Hackers have a new way to disable Mac security software

Researchers at XM Cyber have discovered a method to attack a Mac without requiring a kernel exploit or bypassing macOS’s System Integrity Protection (SIP). XM Cyber has created a tool called XM Hunter as proof of the vulnerability, which will be demonstrated at the Black Hat conference in August.
To take advantage of the exploit, an attacker needs to find a way to access the Mac, either by directly accessing it, or through social engineering. The attack itself involves the installation of a legitimately signed app, and when macOS caches the app’s trust fingerprint, the attacker can go in and modify the app bundle with a malicious payload. According to the company, the attack “does not trigger standard exploit signatures or leave obvious event log artifacts.”
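The weakness described above is that a trust decision made once, at install time, is not re-checked against what is actually on disk later. An added example (not XM Cyber's tool or Macworld's code) that shows the defender's side of that gap: record a content baseline for an app bundle at install time and diff the bundle against it later, so files replaced or added after the trust decision stand out. The `Example.app` bundle and its files are constructed in a temporary directory for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def bundle_manifest(bundle: Path) -> dict:
    """Map each regular file in the bundle (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(bundle.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(bundle).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest

def compare_with_baseline(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Build a constructed (hypothetical) bundle, record a baseline, change it, and diff."""
    root = Path(tempfile.mkdtemp())
    app = root / "Example.app"  # constructed bundle name, not a real product
    (app / "Contents" / "MacOS").mkdir(parents=True)
    (app / "Contents" / "Info.plist").write_text("<plist/>")
    (app / "Contents" / "MacOS" / "Example").write_bytes(b"\xcf\xfa\xed\xfe original")
    baseline = bundle_manifest(app)  # the state the trust decision was made against
    # Post-install changes of the kind the article describes: one file replaced, one added
    (app / "Contents" / "MacOS" / "Example").write_bytes(b"\xcf\xfa\xed\xfe replaced")
    (app / "Contents" / "Resources").mkdir()
    (app / "Contents" / "Resources" / "payload.dylib").write_bytes(b"\xca\xfe\xba\xbe")
    return compare_with_baseline(baseline, bundle_manifest(app))

if __name__ == "__main__":
    print(demo())
```

On a real Mac, `codesign --verify --deep --strict /path/to/App.app` performs the equivalent check against the bundle's embedded signature instead of a stored baseline; the point of either check is that it runs after installation, not only when the app is first trusted.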
XM Cyber reports that the exploit could be used even with enterprise endpoint security tools running on the target Mac, and Macs running CrowdStrike Falcon Sensor and Kandji MDM Agent were successfully hacked. CrowdStrike and Kandji have since updated their software to fix the vulnerability. Apple has not publicly responded to XM Cyber’s findings.
A CrowdStrike spokesperson sent the following statement to Macworld: “The technique exploits a macOS issue, and we have detections and preventions in place for the Falcon sensor.”
How to protect yourself
The easiest way to protect yourself from an attack like this is to avoid downloading software from download sites you are not familiar with. Do not install software from someone you don’t know or someone who is not authorized to provide support to you. Never open links in emails or texts you receive from unknown and unexpected sources. If you get a message that looks like it is from an entity that you do business with, check the sender’s email address and inspect the URL carefully. If you see a link or button, you can Control-click it, select Copy Link Address, and then paste it into a text editor to see the actual URL and check it there.
Apple has vetted software in the Mac App Store, and it is the safest way to get apps. If you prefer not to patronize the Mac App Store, then buy software directly from the developer’s own website. If you insist on using cracked software, you will always risk malware exposure.
Macworld has several guides to help, including a guide on whether or not you need antivirus software, a list of Mac viruses, malware, and trojans, and a comparison of Mac security software.
Apple has protections in place within macOS, and the company releases security patches through OS updates, so it’s important to install them when they are available. If Apple pulls back an update, the company will reissue it as soon as it is properly revised with corrections.