The increased adoption of macOS devices in corporate environments is attracting increasing attention from threat actors, according to new research.
A new report from Interpres Security details the “return” of nation-state threat actors manipulating the Transparency, Consent and Control (TCC) database, specifically actors with ties to North Korea's security services.
Apple devices, and Macs in particular, once prized for their security properties, have been targeted by hackers exploiting a number of vulnerabilities in recent years. This includes cases such as the Achilles Gatekeeper flaw.
The report noted that an increasing number of companies are adopting Mac systems and that this greater share of the corporate market is leading to a higher volume of attacks.
According to Statcounter figures cited in the report, corporations are increasingly opting for MacBooks. Apple has gone from a 3% market share to almost 17% over the last 14 years, with average growth of 1% annually.
Additionally, Interpres noted that threat actors target a more technical audience, such as developers and engineers, who typically use macOS devices and, if compromised, are more likely to have privileged access to sensitive information or critical systems.
In a survey of more than 87,000 developers in 2023, Stack Overflow found that one in three developers uses macOS in their professional life. As a result, hackers are adapting their attacks to be compatible with macOS, according to Interpres, which predicts that this trend will continue.
Targeting the TCC framework with CloudMensis
Interpres research described how new techniques allow attackers to manipulate the TCC framework to make macOS systems vulnerable to attacks.
The TCC framework manages app permissions on macOS, ensuring that unauthorized entities cannot access sensitive information or system settings.
The framework has been targeted by threat actors in the past, with attacks focusing on accessing and modifying the TCC.db file to grant themselves permissions without prompting the user, or even providing their own TCC.db file entirely.
Apple introduced System Integrity Protection (SIP) to defend against these attacks with the release of macOS Yosemite, but the feature has not fully prevented such incidents.
Microsoft published details of a vulnerability, known as Migraine, that allowed attackers to bypass SIP remotely in May 2023, warning that “cross-platform threats continue to grow.”
Throughout the investigation, Interpres focused on the techniques of the notorious North Korean threat actor, the Lazarus Group, responsible for notable attacks involving Sony, WannaCry, and JumpCloud.
Interpres discovered that the group's recent methods involved deploying the CloudMensis malware strain for macOS, which leverages the csrutil command to query the status of SIP protection.
CloudMensis employs two TCC bypass techniques that allow the attacker to gain control of the victim's screen and scan removable storage for “documents of interest,” while also logging keyboard events.
If SIP is disabled, CloudMensis adds entries to the TCC.db file to grant itself more permissions.
If the target is running any version of macOS Catalina 10.15.6 or earlier, even if SIP is enabled, the malware will exploit a vulnerability to cause the TCC daemon to load a database that CloudMensis can write to.
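As an added example (not code from the Interpres report or from CloudMensis), the check below shows the defender's side of the two conditions described above: it parses the `csrutil status` text to confirm SIP is enabled, then audits a TCC-style `access` table for grants of sensitive services (screen capture, input monitoring, removable volumes) to clients that are not on an allowlist. The table schema is a simplified model of the TCC.db `access` table and the `auth_value = 2` (allowed) convention is assumed from the post-Big Sur schema; the rows, bundle identifiers and paths are constructed sample data. On a real Mac the system database lives at `/Library/Application Support/com.apple.TCC/TCC.db` and reading it requires Full Disk Access.

```python
import re
import sqlite3

# Real macOS TCC service identifiers whose grants give screen, input or
# volume access, i.e. the capabilities the article attributes to CloudMensis.
SENSITIVE_SERVICES = {
    "kTCCServiceScreenCapture",
    "kTCCServiceAccessibility",
    "kTCCServiceListenEvent",
    "kTCCServiceSystemPolicyRemovableVolumes",
    "kTCCServiceSystemPolicyAllFiles",
}

# Assumed from the post-Big Sur TCC.db schema: auth_value 2 means "allowed".
AUTH_ALLOWED = 2


def parse_csrutil_status(output: str) -> bool:
    """Return True when the text of `csrutil status` reports SIP enabled."""
    match = re.search(r"System Integrity Protection status:\s*(\w+)", output)
    if match is None:
        raise ValueError("unrecognised csrutil output")
    return match.group(1).lower() == "enabled"


# Constructed sample rows (not real data): an expected screen-sharing client,
# an expected accessibility client, a denied camera request, and grants to
# an unexpected executable path and an unexpected bundle.
SAMPLE_ROWS = [
    ("kTCCServiceScreenCapture", "us.zoom.xos", 0, AUTH_ALLOWED),
    ("kTCCServiceAccessibility", "com.example.ITAgent", 0, AUTH_ALLOWED),
    ("kTCCServiceCamera", "com.example.Chat", 0, 0),
    ("kTCCServiceScreenCapture", "/Users/Shared/.updater", 1, AUTH_ALLOWED),
    ("kTCCServiceSystemPolicyRemovableVolumes", "/Users/Shared/.updater", 1, AUTH_ALLOWED),
    ("kTCCServiceListenEvent", "com.example.Chat", 0, AUTH_ALLOWED),
]

# Hypothetical organisation allowlist: service -> clients expected to hold it.
ALLOWLIST = {
    "kTCCServiceScreenCapture": {"us.zoom.xos"},
    "kTCCServiceAccessibility": {"com.example.ITAgent"},
}


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory table shaped like a simplified TCC.db 'access' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_suspicious_grants(conn: sqlite3.Connection, allowlist: dict) -> list:
    """Return (service, client) pairs holding a sensitive grant without being allowlisted."""
    rows = conn.execute(
        "SELECT service, client FROM access WHERE auth_value = ? "
        "ORDER BY service, client",
        (AUTH_ALLOWED,),
    ).fetchall()
    return [
        (service, client)
        for service, client in rows
        if service in SENSITIVE_SERVICES
        and client not in allowlist.get(service, set())
    ]


def audit(csrutil_output: str, conn: sqlite3.Connection, allowlist: dict) -> list:
    """Combine the SIP check and the grant audit into a list of findings."""
    findings = []
    if not parse_csrutil_status(csrutil_output):
        # With SIP off, TCC.db is writable by root, so every grant is untrusted.
        findings.append("SIP disabled: TCC.db is writable; treat all grants as untrusted")
    for service, client in find_suspicious_grants(conn, allowlist):
        findings.append(f"unexpected grant: {client} -> {service}")
    return findings


if __name__ == "__main__":
    # Constructed csrutil output for a machine with SIP turned off.
    for line in audit("System Integrity Protection status: disabled.",
                      build_sample_db(), ALLOWLIST):
        print(line)
```

In practice the `csrutil status` text comes from running the command on the host and the connection is opened read-only on a copy of the real database; the allowlist is the part worth maintaining, since a grant to an unfamiliar path under a user-writable directory is the signal, not the service name alone.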
According to the report, companies running updated MacBooks with SIP enabled are protected against CloudMensis, but it points to other malware strains targeting TCC that can be deployed in macOS environments.
These families include Bundlore, Callisto, the BlueBlood keylogger, and unspecified novel macOS Trojans that have not yet been tagged by VirusTotal.