
Rise in corporate Mac use invites more sophisticated hacking

The Mac's increasing popularity is a blessing and a curse

Hackers are developing more complex, cross-platform tactics to take advantage of the ever-increasing Mac user base, and the latest of these target the TCC framework.

The Mac's reputation for strong security is a valuable asset and a concerning liability. As more companies adopt the platform, it becomes a bigger target for hackers.

macOS's security architecture includes the Transparency, Consent, and Control (TCC) framework, which aims to protect user privacy by controlling app permissions. However, recent findings from Interpres Security show that the TCC can be manipulated to make Macs vulnerable to attack.

The TCC framework manages app permissions in macOS to safeguard sensitive information and system settings. Unfortunately, vulnerabilities within TCC allow unauthorized access to the system.

Hackers are increasingly targeting corporate users such as developers and engineers using tactics like social engineering.

TCC has had past exploits and shortcomings, including direct modifications of its database and exploiting weaknesses in system integrity protections. In previous versions, hackers could gain secret permissions by accessing and modifying the TCC.db file.

Apple introduced System Integrity Protection (SIP) to counter such attacks in macOS Sierra, but even SIP has been bypassed. For instance, in 2023 Microsoft discovered a macOS vulnerability that could entirely circumvent System Integrity Protection.

Apple has addressed some of these issues through security updates, but Interpres Security warns that attackers, like the North Korean Lazarus Group, continue to focus on Macs in corporate environments.

Besides TCC, Finder is also a potential attack vector. By default, Finder has Full Disk Access without appearing in the Security & Privacy permissions list, so the grant remains hidden from users.

If Finder is granted Automation access to Terminal, that grant is permanent unless manually revoked. Thus, an actor could abuse Finder to gain control over Terminal and, through it, obtain disk access.

How to stay safe against TCC abuse

Specific strategies can be implemented to protect macOS systems from TCC abuse. Always keep System Integrity Protection on, and keep the operating system updated so that known vulnerabilities are patched.

Additionally, corporate IT departments can apply the principle of least privilege to limit user and application access rights. That is the practice of ensuring each user, and each application, holds only the permissions needed to do its job.

It's also crucial to conduct regular security awareness training to educate users about phishing attempts and other common tactics used in social engineering attacks. Systems are only as secure as their weakest link, which is usually human error.
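The two checks above that an administrator can actually script are "is SIP on?" and "which applications hold the grants the article warns about (Full Disk Access, and Automation control over Terminal)?". The following is an added example, not code from the article or from Interpres Security. It parses the real output format of `csrutil status`, and it audits a constructed, simplified stand-in for the TCC database: the real TCC.db `access` table has many more columns and can only be read by a process that itself has Full Disk Access, so the four columns and the sample rows here are assumptions made for illustration. The service names `kTCCServiceSystemPolicyAllFiles` (Full Disk Access) and `kTCCServiceAppleEvents` (Automation) are the real identifiers; the meaning of `auth_value == 2` as "allowed" should be verified against the macOS version you run this on.

```python
"""TCC grant audit (added example; constructed data, not the article's code)."""
import re
import sqlite3

# Real TCC service identifiers for the two permissions the article discusses.
FULL_DISK_ACCESS = "kTCCServiceSystemPolicyAllFiles"
AUTOMATION = "kTCCServiceAppleEvents"
TERMINAL_BUNDLE_ID = "com.apple.Terminal"
# Assumption: on recent macOS, auth_value 2 means "allowed" (0 = denied).
ALLOWED = 2

# Constructed sample rows in a simplified four-column layout. Note that the
# article says Finder's own Full Disk Access is NOT recorded in this database,
# which is why no such row appears here; the Finder -> Terminal Automation
# row models the scenario the article describes.
SAMPLE_ROWS = [
    (AUTOMATION, "com.apple.finder", ALLOWED, TERMINAL_BUNDLE_ID),
    (FULL_DISK_ACCESS, "com.example.backup-agent", ALLOWED, "UNUSED"),
    (AUTOMATION, "com.example.editor", 0, TERMINAL_BUNDLE_ID),  # denied
    ("kTCCServiceCamera", "com.example.chat", ALLOWED, "UNUSED"),
]


def sip_enabled(csrutil_output: str) -> bool:
    """Return True only if `csrutil status` reports SIP enabled.

    Real output: 'System Integrity Protection status: enabled.'
    Anything else (disabled, or 'unknown (Custom Configuration)') is treated
    as not enabled, which is the safe default for an audit.
    """
    match = re.search(r"System Integrity Protection status:\s*(\w+)", csrutil_output)
    return bool(match) and match.group(1).lower() == "enabled"


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory table with the constructed rows (simplified schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access ("
        "service TEXT, client TEXT, auth_value INTEGER, "
        "indirect_object_identifier TEXT)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_risky_grants(conn: sqlite3.Connection) -> list:
    """List allowed grants that matter for the TCC-abuse scenarios in the article:
    any Full Disk Access grant, and any Automation grant whose target is Terminal."""
    findings = []
    query = (
        "SELECT service, client, auth_value, indirect_object_identifier "
        "FROM access WHERE auth_value = ?"
    )
    for service, client, _auth, target in conn.execute(query, (ALLOWED,)):
        if service == FULL_DISK_ACCESS:
            findings.append(f"FULL_DISK_ACCESS granted to {client}")
        elif service == AUTOMATION and target == TERMINAL_BUNDLE_ID:
            findings.append(f"AUTOMATION over Terminal granted to {client}")
    return sorted(findings)


if __name__ == "__main__":
    # On a real Mac you would feed in subprocess.run(["csrutil", "status"]).stdout
    # and open /Library/Application Support/com.apple.TCC/TCC.db read-only.
    print("SIP enabled:", sip_enabled("System Integrity Protection status: enabled."))
    for line in find_risky_grants(load_sample_db()):
        print("REVIEW:", line)
```

Each finding is something to review under least privilege rather than an automatic fault: a backup agent may legitimately need Full Disk Access, but an Automation grant from Finder to Terminal is exactly the permanent, easily overlooked grant the article says should be revoked unless there is a reason for it.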



4 Comments

StrangeDays 9 Years · 12998 comments

Ok more Mac users in corp world yeah (we’re one of them now, woot!). But - OS X was never less prone to attack due to “security by obscurity”. It was less prone because it’s a harder system. 

Case in point, legacy Mac Systems had more viruses than modern OS X / macOS. Fewer users, more viruses. 

4 Likes · 0 Dislikes
cincytee 19 Years · 420 comments

Hackers are increasingly targeting corporate users ... using tactics like social engineering.
The weakest security link is always users, especially in big companies.

4 Likes · 0 Dislikes
CeeBuck 3 Years · 2 comments

... OS X was never less prone to attack due to “security by obscurity”. ...

Maybe not obscurity but the smaller user base definitely plays a factor in the amount of effort attackers put into attacking MacOS users. Attackers go where the money is and that's corporate users who have historically been more likely to use other operating systems.

1 Like · 0 Dislikes
StrangeDays 9 Years · 12998 comments

CeeBuck said:
... OS X was never less prone to attack due to “security by obscurity”. ...
Maybe not obscurity but the smaller user base definitely plays a factor in the amount of effort attackers put into attacking MacOS users. Attackers go where the money is and that's corporate users who have historically been more likely to use other operating systems.

That is the definition of security by obscurity. But like I said, legacy Mac Systems from yesteryear had more viruses than macOS despite much fewer users. Or another, iOS — extremely large user base, much more so than corporate Mac user base, and very secure. If “As more companies adopt the platform, it becomes a bigger target for hackers” were cause for concern by itself, we’d be seeing these attacks already.

1 Like · 0 Dislikes