New Mac malware exploit for Gatekeeper can bypass your macOS in seconds, and it’s still unpatched!

Cybersecurity researchers issued a big warning today: active exploitation has been found of an unpatched security vulnerability in Apple’s macOS Gatekeeper security feature.

This new threat has already been found in multiple samples of new macOS malware that can execute untrusted code on macOS without displaying any warning or asking for any kind of permission.

For those who still don’t know, Gatekeeper is a security feature built into Apple macOS that demands that code be signed and also verifies downloaded applications before allowing them to run. This means that, if an untrusted application is downloaded from the Internet, Gatekeeper will flag this action and inform the user immediately.

But Gatekeeper has a big design flaw: it treats both external drives and network shares as “safe locations”. This means that users can run any application from those locations without any of Gatekeeper’s security measures applying.

Remember, everything can be hacked. In order to stay away from any threats related to the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.

Starting from this security flaw, hackers found a way to exploit this behavior with the help of two other legitimate features of the macOS operating system: zip archives that can contain symbolic links, and automount endpoints. Attackers used these features to automatically mount a network share from a remote server.

Once a victim opens a maliciously crafted ZIP archive and follows the link, they will end up on the hacker-controlled network share, which is trusted by Gatekeeper by default, meaning that any malicious executable files can be run without any warning from this point on.

The bad news doesn’t end here: it seems that this newly discovered technique does not depend on ZIP archives alone; disk image files (.dmg) can be used too.
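As an added illustration (not code from the original article or from the researchers), here is a small Python scanner a defender could run over a downloaded archive to flag the ingredient described above: a symbolic link inside a ZIP whose target resolves into the macOS automounter namespace. It assumes the default automount map, where `/net` is the automounter’s host map, and it builds its own constructed sample archive for testing rather than using any real malware.

```python
"""Scan a ZIP archive for symlink entries that point into macOS automount paths.

Such a link, when followed after extraction, can cause the automounter to
mount a remote network share, the location class the article says Gatekeeper
trusts by default.
"""
import io
import stat
import zipfile

# Automounter prefixes that can trigger a remote mount when traversed.
# Assumption: default macOS auto_master, whose -hosts map is mounted at /net.
AUTOMOUNT_PREFIXES = ("/net/",)


def zip_symlinks(data: bytes):
    """Yield (entry_name, link_target) for every symlink entry in the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # The Unix mode bits live in the high 16 bits of external_attr.
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                # For a symlink entry the member's data is the link target.
                yield info.filename, zf.read(info).decode("utf-8", "replace")


def suspicious_links(data: bytes):
    """Return symlink entries whose target points into an automount path."""
    return [
        (name, target)
        for name, target in zip_symlinks(data)
        if target.startswith(AUTOMOUNT_PREFIXES)
    ]


def build_sample_zip(link_name: str, target: str) -> bytes:
    """Constructed test archive: one benign file plus one symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "benign file\n")
        info = zipfile.ZipInfo(link_name)
        info.external_attr = (stat.S_IFLNK | 0o755) << 16  # mark entry as a symlink
        zf.writestr(info, target)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder hostname (example.invalid); no real server is contacted.
    sample = build_sample_zip("app", "/net/example.invalid/share/app")
    for name, target in suspicious_links(sample):
        print(f"suspicious symlink {name!r} -> {target!r}")
```

Scanning only parses the archive in memory; nothing is extracted, so the automounter is never triggered during the check.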

Cybersecurity experts advise that, until Apple patches this issue, all macOS users block NFS communications with external IP addresses and do not open email attachments from unknown or suspicious senders.

We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; tests like this include penetration testing and ethical hacking.