A rise in the adoption of macOS devices across corporate environments is drawing increased attention from threat actors, according to new research.
The new report from Interpres Security detailed the ‘return’ of threat actors manipulating the transparency, consent, and control (TCC) database manipulation by nation-state threat actors, specifically those with links to North Korean security services.
Once prized for their security properties, Apple devices and Macs in particular have been targeted by hackers exploiting a number of vulnerabilities in recent years. This includes instances such as the Achilles Gatekeeper flaw.
The report noted that growing numbers of businesses are adopting Mac systems and that this increased corporate market share is inviting an increased volume of attacks.
According to statistics cited in the report from Statcounter, corporations are increasingly opting for MacBooks. Apple has progressed from a 3% market share to nearly 17% over the last 14 years, averaging 1% growth per year.
In addition, Interpres noted threat actors are targeting a more technical audience, such as developers and engineers, who typically use macOS devices and if compromised are more likely to have privileged access to sensitive information or critical systems.
In a survey of over 87,000 developers in 2023, Stack Overflow found one in three developers use macOS in their professional life. As a result, hackers are adapting their attacks to be cross-compatible with macOS, according to Interpres, predicting this trend will continue.
Targeting the TCC framework with CloudMensis
Interpres’ investigation outlined how new techniques allow attackers to manipulate the TCC framework to make macOS systems vulnerable to attack.
The TCC framework manages app permissions in macOS, ensuring unauthorized entities cannot access sensitive information and system settings.
The framework has been targeted by threat actors in the past, with attacks centered around accessing and modifying the TCC.db file to give themselves permissions without prompting the user, or even supplying their own TCC.db file entirely.
Apple introduced the System Integrity Protection (SIP) to defend against these attacks with the launch of macOS Yosemite, but the feature did not entirely curtail security incidents.
Microsoft published details of a vulnerability that allowed attackers to remotely bypass SIP, known as Migraine, in May 2023 warning “cross-platform threats continue to grow”.
Across the investigation, Interpres focused on the techniques of notorious North Korean threat actor, the Lazarus Group, responsible for notable attacks involving Sony, WannaCry, and JumpCloud.
Interpres found the group’s recent methods involved deploying macOS malware strain CloudMensis, which leverages the csrutil command to query the status of SIP protection.
CloudMensis employs two techniques to get around TCC which allow the attacker to gain control of the victim’s screen and scan removable storage for ‘documents of interest’, while also logging keyboard events.
If SIP is disabled, CloudMensis adds entries to the TCC.db file to grant itself further permissions.
If the target is running any version of macOS Catalina 10.15.6 or earlier, then even if SIP is enabled the malware will exploit a vulnerability to make the TCC daemon load a database that CloudMensis can write to.
According to the report, enterprises running up-to-date MacBooks with SIP enabled are protected against CloudMensis, but it does note a number of other TCC-targeting malware strains that can be deployed against macOS environments.
These families included Bundlore, Callisto, the BlueBlood keylogger, and unspecified, novel macOS trojans that are yet to be labeled by VirusTotal.
