Security researchers report that a zero-day attack bypassing macOS's anti-malware feature is 'being tested'


Researchers have found that someone is testing zero-day attacks with malware called 'OSX/Linker', which exploits a vulnerability in the macOS security feature 'Gatekeeper'. Apple has been notified of the vulnerability, but it had not been fixed at the time of writing, so network administrators and general users are being warned.

OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass | The Mac Security Blog

New Mac Malware Sails Right Through Apple's Defenses

New Mac Malware Exploits GateKeeper Bypass Bug that Apple Left Unpatched

macOS uses a technology called Gatekeeper as its anti-malware feature. Gatekeeper performs various checks, such as verifying the code-signing certificate, before allowing a macOS application to run. Gatekeeper applies to apps downloaded directly from the Internet as well as to apps installed directly.

However, on May 24, 2019, security researcher Filippo Cavallarin disclosed that 'Mac OS X is vulnerable to a GateKeeper bypass.' According to Cavallarin, macOS treats apps downloaded from the Internet differently from apps on network shares, and regards a network share directory as a 'safe place that does not require checking.' Therefore, if an attacker mounts a location containing malware as a network share, it can be delivered to the target Mac.

One way to do this is to create, on an NFS server, a symbolic link to the app the attacker wants run, include that link in a ZIP file, and have the target download the ZIP file. Since macOS does not check where a symbolic link points when it decompresses the ZIP file, it is apparently possible to reach a state in which the app can be installed without any Gatekeeper check.
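Because the trick relies on a symbolic link inside an archive pointing outside it, a defender can inspect downloaded ZIP files for exactly that. The following scanner is an added example written for this article, not code from Intego or Cavallarin: it lists every symlink entry in a ZIP and flags those whose target is an absolute path or climbs out of the archive with `..`. The sample archive it builds, including the target path `/Volumes/remote-share/Example.app`, is constructed for the demonstration.

```python
import stat
import zipfile
from io import BytesIO


def symlink_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, link_target) for every symbolic link stored in the archive.

    Unix ZIP writers keep the POSIX mode in the high 16 bits of external_attr and
    store the link target as the entry's (uncompressed) data.
    """
    found = []
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", errors="replace")
                found.append((info.filename, target))
    return found


def suspicious_links(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Symlinks whose target leaves the archive: absolute paths or parent traversal."""
    return [
        (name, target)
        for name, target in symlink_entries(zip_bytes)
        if target.startswith("/") or ".." in target.split("/")
    ]


def build_sample_zip() -> bytes:
    """Constructed sample: one ordinary file, one harmless relative symlink,
    and one symlink to an absolute path on a (hypothetical) mounted share."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "ordinary file\n")
        for name, target in [
            ("docs", "README.txt"),
            ("Example.app", "/Volumes/remote-share/Example.app"),
        ]:
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # 3 = Unix, so readers honour the mode bits
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)  # link target is the entry body
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in suspicious_links(build_sample_zip()):
        print(f"WARNING: symlink {name!r} -> {target!r} points outside the archive")
```

The same check can be applied to any archive before it is opened in Finder; a link to a path outside the archive is not by itself malicious, but it is the precondition the bypass described above needs.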

The following video shows how the Gatekeeper bypass works.

MacOS X GateKeeper Bypass - YouTube

Cavallarin reported the vulnerability to Apple on February 22, 2019, but made it public after Apple did not fix it within the agreed disclosure period.

Then, in mid-June, security researchers at Intego confirmed for the first time the existence of an attack exploiting the vulnerability Cavallarin disclosed. The attacks the Intego researchers found use disk image files rather than ZIP files, and are believed to be tests rather than actual attacks. The researchers say it 'seemed to be an experiment to see whether Cavallarin's method also works with disk image files.'


Although the four files uploaded to VirusTotal on June 6 linked to a piece of software on an NFS server and used the Gatekeeper vulnerability, the researchers said they were not actually meant to download malicious software. At the same time, the researchers said that 'one of the files is signed with an Apple Developer ID, which means that the OSX/Linker disk image was created by the developer of the adware called OSX/Surfbuyer.'

The researchers stated that 'network administrators should block NFS communication with global IP addresses until Apple fixes this problem,' and asked home users not to open email attachments from 'unknown or untrusted senders.'

Posted in Software, Security by logq_fa