Macaw Ransomware fight AV

SecPro #28: Macaw Ransomware — a fight against AV; Getting to the Apple Core with Shrootless

In today’s issue:

  •  Macaw Ransomware — a fight against AV
  •  Getting to the Apple Core with Shrootless
  •  Recent Security Issues
  •  Secret Knowledge: Building Your Security Arsenal


Macaw Ransomware — A Fight Against AV
By Joe Anich

Back in October (which feels like yesterday, but in the cyber world might as well be a year ago) we started seeing reports of a new ransomware, Macaw, whose delivery aligned with the SocGholish framework. If you're not familiar with SocGholish: users land on compromised sites that carry malicious payloads and are enticed to install fake software updates embedded in the page. That workflow looks like the figure below:

The SocGholish framework can deliver essentially any payload the attacker wants, but the most common use is dropping files that later enable human-operated ransomware, in particular the WastedLocker family. If you read the threat behavior of this ransomware (and, honestly, of many others), one of the first things it does is disable your antivirus. That is what we will key in on in a bit.

During the initial stages of these attacks, exploitation of CVE-2020-1472, the Netlogon elevation-of-privilege vulnerability later dubbed ZeroLogon, seemed to be at the center. Mimikatz was used to take advantage of the way secure channel connections to a domain controller can be improperly established over the Netlogon Remote Protocol.

Once the attacker gains this initial access, they look to spread across the environment, often using WMI or dropped tools like PsExec. After gaining access to a device, they use living-off-the-land binaries (LOLBins) like MSBuild to set up C2 channels. As they move closer to high-value targets they keep dumping LSASS, via a malicious DLL injected into svchost.exe, and add to their list of compromised accounts. Once they have an account with the access they need, they start gathering information. When they find something of value, exfiltration starts, typically with the MegaSync utility.

How to Defend Against Macaw Ransomware

The next step in the attack is preparing for the ransom. Now that the threat actor has exfiltrated what they wanted, they start breaking down defenses: antivirus, firewall, SmartScreen, and other security controls. We also see the addition of AV exclusions for .bat and .exe files and, specifically for Defender, a change to its settings to allow threats regardless of the severity level they are detected at. As you can imagine, this stage includes a trove of additional activity to improve the odds of ransoming the environment, but let's pivot to the tampering aspect and the controls available to combat it. At face value, Defender AV and Defender for Endpoint (EDR) both detect files and activity related to the Macaw attacks, but that is never enough and additional protections should always be implemented; they call it defense in depth for a reason.

First off is Tamper protection, which helps prevent things like:

  • Disabling virus and threat protection
  • Disabling real-time protection
  • Turning off behavior monitoring
  • Disabling cloud-delivered protection

The goal is to lock the Microsoft Defender Antivirus settings to their configured values, preventing them from being changed through methods like:

  • Configuring settings in Registry Editor on your Windows device
  • Changing settings through PowerShell cmdlets
  • Editing or removing security settings through Group Policy

This should be something you look at enabling immediately if you have not. Check out the docs to learn more about the settings and how you can deploy them in your environment.


A few other things I would look at enabling on the Defender AV (MDAV) side: Block at First Sight, an MDAV feature that detects new malware and blocks it within seconds when it encounters a suspicious but unfamiliar file. It immediately queries the cloud protection backend, which applies heuristics, machine learning, and automated analysis of the file to decide whether it should be blocked. Note that it depends on cloud-delivered protection and sample submission being enabled, so check those two settings alongside it. Learn more in the public documentation.

Lastly, attack surface reduction (ASR) rules should also be on your list of things to enable. There are many rules of value, but the two that come to mind in this context are:

  • Block persistence through WMI event subscription. This helps against fileless attacks that threat actors use to stay hidden and avoid leaving traces in the file system.
  • Block process creations originating from PsExec and WMI commands. This rule blocks processes created through PsExec or WMI from running on the system.

One note on the second rule: if your devices are managed by SCCM (now MECM), you may need to run it in audit mode first, as it can break the SCCM client. Reading how the operators make changes remotely over PsExec and WMI, you can see how these would be beneficial!
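To make the controls above concrete, here is an added PowerShell example (not code from the article or from Microsoft's documentation) that audits the settings a Macaw-style intrusion tampers with and enables the ones discussed above. It assumes the Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference, Add-MpPreference) are available and that it runs from an elevated prompt; the ASR rule GUIDs are the ones Microsoft publishes for the two rules named above, and the value 6 for "Allow" is the Defender ThreatAction enumeration value.

```powershell
# Added example (not the article's or Microsoft's code). Run from an elevated PowerShell.
# 1) Report the state of the controls discussed above; 2) flag the tampering Macaw
#    operators perform (extension exclusions, "Allow" default actions); 3) turn on the
#    Block at First Sight prerequisites and the two ASR rules.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# --- 1. What tamper protection guards. IsTamperProtected is read-only here: tamper
#        protection itself is switched on from Intune/MDE/Windows Security, not Set-MpPreference.
[PSCustomObject]@{
    TamperProtected    = $status.IsTamperProtected
    RealTimeProtection = $status.RealTimeProtectionEnabled
    BehaviorMonitoring = $status.BehaviorMonitorEnabled
    CloudProtection    = $pref.MAPSReporting            # 0 = off, 1 = basic, 2 = advanced
    BlockAtFirstSight  = -not $pref.DisableBlockAtFirstSeen
} | Format-List

# --- 2. The tampering described in the article.
# Exclusions for .exe/.bat (stored with or without the leading dot).
$pref.ExclusionExtension | Where-Object { $_ -match '^\.?(exe|bat)$' } |
    ForEach-Object { Write-Warning "Exclusion for executable extension: $_" }

# Default action per severity. 6 = Allow in the Defender ThreatAction enumeration;
# an attacker sets every severity to Allow so detections never quarantine anything.
foreach ($sev in 'Low', 'Moderate', 'High', 'Severe') {
    $name = "${sev}ThreatDefaultAction"
    if ($pref.$name -eq 6) { Write-Warning "$name is set to Allow (6)" }
}

# --- 3. Block at First Sight needs cloud protection and sample submission.
Set-MpPreference -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendSafeSamples `
                 -DisableBlockAtFirstSeen $false

# ASR rules named above (GUIDs from Microsoft's ASR rules reference). The PsExec/WMI
# rule starts in AuditMode: switch it to Enabled after confirming the SCCM/MECM client
# and other WMI-driven management keep working.
$asr = @{
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Enabled'    # Block persistence through WMI event subscription
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'AuditMode'  # Block process creations originating from PsExec and WMI commands
}
foreach ($id in $asr.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $asr[$id]
}

# Verify the rule state (Ids and Actions are parallel arrays).
$after = Get-MpPreference
for ($i = 0; $i -lt $after.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0} -> {1}' -f $after.AttackSurfaceReductionRules_Ids[$i], $after.AttackSurfaceReductionRules_Actions[$i]
}
```

Two caveats when using it. On a host where tamper protection is already on, local Set-MpPreference changes to the protected settings are ignored, so push the same configuration through Intune, Group Policy or the MDE portal and use the script only as an audit. And any warning it prints about an Allow default action or an .exe/.bat exclusion on a machine you did not configure that way is itself an indicator worth escalating, since that is exactly the change the operators make before dropping the ransomware.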

Exploits & Vulnerabilities

Getting to the Apple Core with Shrootless

By Austin Miller

Having previously sold itself as the OS that needs no antivirus, macOS has faced considerable challenges this year from threat actors. If you haven't been paying attention, you might have missed these key weaknesses from recent weeks:

  • Shrootless (CVE-2021-30892), identified by Microsoft: a critical vulnerability in SIP that lets an adversary hijack the protected installation process and install malware at the kernel level.
  • A watering hole attack that used iOS and macOS exploits (CVE-2021-30869), a sophisticated campaign launched mainly against Apple users in Hong Kong.

The Shrootless exploit shows an alarming weakness at the root level: it lets a malicious actor bypass the built-in root-level defense, SIP. With that in mind, here's how the Microsoft 365 Defender Research Team leveraged the weakness to gain the filesystem and kernel access that macOS normally forbids even to root.

What is System Integrity Protection (SIP)? 

Because not everyone is used to using macOS products, SIP needs to be defined.

System Integrity Protection (SIP) is defined by Apple as:

“…a security technology in OS X El Capitan and later that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac”.

In real terms, it is a security technology that restricts what even the root user can do: it stops threat actors who already have root from damaging the protected files, folders and kernel components on which the health of the system depends.

The technology is controlled by two NVRAM variables:

  • csr-active-config, a bitmask of the protections, and
  • csr-data, the store for netboot configurations

How Does Shrootless Circumvent SIP?

Shrootless is a SIP bypass; in effect it hands a malicious actor the capabilities that the following SIP configuration flags would otherwise have to be set to permit:

  • csr_allow_untrusted_kexts, allowing a threat actor to load untrusted kernel extensions
  • csr_allow_unrestricted_fs, giving threat actors access to previously inaccessible filesystem locations
  • csr_allow_unrestricted_nvram, opening up the controls to the NVRAM

Microsoft discovered the problem not in a bug in system_installd's logic but in how the daemon is entitled: it carries the com.apple.rootless.install.heritable entitlement, which lets its child processes bypass SIP's filesystem restrictions, so any process it spawns inherits that power.


This list would become the basis of the Shrootless exploit

What is the Adversary’s Goal?

By getting code to run as a child of system_installd, an attacker who already has root on the system gains the daemon's SIP bypass. By abusing how Apple-signed packages are installed, they could overwrite system files, insert specially crafted malicious files, and completely sidestep the SIP filesystem restrictions.

Using Post-Install Scripts

Whenever a .pkg is installed on macOS, system_installd handles the package. SIP would normally block modification of protected locations, but because system_installd's children inherit its bypass, a post-install script that runs under it can modify them. The trick is getting malicious code to run during the post-install stage of an otherwise legitimate, Apple-signed package.

The post-install scripts are run with Apple's default shell, zsh, and zsh sources /etc/zshenv on startup even for non-interactive shells, so a threat actor can insert a snippet of malicious code there. Microsoft's POC followed this algorithm:

Microsoft’s explanation of the algorithm used in the Shrootless exploit


Although this exploit was fairly simple, it granted access to files that can cause serious damage to macOS when handled improperly.

Using /etc/zshenv, the Microsoft Security Vulnerability Research Team was able to hook the post-install stage of a legitimate .pkg without modifying the package itself, resulting in this exploit:


Shrootless arbitrary code added via the /etc/zshenv method

If the Microsoft team could add this code, what would stop a malicious actor doing worse?

This particular intervention was harmless to the health of the system. But an attacker using the same technique would have access to SIP-protected system files and could load kernel code. That means an adversary could overwrite system files, delete necessary defenses, and bypass System Integrity Protection (SIP) entirely.

Leveraging an Attack

Somewhat more concerning from a security perspective, whoever could use /etc/zshenv could also use ~/.zshenv. This file is read the same way and gives the same result, but it doesn't need root permission at all!

Whereas the malicious /etc/zshenv exploit would only come into play in the unlikely situation where an adversary already has root access, ~/.zshenv allows anyone to edit the file system and potentially load a malicious kernel driver.

Because this latter exploit allows a malicious actor to bypass SIP protections with minimal effort, it was the more serious vulnerability. Thankfully, it was patched in the most recent batch of Apple software updates, meaning that macOS users only need to update their systems to stop this worrying exploit.

How Do I Protect My Macbook? 

If you are using macOS Catalina or later, you were potentially at risk (if you are on an earlier version, you are at risk of other vulnerabilities anyway)! Because the Microsoft 365 Defender Research Team informed Apple's security team promptly, the issue was patched before it became a problem.

To stop an adversary before they can perform arbitrary operations on your system and tamper with the kernel, update to the most recent set of patches (October 26th, 2021). Then you can rely on SIP to protect your system at the root level.
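As an added example (not Microsoft's proof of concept and not code from the article), the POSIX shell script below audits a Mac for the mechanism described above: zsh sources /etc/zshenv and $HOME/.zshenv on every start, including the non-interactive zsh that system_installd uses for post-install scripts, so those files are where a Shrootless-style hook lives. It reports SIP status with csrutil, flags hook files whose content references system_installd or SIP-protected paths, and counts pre/postinstall scripts in an expanded package (pkgutil --expand) that write to a zshenv file. The hook locations, the content heuristic and the constructed sample inputs are assumptions for the demo, not Apple or Microsoft guidance, and none of it replaces installing the patch.

```shell
#!/bin/sh
# Added example (not Microsoft's PoC or code from the article): audit a Mac for the
# zsh startup hooks that Shrootless abuses. zsh sources /etc/zshenv and $HOME/.zshenv
# on every start, including the non-interactive zsh system_installd spawns to run a
# package's post-install script, so a hostile hook there runs as a child of
# system_installd and inherits its SIP-bypassing entitlement. Locations and the
# content heuristic below are assumptions for this demo.

# Hook files zsh reads unconditionally; /var/root is root's HOME on macOS.
ZSHENV_CANDIDATES="/etc/zshenv /var/root/.zshenv $HOME/.zshenv"

# Heuristic: strings a benign zshenv almost never contains but a SIP-bypass hook needs,
# e.g. checking whether its parent is system_installd or writing under /System.
SUSPICIOUS_RE='system_installd|/System/Library|/usr/lib/|/usr/bin/|kextload|kmutil|nvram|csrutil'

# zshenv_suspicious FILE -> exit 0 if FILE exists and matches SUSPICIOUS_RE, else 1.
zshenv_suspicious() {
    [ -f "$1" ] && grep -Eq "$SUSPICIOUS_RE" "$1"
}

# scan_pkg_scripts DIR -> print the number of pre/postinstall scripts under DIR
# (an expanded package: pkgutil --expand pkg.pkg DIR) that touch a zshenv file.
# Offending lines go to stderr so the count on stdout stays machine-readable.
# Paths containing whitespace are not handled; fine for expanded packages.
scan_pkg_scripts() {
    hits=0
    if [ -d "$1" ]; then
        for script in $(find "$1" -type f \( -name preinstall -o -name postinstall \)); do
            if grep -q 'zshenv' "$script"; then
                hits=$((hits + 1))
                grep -n 'zshenv' "$script" | sed "s|^|$script:|" >&2
            fi
        done
    fi
    echo "$hits"
}

# audit_host -> report SIP state and hook files on the current machine. macOS-only
# commands are skipped when absent so the helpers above can be exercised elsewhere.
audit_host() {
    if command -v csrutil >/dev/null 2>&1; then
        csrutil status
    else
        echo "csrutil not found: not macOS, skipping SIP status"
    fi
    for f in $ZSHENV_CANDIDATES; do
        if [ -f "$f" ]; then
            if zshenv_suspicious "$f"; then
                echo "SUSPICIOUS hook: $f (matches $SUSPICIOUS_RE)"
            else
                echo "hook present, review manually: $f"
            fi
        fi
    done
}

audit_host
```

A match from zshenv_suspicious is a lead, not a verdict: a /etc/zshenv that mentions /usr/bin in a PATH export is benign, while any hook that inspects its parent process name is worth pulling for analysis. Run scan_pkg_scripts against packages from vendors you do not fully trust before installing them, since an installer's own scripts are the other place a persistence-minded attacker can plant the hook.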

More macOS Vulnerabilities

If Shrootless isn't enough for you, here are a few other vulnerabilities that came to light this year in iOS and macOS devices and are worth investigating by people with hacking on the brain:

  • CVE-2021-30869, the exploit used in a watering hole attack against iOS and macOS users in Hong Kong
  • CVE-2021-30916, a memory corruption issue in the kernel across the Apple ecosystem that could let a malicious application execute arbitrary code with kernel privileges
  • CVE-2021-30909, another kernel memory corruption issue that lets threat actors execute arbitrary code at the kernel level

For more news, check out the Apple macOS X Security Vulnerabilities page to keep up to date with the known errors for devices in the Apple ecosphere.

Recent Security Issues 

 GoDaddy's recent data breach, which affected 1.2 million customers, also affected several other WordPress hosting resellers. The resellers caught up in this massive breach include tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe. The attack came through a compromise of GoDaddy's provisioning system for managed services.

 Common cloud misconfigurations are exploited in minutes. Poorly configured cloud services can be exploited by threat actors in minutes, sometimes in under 30 seconds. Researchers at Unit 42 deployed a honeypot infrastructure of 320 nodes globally in which they deliberately misconfigured key services: Remote Desktop Protocol (RDP), Secure Shell (SSH), Server Message Block (Samba), and Postgres databases.

 The UK introduces a new law for IoT smart devices. The Product Security and Telecommunications Infrastructure (PSTI) Bill requires manufacturers to adhere to new security standards and to be transparent with customers about how they resolve security issues. Otherwise they face fines of up to £10 million or 4% of global turnover, up to £20,000 a day for continuing breaches, or having their products blocked from sale altogether.

 IBM: 2022 Cybersecurity Predictions

Following are some of the key findings from IBM’s research:

  1. More data breaches are expected through the network infiltration hacking technique
  2. Triple extortion ransomware will be a rising concern, where an attack on one business turns into extortion of its partners
  3. Cybercriminals would use Blockchain technology to obfuscate their malicious moves

When working on bug bounty programs, it is always best to hunt in a way that involves the least competition. One way of doing this is to focus on payload delivery methods or web vulnerabilities that are often missed. The bug types listed here are not crazy hacker secrets, but you should look for some of them!

 Secret Knowledge: Building Your Security Arsenal

Discover useful security resources, cheatsheets, hacks, and open-source CLI/web tools.

  • Cloud Security 
  •  AzureHunter – A cloud forensics Powershell module to run threat hunting playbooks on data from Azure and O365.
  •  Set Alternate Contacts across the AWS Organization – This script will update all the Alternate Contacts for all accounts in an AWS Organization.
  •  dco – A GitHub integration that enforces the Developer Certificate of Origin (DCO) on Pull Requests.
  • HTTP Networks 
  • – is a simple Swiss Army knife for http/https troubleshooting and profiling.
  •  siege – is an http load testing and benchmarking utility.
  •  SlowHTTPTest – is a tool that simulates some Application Layer Denial of Service attacks by prolonging HTTP.


  •  DevSec Hardening Framework – Security + DevOps: Automatic Server Hardening.
  •  AppArmor – proactively protects the operating system and applications from external or internal threats.
  •  grapheneX – Automated System Hardening Framework.

The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes.

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.