11/22/2024 | News release | Distributed by Public on 11/22/2024 22:55
Executive Summary
In this article, we explore various lateral movement techniques for macOS, some of which are specific to macOS while others are shared by other operating systems. We'll also provide real-world examples to illustrate these methods and discuss detection opportunities.
This article will discuss the use of the following techniques to carry out lateral movement:
Lateral movement refers to the techniques cyberattackers use to navigate through a network after compromising an initial system. This phase is crucial for attackers to achieve their ultimate objectives, which might include data exfiltration, persistence or further system compromise.
While much focus has historically been on lateral movement in Windows environments, macOS is not immune to these tactics. Moreover, its use in attacks is a growing trend.
Palo Alto Networks customers are better protected from the threats discussed in this article through our Cortex line of products.
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
Exploiting SSH Keys: Theft and Unauthorized Access
What Are SSH Keys?
Secure Shell keys are a pair of cryptographic keys used for secure authentication between a client and a server over a network. SSH keys typically consist of a private key kept secure on the client and a public key placed on the server. The keys are placed in the .sshdirectory within a user's home directory on a macOS host.
Common uses of SSH keys include:
Misuse of SSH Keys by Attackers
Lateral Movement via SSH Key Theft
Attackers can deploy keyloggers to capture keystrokes to, for example, steal passphrases for SSH keys. Attackers might also try to exfiltrate SSH keys, either by stealing the entire .sshdirectory with its contents or by copying the key files aside and then use the stolen keys to exfiltrate additional data.
The cases we describe in the following sections provide examples of attempts for key theft.
Cobalt-Strike Beacon Dropped by Malicious Python Package
In 2021, attackers targeted Baidu search engine users with trojanized versions of tools such as iTerm2, SecureCRT and Navicat. Threat actors often abuse, take advantage of or subvert legitimate products for malicious purposes. This does not imply that the legitimate product itself is flawed or malicious.
The malware, known as ZuRu, downloaded and executed a Python script for reconnaissance and credential stealing. Figure 1 below shows how this Python script collects information such as bashand zshhistory files, the /etc/hostsfile, system keychain and contents of the .sshdirectory. The script then exfiltrates the collected data using curl.
PyTorch ML Framework Compromised Using a Malicious Dependency
In December 2022, a popular machine learning framework named PyTorch announced it had fallen victim to a supply chain attack using a method called dependency confusion. In this attack, threat actors compromised one of the framework's dependencies named torchtriton, leading to the execution of malicious code.
The compromised dependency would deploy a malicious binary responsible for stealing system information, including the contents of the .sshdirectory, which it then uploaded to an attacker-controlled C2 server. While the primary focus and reports were on Linux, the general nature of dependency confusion and the cross-platform nature of Python meant that macOS systems using the affected package could also be impacted.
SSH-Snake Tool Used for Automatic Network Traversal
Another example of SSH key exploitation is SSH-Snake, a sophisticated tool that automates the exploitation of SSH keys to enable lateral movement within a network. This tool essentially acts as a worm, automating and executing the process repeatedly.
This tool is designed to perform the following activities:
Planting SSH Keys in Authorized_keys
Once attackers have access to a system, they can plant their public keys in the authorized_keysfile to maintain persistent access. The authorized_keysfile is a crucial component in SSH authentication.
This file is used to configure which SSH public keys are allowed to access a particular user account on a server. It is typically located in the .sshdirectory within a user's home directory on the machine (e.g., /home/username/.ssh/authorized_keys).
This file contains a list of public keys granted access to the user's account. When a user attempts to log in via SSH using a key pair, the SSH server checks the corresponding public key against the entries in the authorized_keysfile. If a match is found, access is granted without requiring a password.
Insekt Malware Appends Attacker SSH Keys to Authorized_keys File
In October 2022, researchers discovered Insekt malware, which is a payload served by the Alchemist attack framework. This threat targets Windows, Linux and macOS. Its capabilities include listing the contents of the .sshdirectory on a victim's machine and adding the attackers' SSH keys to the authorized_keysfile, enabling them to establish a trusted connection to the machine.
Here are our recommendations for what activities organizations should look for that could help detect suspicious activity:
Apple Remote Desktop (ARD)
ARD is a comprehensive remote management tool used to administer and manage macOS hosts within a network. It allows for software distribution, remote assistance, system administration and asset management. To deploy ARD, administrators can install the Apple Remote Desktop app on their own Mac, which they can purchase from the Mac App Store.
The client component is built into macOS, requiring only activation and configuration through the Sharing section of the macOS System Preferences pane. Clients can be added to the ARD admin list by entering their network address or through automated network scanning and discovery via Bonjour.
Figure 4 shows an example of the interface for the ARD administrator app.
Key Legitimate Uses of ARD
The following are the key legitimate uses of ARD:
How Can Attackers Leverage ARD?
Generally, ARD has to be manually enabled to be available for use on a machine. This can be done by enabling Remote Management via the Advanced Sharing configurations in System Settings. It is not enabled by default.
