Apple this week revealed that its new macOS 11.3 update comes with a fix for a critical vulnerability – one that hackers actively exploited with Shlayer malware that can sidestep Apple defenses.
The zero-day flaw, first discovered in March but likely in use by hackers since Jan. 9, allows unapproved software to run on Mac and is distributed via compromised websites or poisoned search engine results. Cybercriminals create web pages with content tailored to appear in results for common queries, or hijack legitimate websites. Once the malware is inside a system, it won’t be stopped by any of the Mac’s defensive tools.
Jamf Protect researchers found that the malware lets attackers bypass the macOS’s Gatekeeper, Notarization and File Quarantine security technologies. “The exploit allows unapproved software to run on Mac and is distributed via compromised websites or poisoned search engine results,” Jaron Bradley, manager, MacOS detections at Jamf, wrote in a blog post detailing the discovery.
“Apple makes many updates to their complex security features on a regular basis,” Bradley said. “At some point, one of these complex updates created an unintentional bug that allowed attackers to bypass many security features on the operating system.”
Bradley says it’s unclear how many users are affected by the latest variant.
Shlayer has been a thorn in Apple’s side; last year it slipped through the company’s defenses and made its way through the tech giant’s automated notarizing process.
And the malware “continues to be one of the most active and prevalent malware families for macOS,” Bradley explained. “Unknown users may stumble upon it by visiting legitimate websites that have been hijacked, which may ultimately redirect them to a new site hosting the malware.”
Shlayer also is “commonly spread on pirating sites, posing as free cracked software or sites that play pirated videos,” Bradley said, with users often “prompted by the website to install it to watch the expected video.”
The tactics and capabilities Shlayer uses “are very similar to what attackers do when targeting mobile users, in that their end goal is to deliver malware that can circumvent the device’s native security measures,” which “exemplifies how the difference between computer and mobile operating systems is getting slimmer every day,” said Hank Schless, senior manager, security solutions, at Lookout.
Contending that “computer operating systems look more like their mobile counterparts every day,” Schless said, “consumers prefer the simplified interface that mobile devices offer, so in order to keep the customer engaged, developers are applying that to computer OSes.”
But as Apple develops more devices based on the M1 chip, “which allows desktop users to run mobile apps,” he said “individuals and organizations alike need to be aware of the expanded risk that comes along with that capability.”
An upgrade to macOS 11.3 will eliminate the malware’s threat – this time. And Apple, Bradley said, just updated its built-in anti-virus engine to catch Shlayer variants that might crop up.
Attackers are constantly finding new ways to circumvent security measures, and no system is immune, even when strong security controls are in place, nVisium director of infrastructure Shawn Smith noted, adding, “Vulnerabilities like this one are why it’s so vital to have mitigation and recovery policies in place and regularly tested.”
Erkang Zheng, founder and CEO at JupiterOne, said the revelation that Shlayer is being used to exploit the zero-day underscores “the need for a complete, self-maintained CMDB or asset inventory, with the data in an easily queryable fashion.” He explained that “the ability to ask the question, ‘Do I have any vulnerable Mac devices that haven’t been patched?’ needs to be available within a moment’s notice.”
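The inventory question Zheng describes, as an added example that is not from the article, Jamf or JupiterOne: it runs over a constructed asset export and flags Macs that are not yet on 11.3, the release the article names as carrying the fix. The record layout (`hostname`, `platform`, `os_version`) is an assumption; the point is that version strings must be compared numerically, since a plain string comparison would order "11.10" below "11.3".

```python
"""Flag Macs below the patched macOS release in an asset inventory (added example)."""
import re
from typing import Iterable, List, Tuple

# macOS 11.3 is the release the article names as fixing the flaw
PATCHED = (11, 3, 0)


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '11.2.3' into (11, 2, 3); a missing patch number becomes 0 so tuples compare."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised macOS version: {s!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_unpatched(version: str) -> bool:
    """True when the host reports a release older than 11.3 (numeric, not string, order)."""
    return parse_version(version) < PATCHED


def unpatched_hosts(inventory: Iterable[dict]) -> List[str]:
    """Answer 'Do I have any Mac devices that haven't been patched?' over inventory records.
    Non-Mac records are skipped; a missing or unparseable version is flagged for review
    rather than silently treated as patched."""
    hits = []
    for rec in inventory:
        if rec.get("platform") != "macOS":
            continue
        ver = rec.get("os_version")
        try:
            if ver is None or is_unpatched(ver):
                hits.append(rec["hostname"])
        except ValueError:
            hits.append(rec["hostname"])  # unknown version: treat as unpatched until checked
    return sorted(hits)


# Constructed sample records, not real hosts; "11.10" is a made-up value that only
# exists to show the string-vs-numeric ordering problem.
SAMPLE_INVENTORY = [
    {"hostname": "mac-01", "platform": "macOS", "os_version": "11.2.3"},
    {"hostname": "mac-02", "platform": "macOS", "os_version": "11.3"},
    {"hostname": "mac-03", "platform": "macOS", "os_version": "11.10"},
    {"hostname": "mac-04", "platform": "macOS", "os_version": None},
    {"hostname": "win-01", "platform": "Windows", "os_version": "10.0.19042"},
]

if __name__ == "__main__":
    print("Macs needing attention:", unpatched_hosts(SAMPLE_INVENTORY))
```

In a real CMDB the same function would run over the exported records; the assumption that every Mac below 11.3 needs attention is deliberately conservative.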
That Shlayer can circumvent the Mac’s native defensive tools, said Schless, “shows how important it is for security teams to implement a zero-trust mindset.”
Assuming that devices aren’t secure can help prevent a major data breach. “Malware is usually smart enough to lurk in the background until it detects a connection to corporate resources that it can take advantage of,” Schless said.