This month, MITRE will be adding two sub-techniques to its ATT&CK database that have been widely exploited by North Korean threat actors.
Both TCC manipulation and phantom DLL hijacking have allowed North Korean hackers to gain privileged access to macOS and Windows environments, respectively, from which they could perform espionage and other post-exploitation actions.
One way North Korean advanced persistent threats have been breaching Macs lately is via TCC (Transparency, Consent, and Control), the macOS framework that controls application permissions.
The former is protected by permissions (a user would need Full Disk Access, or something similar), the latter by System Integrity Protection (SIP), a feature first introduced with macOS Sierra.
Theoretically, privileges and SIP are guards against malicious TCC access.
When SIP is switched off, or FDA has been granted, attackers have a window to access the TCC database and grant themselves permissions without alerting the user.
There are a number of other ways to potentially get through TCC, too.
Some sensitive directories such as /tmp fall outside of TCC's domain entirely.
The Finder app has FDA enabled by default, and it's not listed in the user's Security & Privacy window, meaning that a user would have to be independently aware and manually revoke its permissions.
Attackers can also use social engineering to talk users into disabling security controls.
A number of malware tools have been designed to manipulate TCC, including Bundlore, BlueBlood, Callisto, JokerSpy, XCSSET, and other unnamed macOS Trojans recorded on VirusTotal.
Liang identified Lazarus Group malware that attempts to dump the access table from the TCC database, and CloudMensis, attributed to APT37, which doggedly checks whether SIP is disabled so that it can load its own malicious database.
Dark Reading contacted Apple for a statement regarding TCC abuses and received no reply.
To block attackers from taking advantage of TCC, the most important thing is keeping SIP enabled.
Short of that, Liang highlights the need to know which apps have what permissions in your system.
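Knowing which apps hold which TCC permissions can be checked directly against the database. The following audit script is an added example, not code from the article or from Liang; it assumes the `access` table layout used by macOS 11 and later (service, client, auth_value, csreq) and builds a constructed sample database so it runs offline. Reading the real system database needs Full Disk Access (or SIP off), the same guard described above, so a defender would run it from an FDA-granted terminal or against a copy collected by an EDR/MDM agent.

```python
"""Audit a copy of TCC.db for sensitive grants (added example, not the article's)."""
import os
import sqlite3
import tempfile

# Services that confer broad access, named as tccd stores them in the `access` table.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAppleEvents": "Automation",
}
AUTH_ALLOWED = 2  # auth_value meaning "allowed" on macOS 11+ (older builds used an `allowed` column)


def audit_tcc_db(db_path: str) -> list:
    """List allowed sensitive grants and flag rows with no code-signing requirement.

    tccd records a csreq blob for grants it writes itself; a row inserted directly
    into the database usually leaves csreq NULL, so NULL on an allowed row is a lead.
    """
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # read-only: never alter it
    try:
        rows = conn.execute("SELECT service, client, auth_value, csreq FROM access").fetchall()
    finally:
        conn.close()
    return [
        {"client": client, "permission": SENSITIVE_SERVICES[service], "suspicious": csreq is None}
        for service, client, auth_value, csreq in rows
        if service in SENSITIVE_SERVICES and auth_value == AUTH_ALLOWED
    ]


def run_demo() -> list:
    """Build a constructed sample database (subset of the real schema) and audit it."""
    path = os.path.join(tempfile.mkdtemp(), "TCC.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                 "auth_value INTEGER, csreq BLOB)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, b"\xfa\xde\x0c\x00"),
        ("kTCCServiceAccessibility", "com.example.helper", 0, 2, None),  # looks hand-inserted
        ("kTCCServiceCamera", "com.example.meet", 0, 2, b"\xfa\xde\x0c\x00"),  # not audited
        ("kTCCServiceScreenCapture", "com.example.rec", 0, 0, None),  # denied, so ignored
    ])
    conn.commit()
    conn.close()
    return audit_tcc_db(path)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```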
Phantom DLL Hijacking
Besides TCC vulnerabilities, APAC-area threat actors have been exploiting an even stranger flaw in Windows.
For some reason, the operating system references a number of DLL files that don't actually exist.
Attackers can simply create their own malicious DLLs with the same names, write them to the same locations, and they'll be loaded by the operating system with nobody the wiser.
The Lazarus Group and APT41 have used this tactic with IKEEXT, a Windows service that handles authentication and key exchange for IPsec (Internet Protocol Security).
Until Windows rids itself of phantom DLLs, Liang highly recommends that companies run monitoring solutions, deploy proactive application controls, and automatically block remote loading of DLLs, a feature included by default in Windows Server.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 11 Apr 2024 20:05:31 +0000