In cases where it is not enabled, attackers have used SSH to run the kickstart command shown in Figure 5, which can enable remote management.
The flags in the above example activate the Remote Management service on the system, which enables ARD. The flags then configure the Remote Management settings to allow access and management of all users. In addition, this kickstart command grants all possible privileges for control via the Remote Management over the users on the machine.
Notable privileges allow the ARD administrator to perform the following activities on remote machines:
In addition, ARD includes features allowing:
Once an attacker achieves access to an administrator machine running the ARD administrator application, they obtain powerful centralized access to all connected machines. Additionally, their actions might seem more legitimate than events stemming from other methods used by attackers, such as an SSH connection.
On a machine running the ARD administrator application, it's easier for an attacker to hide their tracks. In terms of known usage in the wild, attackers have used ARD screen-sharing functionality for lateral movement.
The advantages an attacker might find in ARD over other methods for lateral movement such as SSH include:
Here are our recommendations to help organizations detect suspicious activity:
Remote Apple Events
RAE is part of the Apple Event Manager framework, which provides a standardized way for applications to communicate with each other using Apple Events over a network. This feature leverages the Apple Events scripting architecture to perform tasks remotely.
RAE allows applications on macOS to expose and execute specific functions over a network. When an application wants to support RAE, it must first register the functions it wants to make available. This is done through the Apple Events API.
Essentially, the application sets up a handler for each event identifier, defining what action should be taken when that event is received. Once these handlers are registered, remote clients can send Apple Events with the corresponding identifiers to invoke the specified functions. This setup enables remote interaction with the application, allowing it to be controlled or automated from other systems over the network.
To use RAE, the Remote Application Scripting feature must be enabled in the Sharing settings under System Preferences.
AppleScript is a scripting language that allows users to write scripts to automate tasks. AppleScripts can send Apple Events to local or remote applications to execute specific actions.
RAE can be sent using AppleScript. The tellcommand is used to specify the target machine, application and commands for the application to perform. Figure 6 shows an example of this.
The script in Figure 6 above showcases how to perform file operations on a remote machine using AppleScript and RAE. The specified text is written to a file on a remote macOS machine.
This script first sets up the connection details for the remote machine using the EPCC protocol to send RAE over a network, specifying the username, password and IP address. This establishes a communication channel between the local and remote machines over TCP port 3031 using the eppc://URL scheme, and it requires authentication using a username and password for valid users on the machine.
This activity ensures that only authorized users can send commands to the remote machine. The script then defines the relevant file details. Within a tellblock addressed to the Finder application of the remote machine, the script opens the file for access with write permission, writes the specified content and then closes the file.
How Can Attackers Leverage RAE?
While RAE and the EPPC protocol have legitimate uses, malicious actors can also exploit them for lateral movement within a network. If RAE is not enabled, the attacker can enable them by executing commands with administrative privileges in a terminal:
Here's how attackers might leverage these technologies for malicious purposes:
Remote Command Execution
Using compromised credentials, attackers can execute AppleScript commands to control applications on other machines within the same network as shown below in Figure 7.
This script defines the path and content of a malicious shell script, then writes and executes it on a remote machine using Finder and Terminal applications over a RAE connection. The Finder application on the remote machine opens the specified file for writing, writes the malicious content to the file and closes it.
After a short delay, Finder uses the Terminal application on the remote machine to make the script executable and then runs it. This sequence effectively plants and executes a potentially harmful script on the targeted machine.
Automation Scripts
Attackers can write sophisticated AppleScripts to automate malicious tasks on multiple machines. For instance, they could script data exfiltration or the deployment of additional payloads as shown below in Figure 8.
Persistence
To maintain persistence, attackers can use RAE to schedule tasks or create login items on remote machines. For example, this can be done as shown in Figure 9.
Once connected, the script executes a command in the remote Terminal to load a malicious LaunchAgent (com.malware.plist). By using launchctl load -w, the attacker ensures the malicious agent is loaded and marked for persistent execution, making it automatically start on subsequent user logins or system reboots.
Here are our recommendations for what activities organizations should look for that could help detect suspicious activity:
Conclusion
Lateral movement on macOS involves a variety of techniques, from exploiting SSH keys to more unique ones leveraging legitimate native management tools. Each method leverages different aspects of macOS's architecture and features to gain access and maintain persistence. Understanding these methods and studying real-world examples helps in developing efficient defenses to protect macOS environments from future threats.
It is evident that macOS is not immune to lateral movement techniques used by cyberattackers. The real-world examples presented in this document serve as a stark reminder of the importance of implementing robust security measures to protect macOS environments from malicious lateral movement activities.
Through Cortex XDR, Palo Alto Networks customers receive better protection from different lateral movement techniques, including Behavioral Threat Protection and a Local Threat Evaluation Engine. Customers can further use our XQL Cortex Query Language to hunt for suspicious activities in their networks. The Appendix for this article contains helpful examples of XQL queries to hunt for lateral movement in a macOS environment.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Appendix
Examples of XQL queries helpful in hunting for lateral movement in a macOS environment are available at our GitHub repository.
Additional Resources