Rise in corporate Mac use invites more sophisticated hacking

Posted in macOS

Hackers are developing more complex, cross-platform tactics to take advantage of the ever-increasing Mac user base, and the latest of these target the TCC framework.

[Image: a person's hands typing on a laptop with green matrix-style code on the screen]
The Mac's increasing popularity is a blessing and a curse

The Mac's reputation for strong security is a valuable asset and a concerning liability. As more companies adopt the platform, it becomes a bigger target for hackers.

macOS's security architecture includes the Transparency, Consent, and Control (TCC) framework, which aims to protect user privacy by controlling app permissions. However, recent findings from Interpres Security show that the TCC can be manipulated to make Macs vulnerable to attack.

The TCC framework manages app permissions in macOS to safeguard sensitive information and system settings. Unfortunately, vulnerabilities within TCC allow unauthorized access to the system.

Hackers are increasingly targeting corporate users such as developers and engineers using tactics like social engineering.

TCC has a history of exploits and shortcomings, including direct modification of its database and abuse of weaknesses in System Integrity Protection. In earlier macOS versions, attackers could silently grant themselves permissions by accessing and editing the TCC.db file.

Apple introduced System Integrity Protection (SIP) to counter such attacks in macOS Sierra, but even SIP has been bypassed. For instance, in 2023 Microsoft discovered a macOS vulnerability that could entirely circumvent System Integrity Protection.

Apple has addressed some of these issues through security updates, but Interpres Security warns that attackers, like the North Korean Lazarus Group, continue to focus on Macs in corporate environments.

Besides TCC, Finder is also a potential attack vector. Finder has Full Disk Access by default, and that grant does not appear in the Security & Privacy permission list, so it stays hidden from users.

If Finder is granted access to Terminal, that grant is permanent unless it is manually revoked. An actor who abuses Finder could therefore gain control over Terminal and, with it, access to the disk.
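As an added example (not code from the article or from Interpres Security), a small Python audit that reads a copy of a TCC database and lists the two kinds of grant discussed above: Full Disk Access, and Apple Events permission to control Terminal. The `access` table columns and the meaning of `auth_value` are assumptions about the macOS 11+ schema, and reading the real TCC.db itself requires Full Disk Access; the sample rows are constructed.

```python
import sqlite3
import sys

# TCC service names behind the Finder/Terminal discussion above.
FULL_DISK = "kTCCServiceSystemPolicyAllFiles"   # Full Disk Access
APPLE_EVENTS = "kTCCServiceAppleEvents"         # one app driving another
TERMINAL = "com.apple.Terminal"
ALLOWED = 2  # assumption: auth_value 2 == "allowed" on macOS 11+


def risky_grants(db):
    """Return sorted (client, finding) pairs for grants worth a manual review.

    `db` is a path to a copy of TCC.db or an open sqlite3.Connection.
    The column names are an assumption about the macOS 11+ `access` table.
    """
    con = db if isinstance(db, sqlite3.Connection) else sqlite3.connect(db)
    try:
        rows = con.execute(
            "SELECT service, client, auth_value, indirect_object_identifier "
            "FROM access"
        ).fetchall()
    finally:
        if con is not db:
            con.close()
    findings = []
    for service, client, auth_value, target in rows:
        if auth_value != ALLOWED:
            continue  # denied, unknown or limited grants are not the concern here
        if service == FULL_DISK:
            findings.append((client, "full-disk-access"))
        elif service == APPLE_EVENTS and target == TERMINAL:
            # Persists until revoked by hand, as the article notes for Finder.
            findings.append((client, "apple-events:" + TERMINAL))
    return sorted(findings)


def sample_db():
    """Constructed sample rows (not a real TCC.db) mirroring the article."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
                " auth_value INTEGER, indirect_object_identifier TEXT)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        (APPLE_EVENTS, "com.apple.finder", 0, ALLOWED, TERMINAL),        # Finder -> Terminal
        (APPLE_EVENTS, "com.example.editor", 0, 0, TERMINAL),            # denied, ignored
        (FULL_DISK, "com.example.backup", 0, ALLOWED, "UNUSED"),         # third-party FDA
        ("kTCCServiceCamera", "com.example.chat", 0, ALLOWED, "UNUSED"), # out of scope
    ])
    return con


if __name__ == "__main__":
    # Pass a path to a copy of TCC.db; with no argument, audit the constructed sample.
    for client, finding in risky_grants(sys.argv[1] if len(sys.argv) > 1 else sample_db()):
        print(f"{client:28} {finding}")
```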

How to stay safe against TCC abuse

Several concrete measures protect macOS systems from TCC abuse. Always keep System Integrity Protection on, and keep the operating system updated so that known vulnerabilities are patched.

Additionally, corporate IT departments can apply the principle of least privilege to limit user and application access rights, ensuring that each user has only the permissions needed to do their job.

It's also crucial to conduct regular security awareness training to educate users about phishing attempts and other common tactics used in social engineering attacks. Systems are only as secure as their weakest link, which is usually human error.


Comments

  • Reply 1 of 4
    StrangeDays Posts: 12,920 member
    OK, more Mac users in the corp world, yeah (we’re one of them now, woot!). But OS X was never less prone to attack due to “security by obscurity”. It was less prone because it’s a harder system.

    Case in point, legacy Mac systems had more viruses than modern OS X / macOS. Fewer users, more viruses.
  • Reply 2 of 4
    cincytee Posts: 410 member
    Hackers are increasingly targeting corporate users ... using tactics like social engineering.
    The weakest security link is always users, especially in big companies.

  • Reply 3 of 4
    ... OS X was never less prone to attack due to “security by obscurity”. ...
    Maybe not obscurity, but the smaller user base definitely plays a factor in the amount of effort attackers put into attacking macOS users. Attackers go where the money is, and that's corporate users, who have historically been more likely to use other operating systems.
  • Reply 4 of 4
    StrangeDays Posts: 12,920 member
    CeeBuck said:
    ... OS X was never less prone to attack due to “security by obscurity”. ...
    Maybe not obscurity, but the smaller user base definitely plays a factor in the amount of effort attackers put into attacking macOS users. Attackers go where the money is, and that's corporate users, who have historically been more likely to use other operating systems.
    That is the definition of security by obscurity. But like I said, legacy Mac systems from yesteryear had more viruses than macOS despite far fewer users. Or another, iOS — an extremely large user base, much more so than the corporate Mac user base, and very secure. If “As more companies adopt the platform, it becomes a bigger target for hackers” were cause for concern by itself, we’d be seeing these attacks already.