Threat Watch

Attackers Actively Exploiting CVE-2021-30657 on macOS

On April 26th, Apple published an update to macOS patching a security vulnerability disclosed to them by Security Researcher Cedric Owens. The vulnerability bypasses Gatekeeper checks by utilizing stolen Apple Developer IDs, which were used to sign the malware. By signing the malware with these legitimate Apple certificates, the attackers can bypass all quarantine and security mechanisms that would normally prevent installation and execution. Attackers have already taken advantage of this vulnerability across multiple samples studied by Jamf and Patrick Wardle, with the final payload being Shlayer, a common loader for macOS.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

If organizations are utilizing macOS devices internally, it is important to remind users to update their devices as major security patches like this arise. If organizations have security products like Jamf, remote administration of patching might also be available. A simple python script (scan.py) by Patrick Wardle of Objective-See is provided below to assist in hunting for malware on affected devices.

References:
https://objective-see.com/blog/blog_0x64.html
https://objective-see.com/downloads/blog/blog_0x64/scan.py
https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/
https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508
https://therecord.media/apple-patches-gatekeeper-bypass-bug-abused-by-malware-gang/

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support