It is unclear how much money the REvil gang is expecting from Apple now. Known customers of Quanta Computer include some of the biggest laptop vendors in the world, such as HP, Dell, Microsoft, Toshiba, LG, Lenovo, and many others.Ī source familiar with the Quanta negotiations said the REvil gang asked for a $50 million ransom demand, similar to the sum they requested from laptop maker Acer last month. “We recommend that Apple buy back the available data by May 1.” “Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands,” the REvil operators wrote. In addition, Wardle urged macOS users to enable automatic updates for the operating system and deploy an endpoint detection and respond product that is Mac-centric.Furthermore, the ransomware gang also hinted that the data of other companies might also be leaked online.
Apple's notary service, which is an automated scan for malicious items and code-signing issues, allows developers to obtain a kind of stamp of approval of the software from Apple. To protect against these types of script-based macOS malware, Wardle offered one simple bit of advice: Users should block any downloading of non-notarized code. "Both of these were not found by complex fuzzing the flaws were found inadvertently." "MacOS still has pretty shallow protections," Wardle said. Wardle says that the two vulnerabilities show how the macOS could potentially come under fire from malware attacks not as the result of bugs in the code, but rather loopholes in the way the logic of the macOS has evolved over decades.
Still, given the relative lack of macOS malware threats in comparison to Windows and Linux, users may be more cavalier with running untrusted apps.īoth bugs were reported to Apple last year and have since been patched.
In both cases, the bugs would require users to download and open the applications, so an attack would rely on social engineering to an extent, making the risk less severe.
Apple security expert Patrick Wardle suggested users block any non-notarized items on their systems to prevent macOS malware from taking root. With this flaw, an attacker would be able to tinker with the scripted path on an application to cause Apple's security extensions to leave key variables set as "null." When those variables are set, checks on whether an application is authorized and safe to run do not get performed and, as a result, malware could potentially go unchecked. Similarly, CVE-2021-30853 relied on an issue in the way the macOS checks applications on launch. Wardle noted that CVE-2021-30657 was exploited as a zero-day vulnerability in the wild last year. "Because it was missing an ist file, the system said no problem."Īs a result, macOS malware could potentially run on a system without being caught by Apple's own security tools and checks. "In the Finder and system point of view, it is an application," Wardle explained. When built without the ist file, an application will use secondary tools to launch that will not make the normal security checks. The problem, Wardle said, lay within the way macOS dealt with scripted applications. Wardle found that when certain types of applications do not contain the ist file, they will not be subject to the scanning tools Apple normally uses to screen out dangerous apps. In the case of CVE-2021-30657, an attacker would be able to bypass the security checks Apple normally provides simply by leaving out a single file. To illustrate his point, Wardle pointed to two vulnerabilities, CVE-2021-30657 and CVE-2021-30853, which both relied not on technical software vulnerabilities in the macOS operating system, but rather loopholes in the logic of the operating system that would allow applications to do things they should not. Wardle told attendees that often the vulnerabilities attackers need to compromise Macs come not from tirelessly fuzzing apps and reverse engineering code, but rather from simply working in the tech giant's blind spots.
Patrick Wardle, founder of the Objective-See Foundation and a prominent iOS and macOS security researcher, spoke about macOS threats at RSA Conference 2022 in San Francisco on Monday.