysJoker. Though initially discovered on Linux, the Intezer researchers shortly thereafter also found both Windows and Mac versions: "SysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution. After further investigation, we found that SysJoker also has Mach-O and Windows PE versions." -Intezer