CTI Roundup: Microsoft Finds a macOS Bug That Lets Hackers Bypass SIP Root Restrictions

First up this week, CTI investigates an IBM X-Force report on the new ‘Sphynx’ variant of the notorious BlackCat/ALPHV ransomware. Next, CTI explores Microsoft’s discovery of a vulnerability that enables attackers with root privileges to bypass macOS’ System Integrity Protection (SIP) checks and install ‘undeletable’ malware. Finally, CTI wraps things up with a look at a recent report from Group-IB detailing the latest activity attributed to the threat actor tracked as Dark Pink.

1. Improved BlackCat ransomware strikes with lightning speed and stealthy tactics

A new IBM Security X-Force Team report details major updates in the BlackCat/ALPHV ransomware operation. The upgrades include improvements to the ransomware’s speed, stealth, and exfiltration capabilities.

What is BlackCat?

• CTI considers BlackCat one of the top ransomware and extortion threats facing organizations today.
• Threat actors primarily use BlackCat to target the government, education, manufacturing, hospitality, and healthcare sectors.
• BlackCat attempts to work a double-extortion angle into its attacks. Stolen data is usually posted on the gang’s official leak site as a way of increasing the pressure to pay on its extortion victims.

As the author of the IBM report explains, BlackCat switched to the Rust programming language in 2022 — a decision likely influenced by the customization opportunities that the language offers, as well as its usefulness in making detection and analysis of the malware more difficult.

A year and a half since it is thought to have entered the cyber threat landscape, the BlackCat group shows no signs of slowing. BlackCat/ALPHV is consistently ranked among the most profitable of the top-tier ransomware-as-a-service (RaaS) offerings that populate the cyber threat landscape, jockeying with other top extortion groups, such as LockBit, for the lion’s share of ransom payments.

What is Sphynx?

Sphynx is a powerful new BlackCat variant which comes packed with a “number of updated capabilities that strengthen the group’s efforts to evade detection,” according to IBM’s X-Force analysis.

From IBM Security X-Force:

X-Force has observed BlackCat affiliates continue to hone their operations in order to increase the likelihood of successful impact, namely data theft and encryption. Attackers automated the data exfiltration portion of the operation using ExMatter, a custom malware capable of ‘melting’ (self-deletion). In addition, the BlackCat group recently released a new version of their ransomware, dubbed Sphynx, with upgraded capabilities meant to thwart defensive measures.

ExMatter is a .NET data exfiltration tool which, according to IBM X-Force, is exclusively used by one BlackCat ransomware affiliate cluster, tracked by Microsoft as DEV-0504. With regards to BlackCat’s previously mentioned upgraded evasive capabilities, the Sphynx version of BlackCat now features junk code and encrypted strings; improvements intended to hamper detection and analysis. The command-line arguments passed to the binary have also been subjected to a complete overhaul — something that sets it apart from its previous variants.

While earlier iterations leveraged the access token parameter to execute, the latest version removes that parameter entirely, placing a set of more complex arguments in its place. This was likely done to make the ransomware harder to detect, as security professionals now lack standard commands for which they may carry out hunt activities.

This is unsurprising, as the BlackCat gang itself claims that the malware was rewritten entirely from scratch, with the stated priority of this update being “to optimize detection by AV/EDR.”

February 21st, 2023, ALPHV ransomware group informed their affiliates of a new ‘product’ update.

Their new ransomware variant is named Sphynx. pic.twitter.com/zIIpEvTwfP

— vx-underground (@vxunderground) April 20, 2023

Also setting the new variant apart from its forebearers is the addition of the BlackCat Sphynx Loader.

From The Hacker News:

Sphynx also incorporates a loader to decrypt the ransomware payload that, upon execution, performs network discovery activities to hunt for additional systems, deletes volume shadow copies, encrypts files, and finally drops the ransom note.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“BlackCat clearly owes its longevity and profitability to its ability to continuously reinvent itself, each time improving the features and functionality that enable the malware to evade detection and bypass security mechanisms.”

“As security professionals, we must remain equally adaptable. CTI will continue to monitor this threat for any significant developments, providing updates as warranted.”

2. Microsoft finds a macOS bug that lets hackers bypass SIP root restrictions

A team of Microsoft security researchers have discovered a vulnerability that enables attackers with root privileges to bypass System Integrity Protection (SIP) and install ‘undeletable’ malware. Attackers may also access victims’ private data by circumventing Apple’s Transparency, Consent, and Control (TCC) security measures.

What to know about CVE-2023-32369

The security flaw — dubbed Migraine by Microsoft and tracked as CVE-2023-32369 — centers around SIP technology in macOS.

From Microsoft:

SIP is a security technology in macOS that restricts a root user from performing operations that may compromise system integrity. Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits.

SIP — or rootless — prevents potentially malicious software from altering certain folders and files by imposing restrictions on the root user account and limiting its capabilities within certain protected areas of the operating system. It works under the guiding principle that only processes signed by Apple — or those possessing special entitlements — should be allowed to access or alter macOS’ protected components.

Discovery and exploitation

Microsoft’s researchers discovered the vulnerability and the technique they used to bypass SIP’s usual restrictions during routine malware hunting. Microsoft’s researchers focused their attention on system processes which are signed by Apple and feature the “com.apple.rootless.install.heritable entitlement.”

