24 Apr

MITRE ATT&CK Adds Two Sub-Techniques Used by North Korean Hackers

MITRE is adding two sub-techniques used by North Korean hackers to its ATT&CK database. One involves manipulating Transparency, Consent, and Control (TCC) on macOS to gain privileged access.

TCC, protected by permissions and System Integrity Protection (SIP), can be undermined when SIP is disabled or when an application is granted Full Disk Access (FDA). Attackers exploit this by manipulating TCC directly or by directing users to disable security controls. To mitigate, keeping SIP enabled is crucial; users should also review the permissions apps request and practice least privilege.

Another technique, “Phantom” DLL hijacking on Windows, exploits references to DLLs that do not exist on the system. Hackers plant a malicious DLL under the referenced name, and the operating system loads it. Threat actors such as Lazarus Group and APT41 have used this tactic. Mitigation strategies include monitoring solutions, proactive application controls, and blocking remote DLL loading; Windows Server offers a feature to block remote DLL loading by default.
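The monitoring mitigation above can be expressed as a simple classifier over image-load events. The following is an added example, not code from the original post or from MITRE: it assumes a constructed event format (loading process, loaded image) like an EDR image-load record, and a defender-collected inventory of DLL names present in the system directories of a clean host. The DLL name `missing_helper.dll`, the user `alice` and the vendor paths are constructed placeholders.

```python
"""Flag image-load events that fit the phantom-DLL hijacking pattern.

Added example, not code from the original post. Assumes a constructed
event format (loading process, loaded image) like an EDR image-load record,
and a defender-collected inventory of DLL names present in the system
directories of a clean host."""
from pathlib import PureWindowsPath

WINDOWS_ROOT = PureWindowsPath(r"C:\Windows")                 # OS components live here
TRUSTED_DLL_DIRS = (PureWindowsPath(r"C:\Windows\System32"),  # where their DLLs belong
                    PureWindowsPath(r"C:\Windows\SysWOW64"))

def _under(path, roots):
    """True if path lies beneath any root (Windows paths compare case-insensitively)."""
    parts = [p.lower() for p in path.parts]
    return any(parts[:len(r.parts)] == [p.lower() for p in r.parts] for r in roots)

def classify_dll_load(event, system_dll_inventory):
    """Return 'phantom_hijack', 'search_order_hijack' or None for one event.
    A phantom DLL is a name an OS component asks for that does not exist on a
    clean system, so the only file answering to that name is the attacker's."""
    process, image = PureWindowsPath(event["process"]), PureWindowsPath(event["image"])
    if image.suffix.lower() != ".dll" or not _under(process, (WINDOWS_ROOT,)):
        return None                      # not an OS component loading a DLL
    if _under(image, TRUSTED_DLL_DIRS):
        return None                      # loaded from where system DLLs belong
    if image.name.lower() not in system_dll_inventory:
        return "phantom_hijack"          # no legitimate copy of this name exists
    return "search_order_hijack"         # a legitimate copy exists but a rogue one won

def scan(events, system_dll_inventory):
    """Return [(image_path, verdict)] for every flagged event."""
    flagged = []
    for ev in events:
        verdict = classify_dll_load(ev, system_dll_inventory)
        if verdict:
            flagged.append((ev["image"], verdict))
    return flagged

# Constructed sample data: a clean-host inventory and four image-load events.
# "missing_helper.dll" is a placeholder name, not a real phantom DLL.
SAMPLE_INVENTORY = {"kernel32.dll", "ntdll.dll", "version.dll"}
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\kernel32.dll"},
    {"process": r"C:\Windows\System32\svchost.exe", "image": r"C:\ProgramData\missing_helper.dll"},
    {"process": r"C:\Windows\System32\svchost.exe", "image": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"process": r"C:\Program Files\Vendor\app.exe", "image": r"C:\Program Files\Vendor\vendor.dll"},
]
```

In practice the inventory comes from baselining a clean build of each Windows release in use; third-party software loading its own DLLs from its install directory is deliberately left out of scope here.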

These techniques highlight the adaptability and opportunistic nature of North Korean threat actors, who focus on both espionage and revenue generation. With macOS gaining popularity, attackers exploit weaknesses such as TCC manipulation. Similarly, phantom DLL references in Windows give attackers a stealthy method for executing malicious code.


To combat these threats effectively, organizations must adopt a multi-layered approach to security. This includes maintaining awareness of permissions and security controls, especially concerning critical components like TCC on macOS and DLL loading on Windows. Additionally, implementing proactive monitoring solutions and deploying controls to block unauthorized DLL loading are essential defensive measures.