A New Apple Supply Chain Compromise #gatekeeper

Hackers are leaving no stone unturned when it comes to scouring systems and software for an attack vector. Usually, an adversary is looking for one-off anomalies at the low-end of computer programming, the 1’s and 0’s. A buffer overflow, a protocol fuzzing, some kind of byte-level trickery. Nothing so brazen as a supply chain attack. These attacks are swift, trusted, often skipped during antivirus and malware scanning. Last week I read about a terrible new Apple supply chain compromise.

The Digital Supply Chain

  • Manipulation of development tools
  • Manipulation of a development environment
  • Manipulation of source code repositories (public or private)
  • Manipulation of source code in open-source dependencies
  • Manipulation of software update/distribution mechanisms
  • Compromised/infected system images (multiple cases of removable media infected at the factory)
  • Replacement of legitimate software with modified versions
  • Sales of modified/counterfeit products to legitimate distributors
  • Shipment interdiction

This official list is missing one important category in my mind:
A collective conscious decision to allow auto-updates and to entrust basic functions to a familiar player. Usually, the type of software mentioned is assumed to be free from defects or malicious code. We expect that it’s reviewed, inspected, and properly vetted through the Software Development Life cycle phases and kept in good shape.

It’s open source, there’s millions of eyes looking at it. How could anything bad slip through a million eyes?

Said everyone who has never cracked open LibSSL or glibc libraries to review code.

Some previous Examples

CCleaner” – a legitimate software that many users install to clean unwanted files and keep your system in top shape. It did a great job until 2.27 million customers were informed that the software installed backdoors to target Samsung, Sony, Asus and Fujitsu. If memory serves, it was based on the MAC address of specific target devices, including CEO (C-suite) laptops and tablets.

Dell Support Assist Tool (May 2019) Everyone who has a dell has this software pre-loaded on the OS. Very few people remove them, cause, hey, it’s useful, right? Remote code execution.

Certificate-Signed Software

Software we just simply trust. Software that is signed with a certificate by a holder (Microsoft/Apple/Facebook) that is beyond reproach. Software that is so trusted that even AntiVirus and AntiMalware suites don’t review it. Instead they skip files deemed “not a threat” and leave them untouched.

How about “when the use of cerficate-signed software prevents the installation of antivirus” !!! Based on the alteration of the User Account Control in Windows, this malware prevents users from installing certain security products, by copying digital certificates that are used to sign antivirus programs to the Untrusted Certificates in Windows. It also keeps adding them back as untrusted if their status changes.

Repository Compromise ( Docker Hub )

Imagine pinning every system you own, deploy, and use on a publicly available repository, and merging that repository to your private code stored on a third party service. A nightmare. 30 days ago, 190k users were informed of a terrifying proposition.. someone had breached their Docker repo, and if you had Docker’s autobuild feature enabled, the attack surface could shift from difrectly tampering with the official image on Docker Hub to a cascading line of access on Bitbucket or GitHub. Folks, use private registries to host the “important” stuff , you know, like your client’s Personally Identifiable Information.

.. unless you have a developer program that grabs a component of itself from an untrusted repository!

And finally, a New Compromise courtesy of Apple’s Software Delivery Mechanism.

Gatekeeper bypass enforces code signing and verifies downloaded applications before allowing them to run.


…easily bypass Gatekeeper in order to execute untrusted code without any warning or user’s explicit permission.

Filippo Cavallarin

Also I’m a little stunned about Filippo’s treatment. I reached out but don’t expect a reply for a while.

Best Practices to The Rescue.

Fillippo lists a workaround right there:

  1. Edit /etc/auto_master as root
  2. Comment the line beginning with ‘/net’
  3. Reboot

But that’s just a band-aid. Best practices should prevent this behaviour from occuring in the first place.

  1. firewalls and network traffic policy review. Should a user be able to make an NFS share to a device beyond the perimeter?
  2. endpoint reporting (like sysmon) into a SIEM to review software installation
  3. software acceptance tests. Internally review the software image and application approval lists.
  4. Periodically review software installation and communication behaviour. Sandbox software and incorporate a periodic re-certification for use in your environment.
  5. Policy. Who’s installing software, who’s choosing it, and what are the merits of it?

RiPPUL is Here To Help.

RiPPUL is an Information and Security company based in York Region, Ontario, Canada.  We offer a variety of security services including Consulting, CyberSecurity Technology Solutions, and 24×7 Monitoring and Emergency Support.