April 11, 2024 at 04:09PM
MITRE is adding two new techniques to its ATT&CK database due to exploits by North Korean threat actors. One technique involves TCC manipulation on Apple’s macOS, enabling privileged access for espionage. The other technique, phantom DLL hijacking on Windows, involves exploiting nonexistent DLL files. Both have been used by North Korean hackers for breaches and post-exploitation activities.
Key takeaways from the meeting notes:
– MITRE will be adding two techniques to its ATT&CK database that have been exploited by North Korean threat actors: TCC manipulation on Apple’s macOS and phantom DLL hijacking in Windows.
– TCC manipulation involves exploiting the Transparency, Consent, and Control (TCC) security protocol on macOS to gain unauthorized permissions.
– Phantom DLL hijacking takes advantage of nonexistent DLL files referenced by the Windows operating system to load malicious DLLs, allowing for unauthorized access.
– Both techniques have been used by North Korean threat actors for espionage and other post-exploitation actions.
– Solutions to mitigate these vulnerabilities include keeping SIP enabled on macOS to block TCC abuses and running monitoring solutions and deploying proactive application controls to block remote loading of DLLs in Windows.
– Threat intelligence engineer Marina Liang emphasizes the importance of being aware of app permissions in the system and practicing the principle of least privileged access to protect against TCC manipulation.
– The meeting also mentioned reaching out to Apple and Microsoft for clarifications on TCC abuses and phantom DLLs, respectively, with no response received from Apple.