System integrity bypass discovered in macOS devices
Target Industry
Indiscriminate, opportunistic attacks.
Overview
Microsoft researchers have recently discovered a vulnerability in macOS that could allow threat actors to bypass System Integrity Protection (SIP), the security feature that prevents certain protected system files and directories from being modified, even by the root user.
The new vulnerability, named ‘Migraine’, abuses the ‘systemmigrationd’ process, which holds an entitlement that allows it to bypass SIP checks, to defeat SIP after an attacker has already gained root access. Once SIP has been bypassed, malicious files can be planted and marked as SIP-protected, making them unmodifiable, so that they cannot be removed by a scanner even if detected.
‘Migraine’ was disclosed to Apple through Coordinated Vulnerability Disclosure (CVD), has since been fixed by a security update, and is now tracked under a CVE identifier.
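The Overview notes that files planted after a SIP bypass are marked unmodifiable and cannot be removed even by root. An added example (not Microsoft's or Apple's code) of a defender-side check for that symptom: it parses `ls -lO` output, in which the SIP flag appears as `restricted` in the flags column, and reports restricted files that sit outside the directory roots SIP normally protects. The list of protected roots and the sample lines are assumptions constructed for the example.

```python
"""Flag files carrying the SIP 'restricted' flag outside the paths SIP normally
protects. Added example for this advisory, not Microsoft's or Apple's code.
Input is `ls -lO` output (macOS); here it is constructed sample text, parsed
offline. The protected-root list below is an assumption, not from the advisory."""
import re
from typing import Dict, List

# Directory roots SIP protects by default (assumed list; /usr/local is exempt).
SIP_PROTECTED_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/")
SIP_EXEMPT_PREFIXES = ("/usr/local/",)

# `ls -lO` columns: mode, links, owner, group, flags, size, month, day, time, path.
LS_O_LINE = re.compile(
    r"^(?P<mode>\S+)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<flags>\S+)\s+"
    r"\d+\s+\S+\s+\d+\s+[\d:]+\s+(?P<path>/.*)$"
)

def parse_ls_o(line: str) -> Dict[str, str]:
    """Return the fields of one `ls -lO` line, or {} if it does not match."""
    m = LS_O_LINE.match(line.strip())
    return m.groupdict() if m else {}

def is_sip_protected_path(path: str) -> bool:
    """True if SIP is expected to restrict this path by default."""
    if path.startswith(SIP_EXEMPT_PREFIXES):
        return False
    return path.startswith(SIP_PROTECTED_ROOTS)

def unexpected_restricted(lines: List[str]) -> List[str]:
    """Paths whose flags include 'restricted' but that sit outside SIP roots.
    Such a file cannot be deleted even by root and is worth investigating."""
    hits = []
    for line in lines:
        entry = parse_ls_o(line)
        if not entry:
            continue
        if "restricted" in entry["flags"].split(",") and not is_sip_protected_path(entry["path"]):
            hits.append(entry["path"])
    return hits

# Constructed sample output, not captured from a real host.
SAMPLE = [
    "-rwxr-xr-x  1 root  wheel  restricted,compressed  60336 May 10 12:00 /usr/bin/ls",
    "-rw-r--r--  1 root  wheel  restricted  1024 May 10 12:01 /Library/LaunchDaemons/com.example.agent.plist",
    "-rw-r--r--  1 root  wheel  -  512 May 10 12:02 /usr/local/bin/tool",
    "-rw-r--r--  1 root  wheel  restricted  2048 May 10 12:03 /private/tmp/payload",
]

if __name__ == "__main__":
    print(unexpected_restricted(SAMPLE))
```

On a real host, feed it the output of `ls -lO` over the locations you want to audit; a hit does not prove compromise by itself, but a restricted file in a user-writable location should be explained.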
Impact
If successfully exploited, the vulnerability could be used to create persistent malicious files that cannot be removed or quarantined. It could also serve as a foothold for further attacks, such as arbitrary code execution or rootkits. This level of compromise could lead to long-term damage to, or loss of, critical operational systems, and to the launching of large-scale attacks leveraging the access gained, which could cause substantial financial costs and loss of employment.
Vulnerability Detection
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against threats, including ransomware, that abuse vulnerabilities such as Migraine. An EDR can alert users to potential breaches and block further progress before the malware is able to cause significant damage.
Affected Products
macOS.
Containment, Mitigations & Remediations
As mentioned above, it is recommended that an EDR solution is implemented, which allows potential attacks from a wide range of threats to be prevented in real time.
All devices should have the most recent vendor updates applied, as these contain security fixes that help prevent exploitation by known threats.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
Threat Landscape
Although it was long believed that macOS was safe because it was targeted by less sophisticated attacks, emerging threats in the past few years have proved this wrong. Powerful attacks specifically targeting macOS devices have been on the rise, driven by the growing number of macOS users and by those users not implementing cyber security best practices, despite Apple devices being less susceptible.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of writing.
Mitre Methodologies
Privilege escalation
T1548 – Abuse Elevation Control Mechanism
Defence evasion
T1055 – Process Injection
Further Information
New macOS vulnerability, Migraine, could bypass System Integrity Protection