Objective by the Sea 5.0 Highlights

Objective by the Sea (OBTS) is the world’s premiere Apple security research conference. This year’s event, OBTS v.5, was held in Barcelona. The talks were technical, but as in years past they contained valuable insights for everyday Mac users. Here are some of the highlights:

The evolution of Mac malware

Thomas Reed, a macOS security researcher, discussed the macOS threat landscape as it has evolved over the years.

Reed notes that modern Mac malware has a number of features that, although not new, had been relatively uncommon in the past: things like malware with viral behavior, or malware that uses code obfuscation techniques to evade detection.

In terms of the most prevalent macOS security and privacy threats nowadays, Reed says that there are a large number of Mac backdoors—and that many of these backdoors are written in hard-to-detect custom code. The Mac landscape today is also “awash” in potentially unwanted programs (PUPs), says Reed—which may be a more serious threat than most users realize. In addition, he points out that today’s Mac adware, a longtime threat to macOS, is often more sophisticated than other types of Mac malware.

Takeaway: As Macs gain market share among home users as well as in the enterprise, threat actors will continue to up their game and incorporate more sophisticated features into their malware. Mac users should be aware of the risks and follow best practices for macOS app safety.

A tour of iOS malware 

Matthias Frielingsdorf presented on iOS malware in his talk “In Walled Gardens be Careful of Poisoned Apples.”

Frielingsdorf says that “iOS malware was previously seen more as a problem of jailbroken iPhones,” but that there is now no doubt that powerful malware exists on iOS. He provided an overview of 0-click and 1-click malware variants on the platform, as well as malware that makes its way onto iPhones via sideloading. He touched on Pegasus spyware and Hermit spyware and explained the distinctions between iOS malware and iOS jailbreaks. Throughout his presentation, Frielingsdorf also stressed how challenging it can be for security researchers to gain a full picture of malware activity on iOS (which is why Mac security researchers have always been wary of Apple’s attempts to lock down macOS as they have with iOS).

Takeaway: Frielingsdorf’s presentation is a good reminder that the “walled garden” of iOS is not immune to malware, despite the fact that it’s generally very secure. For this reason, iPhone users should take precautions to protect themselves—in particular, by enabling automatic updates and taking advantage of new iOS 16 security features like Rapid Security Response.

When macOS opens the gate

Security researchers Jaron Bradley and Ferdous Saljooki gave a presentation entitled “Bombastically Abominating Bomshellz,” which detailed two macOS Gatekeeper bypasses.

Gatekeeper is a macOS security feature designed to ensure that all apps run on the Mac are safe. Bradley described a bug in the logic that Safari uses to evaluate zip files—a vulnerability (CVE-2022-22616) that allowed unsigned and unevaluated apps to be downloaded and automatically unzipped on a Mac, bypassing Gatekeeper’s security checks. Bradley and Saljooki then gave an example of how a bad actor could weaponize this vulnerability to run malware on a Mac. The second vulnerability (CVE-2022-32910) had to do with the way Mac handles archive files. Apple Insider explains the impact of the vulnerability well: It could have allowed a bad guy to sneak a malicious application onto a Mac as an archive file, “bypassing Gatekeeper and all security checks upon opening with a double click.”

Takeaway: Gatekeeper and other native macOS security tools offer a level of basic protection on a Mac. But they are not immune to flaws and bypasses. Mac users should exercise caution when downloading any app from the Internet—only running files from known, trusted developers or from the Mac App Store. In addition, using a robust, regularly updated Mac security app is highly recommended! 

A game of cat and mouse

Csaba Fitzl, a security trainer and accomplished macOS bug hunter, spoke about vulnerabilities in the macOS Endpoint Security framework. 

Fitzl’s talk, “The Achilles heel of EndpointSecurity,” explained the security impact of one of Endpoint Security’s key features. To quote his abstract:

All EndpointSecurity clients require the user to provide Full Disk Access rights. If this permission is not granted, the client can’t register and operate. While this is a preventive control for installing such software, it turns out to be the “Achilles heel” of the entire concept. Once this permission is revoked, the client becomes non-functional, and thus trivial to disarm.

He explained how this principle led to a number of bypasses of Transparency, Consent, and Control (TCC), a macOS security framework designed to give users greater insight into and control over what apps are doing on the system. Interestingly, Fitzl showed how a resourceful attacker could often work around Apple’s mitigation for a bypass, leading to a new bypass that required a new mitigation!

Takeaway: Users should be aware that there is no such thing as “perfect” or “final” security. macOS vulnerabilities and exploits will always be a cat-and-mouse game between attackers and Apple security teams. Previously patched vulnerabilities may be exploited later on using new techniques. For this reason, it’s important to enable automatic updates and Rapid Security Response so you’ll always have access to the latest security mitigations. It’s also important to remember that since no platform is ever 100% secure, this means that you, the user, are the best defense against attackers! 

Go, RAT. Go!

Patrick Wardle, Mac malware researcher, author, and founder of Objective by the Sea, gave a presentation entitled “Making oRAT Go.”

Wardle’s talk provided a deeper analysis of the new oRAT APT malware. The malware, discovered in April, was still not very well understood—mainly because researchers hadn’t been able to observe it in action. Interestingly, oRAT also uses the Go programming language, which added another level of difficulty to the work of analysis. 

Wardle showed how he managed to activate a sample of the malware by connecting it to a command and control (C&C) server that he set up. Although somewhat unfamiliar with Go, he was eventually able to get the malware up and running, at which point he began giving it commands in order to see what it could do. 

As it turned out, oRAT had the ability to gather information about a compromised Mac, exfiltrate data and upload it to the C&C server, carry out port scanning, and self-delete in order to cover its tracks. 

Takeaway: The malware sample analyzed by Wardle wasn’t particularly sophisticated, but the fact that it used Go presented unusual challenges. In general, oRAT underscores the trend of Mac malware authors experimenting with new tactics and new techniques—and points to the likely evolution of Mac malware in the future. 

Learning more about Apple security 

There were many other interesting talks at this year’s Objective by the Sea—too many to cover in a single blog post! For video of the talks, check out the OBTS YouTube page. To learn more about the conference and this year’s speakers, see the Objective by the Sea website. If you’d like to support the OBTS, you can do so at Objective-See.org.