Active Exploitation of Apple Zero-Day Vulnerabilities

###### Advisory Type Vulnerability Intelligence
###### CVE ID CVE-2021-30657,30663, 30665, 30666
###### Vulnerability Type Remote Code Execution [RCE]
###### Vulnerable Application Apple iPhone WebKit Engine
###### Affected Platform iOS/macOS/watchOS

Executive Summary

Adversaries are actively targeting and exploiting zero-day vulnerabilities in iOS. Based on the security advisories posted by Apple, critical bugs are present in the WebKit Engine, a browser rendering engine that is used in web browsers like Safari (iOS) and other applications that render HTML. The bugs that were publicly disclosed, when exploited, led to remote code execution on affected systems.

A recent 0-day, dubbed CVE-2021-30657, is responsible for client-side attack vectors involving malware execution by bypassing Apple’s File Quarantine, Gatekeeper, and Notarization security checks. This bug is actively exploited in the wild by Shlayer Malware.

Threat Vector

The bug is triggered when the victim visits a malicious website hosted by the threat actor.

image
Active malware campaigns targeting apple 0-days

image

Shlayer Malware

Apple patched the zero-day, CVE-2021-30657, that was targeting MacOS and exploited in the wild by Shlayer malware to bypass Apple’s File Quarantine, Gatekeeper, and Notarization security checks in order to download second-stage malicious payloads.

Impact

  • RCE leads to unauthorized access to the target device’s OS and file systems, leading to user data compromise.
  • Attackers gain arbitrary code execution on the victim device leading to compromise of device control and security.
  • Security bypass vulnerabilities can lead to execution of malwares by bypassing the security features installed on the device.

Mitigations

For CVE-2021-30663/ CVE-2021-30665/ CVE-2021-30666

  • The list of affected devices include:
    • iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
    • macOS Big Sur
    • Apple Watch Series 3 and later
  • The bugs have been patched in recent updates including iOS 14.5.1, iOS 12.5.3, macOS Big Sur 11.3.1, and watchOS 7.4.1

For CVE-2021-30657

  • Apple has fixed the bug in macOS 11.3.
1 Like