Privacy Ninja
Apple Fixes Three Zero-days, One Abused By XCSSET macOS Malware

Apple has released security updates to patch three zero-day vulnerabilities in macOS and tvOS that attackers exploited in the wild, with the macOS flaw being abused by the XCSSET malware to bypass macOS privacy protections.

In all three cases, Apple said that it is aware of reports that the security issues “may have been actively exploited,” but it didn’t provide details on the attacks or threat actors who may have exploited the zero-days.

Exploitable for privacy bypass and code execution

Two of the three zero-days (tracked as CVE-2021-30663 and CVE-2021-30665) impact WebKit on Apple TV 4K and Apple TV HD devices.

WebKit is Apple’s browser rendering engine, used by its web browsers and applications to render HTML content on its desktop and mobile platforms, including iOS, macOS, tvOS, and iPadOS.

Threat actors could exploit the two vulnerabilities using maliciously crafted web content that would trigger arbitrary code execution on unpatched devices due to a memory corruption issue.

The third zero-day (tracked as CVE-2021-30713) impacts macOS Big Sur devices, and it is a permission issue found in the Transparency, Consent, and Control (TCC) framework.

The TCC framework is a macOS subsystem that blocks installed apps from accessing sensitive user info without asking for explicit permissions via a pop-up message.

Attackers could exploit this vulnerability using a maliciously crafted application that may bypass Privacy preferences and access sensitive user data.


Zero-day used by XCSSET macOS malware

While Apple didn’t provide any details on how the three zero-days were abused in attacks, Jamf researchers discovered that the macOS zero-day (CVE-2021-30713) patched today was used by the XCSSET malware to circumvent Apple’s TCC protections designed to safeguard users’ privacy.

“The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent — which is the default behavior,” the researchers said.

“We, the members of the Jamf Protect detection team, discovered this bypass being actively exploited during additional analysis of the XCSSET malware, after noting a significant uptick of detected variants observed in the wild.

“The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions.”

The XCSSET malware was first spotted by Trend Micro last year in a campaign targeting Mac users via infected Xcode projects, using two other zero-days to hijack the Safari web browser and inject malicious JavaScript payloads.

A new XCSSET variant was discovered by Trend Micro researchers last month, updated to work on recently released Apple-designed ARM Macs.

Stream of zero-days exploited in the wild

Zero-day vulnerabilities have been showing up in Apple’s security advisories more and more often throughout this year, most of them also tagged as exploited in attacks before getting patched.

Earlier this month, Apple addressed two iOS zero-days in the WebKit engine allowing arbitrary remote code execution (RCE) on vulnerable devices simply by visiting malicious websites.

The company has also been issuing patches for a stream of zero-day bugs exploited in the wild over the past few months: one fixed in macOS in April and numerous other iOS vulnerabilities fixed in the previous months.

The company patched three other iOS zero-days—a remote code execution bug, a kernel memory leak, and a kernel privilege escalation flaw—impacting iPhone, iPad, and iPod devices in November.


The Shlayer malware used the macOS zero-day patched in April to bypass Apple’s File Quarantine, Gatekeeper, and Notarization security checks as an easy way to download and install second-stage malicious payloads.

Update: Added info on the XCSSET malware using the macOS zero-day, updated title.
