Active Exploitation of Apple Zero-Day Vulnerabilities

A recent 0-day, dubbed CVE-2021-30657, is responsible for client-side attack vectors involving malware execution and is being exploited by Shlayer malware.

Updated on

April 19, 2023

Published on

July 14, 2021

Read MINUTES

Subscribe to the latest industry news, threats and resources.

Table of Contents

This is also a heading
This is a heading

Advisory Type	Vulnerability Intelligence
CVE ID	CVE-2021-30657,30663, 30665, 30666
Vulnerability Type	Remote Code Execution [RCE]
Vulnerable Application	Apple iPhone WebKit Engine
Affected Platform	iOS/macOS/watchOS

Executive Summary

Adversaries are actively targeting and exploiting zero-day vulnerabilities in iOS. Based on the security advisories posted by Apple, there are critical bugs present in the WebKit Engine, a browser rendering engine that is used in web browsers like Safari (iOS) and other applications that render HTML. The bugs that were publicly disclosed, when exploited, led to remote code execution on affected systems. A recent 0-day, dubbed CVE-2021-30657, is responsible for client-side attack vectors involving malware execution by bypassing Apple’s File Quarantine, Gatekeeper, and Notarization security checks. This bug is actively exploited in the wild by Shlayer Malware.

Threat Vector

The bug is triggered when the victim visits a malicious website hosted by the threat actor.

CVE	Type	Description
CVE-2021-30663	Integer Overflow/RCE	An integer overflow vulnerability that could be exploited to craft malicious web content, which may lead to code execution
CVE-2021-30665	Memory Corruption/RCE	A memory corruption issue that could be exploited to craft malicious web content, which may lead to code execution
CVE-2021-30666	Buffer Overflow/RCE	A buffer overflow vulnerability that could be exploited to craft malicious web content, which may lead to code execution

Active malware campaigns targeting apple 0-days

CVE	Type	Description
CVE-2021-30657	Security Bypass	Bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks [mac OS]

Shlayer Malware

Apple patched the zero-day, CVE-2021-30657, that was targeting MacOS and exploited in the wild by Shlayer malware to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks in order to download second-stage malicious payloads.

Impact and Mitigation

Impact

Mitigation

RCE leads to unauthorized access to the target device’s OS and file systems, leading to user data compromise.
Attackers gain arbitrary code execution on the victim device leading to compromise of device control and security.
Security bypass vulnerabilities can lead to execution of malwares by bypassing the security features installed on the device.

For CVE-2021-30663/ CVE-2021-30665/ CVE-2021-30666:

The list of affected devices include:
- iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- macOS Big Sur
- Apple Watch Series 3 and later
The bugs have been patched in recent updates including iOS 14.5.1, iOS 12.5.3, macOS Big Sur 11.3.1, and watchOS 7.4.1

For CVE-2021-30657:

Apple has fixed the bug in macOS 11.3.

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Table of Contents

This is also a heading
This is a heading

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action

November 15, 2023

CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks

November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.

Schedule a Demo

Real time Threat Intelligence Data

More information and context about Underground Chatter

On-Demand Research Services

Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.

Trusted by 400+ Top organisations

Get started

Learn more