Using this methodology, the researchers uncovered two child processes that could be manipulated to the point that the researchers were able to gain arbitrary code execution while also bypassing SIP’s checks.

SIP and entitlements

As Microsoft explains, SIP locks down the system from the root by using the Apple sandbox. This helps protect the platform, similarly to how SELinux protects Linux systems.

“One of the most dominant features of SIP is the filesystem restriction capability, which protects entire files and directories from being overridden,” Microsoft explains. “The files and directories that are protected by SIP by default are commonly ones that are related to the system’s integrity.”

Furthermore, there is no way to disable SIP on a live system other than via the recovery OS — a method which requires physical access to the device. Therefore, a SIP bypass is a vulnerability allowing a remote user to bypass its restrictions. Microsoft posits two such examples of such a bypass being achieved, either by bypassing SIP restrictions to write to SIP-protected directories or by creating a SIP-protected file.

Next, we come to macOS entitlements, which Apple’s documentation describes as “a right or privilege that grants an executable particular capabilities.”

There is no way to forge these entitlements, as they are employed extensively by Apple to enforce security within macOS and are granted to very specific processes.

What’s important to understand about these entitlements is that when they are granted to a process, that process is allowed by design to bypass SIP’s security checks.

From Microsoft:

One particularly interesting entitlement is the com.apple.rootless.install.heritable entitlement that allows the process and the entire process tree rooted under it to bypass filesystem-based System Integrity Protection security enforcements.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“As Microsoft explains, there are serious implications associated with arbitrary SIP bypass — mostly having to do with the significant potential for malware authors to create essentially undeletable code.”

“Microsoft breaks down the implications in a convenient list. They include creating undeletable malware, expanding the attack surface, and more. Check them out here.”

“Apple has since patched the vulnerability in security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, released two weeks ago, on May 18.”

3. Dark Pink hackers continue to target government and military organizations

A recent report from Group-IB details the latest activity attributed to the threat actor tracked as Dark Pink, a hacking group considered to be an advanced persistent threat (APT) which lately has been observed targeting government, military, and education organizations in Indonesia, Brunei, and Vietnam — adding five new organizations in three countries to the group’s victimology. The Dark Pink hacking group has reportedly been active since at least mid-2021, primarily engaging in attacks on various entities across the Asia-Pacific (APAC) region.

The report describes a new, advanced threat actor capable of leveraging custom malware in support of its efforts to steal confidential information from government agencies and military bodies in multiple countries located in the APAC region.

Boasting a toolkit containing bespoke malware, Dark Pink has also been observed spreading malware via USB drives and leveraging DLL side-loading and event-triggered execution methods to run its payloads on compromised systems.

Now, in what can be considered a sequel to its previous January 2023 report, Group-IB has documented the hacking group’s latest activity in a blog post titled “Dark Pink back with a bang: 5 new organizations in 3 countries added to victim list.”

Back with a bang

According to the latest research, Group-IB’s analysts claim to have discovered five new Dark Pink victims.

Additionally, the geographic scope of the group’s operations appears to be considerably wider than previously assessed — a finding evidenced by the fact that entities located in Brunei, Thailand, and Belgium were subjected to cyberattacks attributed to Dark Pink.

From Group-IB:

Continued analysis has revealed that this group is still active, as Dark Pink attacked a government ministry in Brunei this past January and a government agency in Indonesia as recently as April 2023. Additionally, Group-IB researchers were able to attribute three other attacks from 2022 to this particular APT group.

Key takeaways

• Spear-phishing remains the group’s initial access avenue of choice.
• The group’s arsenal (which was made up almost entirely of custom tools designed to exfiltrate files and messenger data, as described in Group-IB’s previous report) is still in use by Dark Pink. Many of the tools have received significant upgrades.
• Many of these upgrades help Dark Pink’s operators remain undetected and evade various automated defensive cybersecurity measures.
• Research carried out by Group-IB’s Threat Intelligence unit resulted in the discovery of a new Dark Pink account on GitHub. Further analysis revealed that the account was created almost immediately after information about the hacking group was disclosed to the public in January. This GitHub account enables Dark Pink’s operators to issue commands to compromised systems.
• Recent Dark Pink attacks have involved the exfiltration of stolen data over the HTTP protocol using the Webhook service, while also leveraging functionalities of an MS Excel add-in to aid in establishing the persistence of TelePowerBot (a simpler version of KamiKakaBot, written in PowerShell).
• Dark Pink also uses PowerShell commands to check for legitimate software and development tools on compromised devices, in hopes of discovering resources that the attackers may abuse to further their operations.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Group-IB’s research suggests that the Dark Pink APT is a highly active threat actor, committed to the continuous development of its custom arsenal and focused on expanding its operations — both location and industry-wise.”

“As Group-IB points out, ‘APT groups are renowned for their responsiveness and ability to adapt their custom tools to continually avoid detection, and Dark Pink is no exception.’”

“The recent expansion of the group’s targeting pattern and its devotion to improving its anti-analysis/anti-detection capabilities should be of concern to security professionals, and, while not yet tied to a specific government or nation-state, Dark Pink should be considered a significant threat.”

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.