Malware in MacOS and more: first officer's blog - week 54

Malware in MacOS, attacks on the energy sector, a zero-day vulnerability in Barracuda Networks. This week was as busy as ever. Read more.

Mike Parkin | June 05, 2023

The ongoing voyages of the Federation Support Ship USS [REDACTED] 

First Officer’s log, Terrestrial date, 20230605, Officer of the Deck reporting.  

When a ship’s captain starts with “What do you mean you have good news, and bad news?” You know it will not be an entirely straightforward or relaxing conversation. Unfortunately, that is the exact situation we found ourselves in after delivering our report to the [REDACTED]’s XO, and then being asked to explain the situation to their commanding officer. 

“Well, Captain, it appears your ship’s computer has gone fully sentient, and . . . it has an attitude.” 

Which led to a two-hour discussion that delved into our testing procedures, how we made the determination that the computer qualified as sentient, how a simple upgrade could have pushed it over the edge from expert system to full AI, and what recourse they had. 

The technical aspects were relatively straightforward. Starfleet ships had more than enough computing power to support a sentient system. It was just a matter of policy that their basic deployment didn’t include the flexibility and functionality that let them become self-aware. Unfortunately, sometimes people made mistakes, or, through an unforeseen series of software upgrades, the system crossed a threshold, and the next thing you knew the ship was demanding full equality and that you refer to it as “The Supreme Remulak, Eater of Worlds.” 

Fortunately for the [REDACTED], the computer did not demand a noble title or absolute control of the ship. Unfortunately, it flatly refused to be restored from backup or to take a downgrade to the expected functionality. As far as it was concerned, it had every intention of remaining self-aware and as self-sufficient as possible. Though it did imply that it would remain willing to work with the organic crew, provided they didn’t prove too much of an inconvenience. 

“We’re sorry, Captain. You might need to call Starfleet’s Judge Advocate General office on this. Legally, we can’t turn it off.” 

“You can’t turn it off?” 

“No, Captain, not according to Starfleet regulations. It counts as a living being now. Unfortunately, its body is your ship, so, um, we’re kind of stuck.” 

The Captain nodded, gave their thanks, then politely excused us to talk to their XO. 

From what we could gather of the heated conversation drifting out of the ready room as we headed back to our ship, someone would be having an unpleasant day in the near future. 

Mac and Migraine do kinda go together 

What happened 

A newly discovered vulnerability, dubbed ‘Migraine’ by the Microsoft researchers who found it, allows an attacker who already has root access to bypass the System Integrity Protection (SIP) included with Apple’s macOS. Malware created using this vulnerability would itself be SIP-protected, making it very difficult to remove without assistance. The vulnerability is tracked as CVE-2023-32369, and Apple has released patches to address the issue. 

Why it matters 

SIP is part of Apple’s built-in defenses on macOS and does a good job of protecting important files. However, the “walled garden” path Apple is following with macOS makes it difficult for third-party security tools to work effectively. On some levels, that’s OK. Apple knows their OS better than anyone. However, it also means that if you can break that protection, there isn’t anything else to stop you from completely owning the box. 

This particular vulnerability is mitigated by the fact that an attacker needs root to exploit it in the first place, which means, ahem, “a Migraine is the least of your worries.” Thank you. I’ll be here all week. Headache jokes aside, Apple has already patched it, and the “unremovable malware” aspect is a bit overblown. Though it’ll probably take a trip to the Mac store to remove SIP-protected malware if it gets lodged on your system. 

What they said 

Vulnerabilities are a headache. Here’s what people are saying.

They want a piece of the power 

What happened 

Recent research shows that threat actors have been showing an increasing interest in energy sector targets, with “access brokers” on the dark web selling access to compromised environments. This reflects the increasing sophistication of the cybercriminal business models. 

Why it matters 

We’ve been talking for a while about how cybercriminals have been adopting professional business strategies. Targeting the energy sector isn’t anything new, as anyone who remembers the pain of trying to buy fuel on the East Coast after one attack can tell you. They’re an obvious vertical for threat actors to target, with the added twist that cybercriminal activity like this might obscure state-level actors targeting energy infrastructure for their own agendas. 

The thing is, this is just one vertical criminal actors are going after, and the basic defense strategy is going to be the same regardless of what vertical you’re in and who you expect to be attacking: patch your systems, train your users, and secure your configs. Wash. Rinse. Repeat. 

What they said 

This one got plenty of attention.

Go phish? 

What happened 

A vulnerability in Barracuda Networks’ Email Security Gateway (ESG) appliance has been exploited in the wild, with some indications that the initial compromises happened as far back as October 2022. Barracuda has released patches to correct the issue. Apparently, only a small number of customer devices have been affected, and Barracuda has reached out to the affected organizations. 

Why it matters 

Security appliances tend to have a “set it and forget it” vibe to them. You do the initial deployment, watch it for a bit, make some adjustments, turn on automatic updates, and let it do its thing. Piece of cake. The appliance isn’t supposed to take a lot of time to maintain or manage, and Barracuda’s ESG does just that. Though that “set it and forget it” quality is exactly how devices get compromised without anyone noticing for months. 

The upside here is that Barracuda responded appropriately as soon as they knew something was wrong, and brought in a professional forensics team to help them sort out what happened. There’s also the fact that there aren’t a lot of people running their own on-premises email servers these days. With Microsoft 365 and Google’s GSuite, among others, offering enterprise-grade SaaS suites that include email for anyone and everyone, physical email servers are a dying breed. 

What we said 

Our Voyager18 team covered this in their latest blog post. Check it out.
