Apple macOS Gatekeeper Bypass Vulnerability Exploited in the Wild

Issued: 
Thursday, 27 May, 2021
Last Revision: 
Thursday, 27 May, 2021
Vendor: Apple
Product: macOS
Severity Level: 
Summary: 

A new vulnerability has been discovered in Apple macOS Gatekeeper and is being exploited in the wild against macOS users. Tracked as CVE-2021-30657, it could allow attackers to bypass the security checks macOS performs on downloaded software and execute code on victims' machines by crafting a malicious disk image and app file for macOS.

Because this flaw is already being used by malicious actors to deploy malware on victims, the updates below should be applied as soon as possible to prevent exploitation and the security incidents that could follow.

Recommendation: 

Apple has released security updates addressing this issue and others, which can be found at the link below:
It is important to apply these updates as soon as possible to prevent vulnerability exploitation.

IOC: 

Please find below some indicators of compromise linked to the Shlayer malware, which has been found exploiting CVE-2021-30657 to gain code execution on victims (source: JAMF):

File Hashes:

  • AdobeFlashPlayer.dmg → 55869270ed20956e5c3e5533fb4472e4eb533dc2
  • 1302.app/Contents/MacOS/1302 → 085a136c03f8b024a173068768c67b1a5ad928c1
  • Bundlore Dropped Executable → 20ac95c44549710a434902267394525333e96c0b

Domains:

  • supportversion[.]yourlinkforplaceforupgrading[.]info
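As an added example (not code from Q-CERT or JAMF), the following Python script turns the indicators listed above into a local check: it hashes every file under a directory and reports matches against the listed hashes, and it searches text such as DNS or proxy logs for the listed domain. The hash algorithm is assumed to be SHA-1 from the 40-hex-digit length; the advisory does not state it.

```python
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the advisory above. The 40-hex-digit length is
# consistent with SHA-1; that they are SHA-1 digests is an assumption.
IOC_HASHES: Dict[str, str] = {
    "55869270ed20956e5c3e5533fb4472e4eb533dc2": "AdobeFlashPlayer.dmg",
    "085a136c03f8b024a173068768c67b1a5ad928c1": "1302.app/Contents/MacOS/1302",
    "20ac95c44549710a434902267394525333e96c0b": "Bundlore Dropped Executable",
}
IOC_DOMAINS_DEFANGED = ["supportversion[.]yourlinkforplaceforupgrading[.]info"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b' for matching."""
    return indicator.replace("[.]", ".")


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so large .dmg files are not read into RAM at once."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path, iocs: Dict[str, str] = IOC_HASHES) -> List[Tuple[Path, str, str]]:
    """Walk root and return (path, sha1, ioc_label) for every file whose hash is an IOC."""
    hits: List[Tuple[Path, str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # skip links and special files; only regular files are hashed
            digest = sha1_of_file(path)
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def find_domains(text: str, domains: Iterable[str] = IOC_DOMAINS_DEFANGED) -> List[str]:
    """Return the refanged IOC domains that occur in text (e.g. DNS query logs)."""
    lowered = text.lower()
    return [refang(d) for d in domains if refang(d).lower() in lowered]


if __name__ == "__main__":
    import sys
    for path, digest, label in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"MATCH {label}: {path} ({digest})")
```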