Executive Summary

Open Sources Intelligence (OSINT) conducted by Black Arrow Cyber have identified a number of threats against the Apple ecosystem, with some threats reported to have nation state involvement. It is important to highlight that any internet-abled product can be a target for attackers, therefore appropriate protective controls should always be considered for all devices, especially those that are used to directly access sensitive information.

MacOS “Migraine” Vulnerability

Recently, Microsoft revealed a new macOS vulnerability dubbed “Migraine” (CVE-2023-3269) which impacts vulnerable apple devices which run macOS. The vulnerability allows an attacker with root access, which is the highest level of permissions to bypass the built in security protections, gaining remote code execution and the ability to create undeletable malware, tamper with the integrity of systems and expand the attack to the rest of the network. Apple has released a security patch which addresses this vulnerability, further details can be found at the bottom of this post.

iOS “Operation Triangulation”

Reports have identified a new mobile state-sponsored advanced persistent threat group that has been targeting iOS devices as part of an attack campaign labelled “Operation Triangulation”. the campaign is carried out using an invisible iMessage with a malicious attachment, which when executed on a device installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. The spyware then quietly transmits private information to remote servers; this includes microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device. This trojan is targeting middle and upper management staff with the only workaround currently being a complete reset of the device.

Complex toolkit with files allowing backdoor capabilities targeting macOS

Bitdefender researchers have recently discovered a set of malicious files that are part of a sophisticated toolkit targeting Apple macOS systems. This malicious attack allows an attacker to gather system information, run commands, download and execute files on the victim’s machine, and to terminate the exploit script. The malicious files predominantly target macOS Monterey (version 12) and newer.

Growing Malware Threats to macOS

In addition to this, additional growing threats to macOS have been recorded in the wild. This includes:

- Threat actor groups Lazarus and BlueNoroff have been using malware dubbed “RustBucket” in financially motivated attacks to target users and steal victim’s data.  

- Reports identifying ransomware gangs, including the infamous Lockbit, developing encryption that targets macOs, specifically their M1 chips. There is no current working version of this malware.

- A rise in the use of XCSSET malware, which exploits multiple zero-days found in the Apple safari browser to download a developer version of the app on the target’s device giving it access to data from other apps such as Skype, Telegram, notes, and screen recorders.

-  An increase in the use of malware-as-a-service (MaaS), such as Atomic macOS Stealer which is capable of stealing passwords, credentials, cookies, browser data, auto-fills, and other important information and MacStealer, which extracts information from compromised systems.

- The well known 3CX attack in which the state-sponsored APT’s had altered the MacOS version of the 3CX desktop client to deliver further malware, and exfiltrate it.

Mac Vulnerabilities

Looking at the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalogue, there have been 36 actively recorded exploits relating to devices running macOS devices since 2021.  

What’s the risk to me or my business?

An organisation which excludes the security of any asset, relying on reputation or built-in protections alone, is leaving themselves open to potential compromise of the confidentiality, integrity and availability of the data which is held on the asset and is accessed through the asset, which includes Apple devices. Such assets include devices that are purchased by the organisation to be used as corporate devices and those that are personally owned by employees being used as part of Bring Your Own Device schemes.

What can I do?

Endpoint Protective Technologies and Security Hardening including anti-malware, Firewalls and detective solutions should be considered for all endpoints, including those that run Windows, macOS, Linux, Android and iOS.

Organisation should ensure that their asset registers are up to date and include all assets which hold or access organisational information. The better view an organisations has of its attack surface, the greater their cyber resilience will be. This should be supplemented with an effective threat intelligence programme, allowing organisations to keep up to date with emerging threats.

Further information can be found here:

macOs “Migraine” Vulnerability: https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/

Lockbit Encryptors found targeting macOS: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/

iOS Operation Triangulation: https://usa.kaspersky.com/blog/triangulation-attack-on-ios/28444/

6 Growing Malware Threats to macOS: https://www.darkreading.com/endpoint/top-macos-malware-threats-proliferate

Malicious Files with Backdoor targeting macOS attack: https://www.bitdefender.com/blog/labs/fragments-of-cross-platform-backdoor-hint-at-larger-mac-os-attack/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity