MITRE to Add Two New Sub-Techniques Exploited by North Korean Threat Actors to ATT&CK Database
MITRE has announced that two sub-techniques commonly used by North Korean threat actors will be added to its ATT&CK knowledge base. Both have been used to gain or extend privileged access on macOS and Windows hosts in support of espionage and other malicious activity.
The first sub-technique is the manipulation of Transparency, Consent, and Control (TCC), the macOS privacy framework that decides which applications may access protected resources such as the camera, microphone, the user's files (Full Disk Access) and Accessibility. TCC's decisions are recorded in a SQLite database that System Integrity Protection (SIP) prevents even root from editing directly. The approach is not new, but North Korean actors have used it against Macs: an attacker who already has code execution and finds SIP disabled or bypassed can write entries into that database and grant their own tooling permissions the user never approved, rather than triggering the consent prompt a normal request would produce.
The second, "phantom" dynamic link library (DLL) hijacking, is a less familiar variant of DLL hijacking on Windows. Some Windows components and third-party programs try to load DLLs by name that do not exist anywhere on the system; Windows walks its search order, finds nothing, and the load fails silently. An attacker who can write to any directory on that search path drops a DLL with the expected name, and the next time the process starts it loads the attacker's code with the process's privileges. Because no legitimate file is replaced or modified, defences that watch existing binaries for tampering see nothing change.
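Phantom DLL loads leave a characteristic trace: a process probes the same DLL name through several directories of the search order and never finds it. The following Python script, added here as an editor's example and not part of the original article, reconstructs that pattern from a Process Monitor style CSV export (the column names follow ProcMon's export layout; the rows, process names, DLL names and the set of writable directories are all constructed for the example) and reports DLLs that were looked up but never found, together with the probed directories a low-privileged user could write to.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample in Process Monitor's CSV export column layout.
# svc_example.exe probes plugin_ext.dll through five directories and never finds
# it; version.dll is also probed but is eventually found in System32 (not phantom).
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","svc_example.exe","1234","CreateFile","C:\\Program Files\\ExampleVendor\\Agent\\plugin_ext.dll","NAME NOT FOUND","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:01:02.2","svc_example.exe","1234","CreateFile","C:\\Windows\\System32\\plugin_ext.dll","NAME NOT FOUND","Desired Access: Execute/Traverse"
"10:01:02.3","svc_example.exe","1234","CreateFile","C:\\Windows\\System\\plugin_ext.dll","NAME NOT FOUND","Desired Access: Execute/Traverse"
"10:01:02.4","svc_example.exe","1234","CreateFile","C:\\Windows\\plugin_ext.dll","NAME NOT FOUND","Desired Access: Execute/Traverse"
"10:01:02.5","svc_example.exe","1234","CreateFile","C:\\Program Files\\ExampleVendor\\Agent\\Tools\\plugin_ext.dll","NAME NOT FOUND","Desired Access: Execute/Traverse"
"10:01:02.6","svc_example.exe","1234","CreateFile","C:\\Program Files\\ExampleVendor\\Agent\\version.dll","NAME NOT FOUND","Desired Access: Execute/Traverse"
"10:01:02.7","svc_example.exe","1234","CreateFile","C:\\Windows\\System32\\version.dll","SUCCESS","Desired Access: Execute/Traverse"
"10:01:03.0","updater.exe","2222","CreateFile","C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll","NAME NOT FOUND","Desired Access: Execute/Traverse"
"""

# Constructed: directories on the search path that an unprivileged user can
# write to on the sample host (a vendor tools directory on PATH, and %TEMP%).
WRITABLE_DIRS_SAMPLE = {
    "C:\\Program Files\\ExampleVendor\\Agent\\Tools",
    "C:\\Users\\alice\\AppData\\Local\\Temp",
}


def _norm(path):
    """Case-insensitive, trailing-slash-insensitive key for Windows directories."""
    return path.lower().rstrip("\\")


def find_phantom_dlls(procmon_csv, writable_dirs):
    """Group DLL file-open attempts by (process, dll name) and return those that
    never succeeded anywhere in the search order. Each finding lists every
    directory probed and the subset of those directories that is writable."""
    attempts = defaultdict(list)  # (process, dll) -> [(directory, result)]
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] != "CreateFile":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        key = (row["Process Name"], ntpath.basename(path).lower())
        attempts[key].append((ntpath.dirname(path), row["Result"]))

    writable = {_norm(d) for d in writable_dirs}
    findings = []
    for (process, dll), probes in sorted(attempts.items()):
        if any(result == "SUCCESS" for _, result in probes):
            continue  # the DLL exists somewhere in the search order: not phantom
        probed_dirs = [directory for directory, _ in probes]
        findings.append({
            "process": process,
            "dll": dll,
            "probed_dirs": probed_dirs,
            "writable_probe_dirs": [d for d in probed_dirs if _norm(d) in writable],
        })
    return findings


if __name__ == "__main__":
    for f in find_phantom_dlls(SAMPLE_PROCMON_CSV, WRITABLE_DIRS_SAMPLE):
        exposure = "EXPOSED" if f["writable_probe_dirs"] else "not writable"
        print(f"{f['process']} -> {f['dll']}: probed {len(f['probed_dirs'])} dirs, {exposure}")
        for d in f["writable_probe_dirs"]:
            print(f"    writable: {d}")
```

Run against a real export, the same logic applies, but the writable-directory set should come from an ACL check (for example `icacls` output) rather than a hand-written list, and findings for processes running as SYSTEM or as a service deserve the most attention, since those are the ones where a planted DLL yields privilege escalation rather than just persistence.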
Marina Liang, a threat intelligence engineer at Interpres Security, explains that North Korean threat actors are opportunistic and have been targeting macOS due to its increasing popularity. By exploiting vulnerabilities in TCC and phantom DLLs, these hackers have been able to bypass security measures and gain unauthorized access to sensitive systems.
To defend against these techniques, security experts recommend keeping SIP enabled on macOS, since it is what stops the TCC database from being rewritten, and deploying application control on Windows so that a DLL dropped into an unexpected location is not loaded in the first place. Reviewing which applications hold TCC permissions, and applying least privilege to accounts and to directory permissions on the DLL search path, further reduces the room an attacker has to work with.
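Reviewing TCC grants is easier to do from a copy of the TCC database than from the System Settings UI. The Python below is an editor's example, not from the article, and audits the `access` table of a TCC.db for high-impact grants. It builds a constructed in-memory stand-in whose schema is reduced to four columns that exist in the real table (`service`, `client`, `client_type`, `auth_value`; the full schema has more columns and varies by macOS version), using real TCC service identifiers but made-up client names; `build_sample_tcc_db` and the expected-client allowlist are assumptions for the example.

```python
import sqlite3

# Real TCC service identifiers whose grant is high-impact.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility (control of other apps' UI)",
    "kTCCServiceScreenCapture": "Screen Recording",
}
AUTH_ALLOWED = 2  # auth_value meaning "allowed" in current TCC.db versions
CLIENT_TYPES = {0: "bundle id", 1: "path"}


def build_sample_tcc_db():
    """Constructed stand-in for a copied TCC.db (schema reduced to the columns
    this audit reads). Returns an open sqlite3 connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, auth_value INTEGER)"
    )
    rows = [
        # expected: a backup agent with Full Disk Access
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backupagent", 0, 2),
        # suspicious: an unsigned-looking binary under a hidden directory, identified by path
        ("kTCCServiceSystemPolicyAllFiles", "/Users/alice/.cache/.updater", 1, 2),
        ("kTCCServiceAccessibility", "com.example.windowmanager", 0, 2),
        # denied grant: must not be reported
        ("kTCCServiceScreenCapture", "com.example.meetings", 0, 0),
        # allowed, but not in the sensitive list
        ("kTCCServiceCamera", "com.example.meetings", 0, 2),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    return conn


def audit_tcc(conn):
    """Return every allowed grant of a sensitive service as a dict."""
    cur = conn.execute(
        "SELECT service, client, client_type, auth_value FROM access "
        "WHERE auth_value = ? ORDER BY rowid",
        (AUTH_ALLOWED,),
    )
    return [
        {
            "service": service,
            "meaning": SENSITIVE_SERVICES[service],
            "client": client,
            "client_type": CLIENT_TYPES.get(client_type, f"unknown({client_type})"),
        }
        for service, client, client_type, _ in cur
        if service in SENSITIVE_SERVICES
    ]


def unexpected_grants(conn, expected_clients):
    """Sensitive grants whose client is not on the reviewer's allowlist."""
    return [g for g in audit_tcc(conn) if g["client"] not in expected_clients]


if __name__ == "__main__":
    db = build_sample_tcc_db()
    allowlist = {"com.example.backupagent", "com.example.windowmanager"}
    for g in audit_tcc(db):
        flag = "" if g["client"] in allowlist else "  <-- not on allowlist"
        print(f"{g['meaning']:<45} {g['client']} ({g['client_type']}){flag}")
```

On a real Mac the user database lives at ~/Library/Application Support/com.apple.TCC/TCC.db and the system one at /Library/Application Support/com.apple.TCC/TCC.db; reading them requires a process that itself holds Full Disk Access, and the audit should be run on a copy, never by editing the live file. Any allowed Full Disk Access or Accessibility row for a client you cannot account for is worth treating as a possible TCC manipulation, especially on a machine where `csrutil status` reports SIP disabled.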
These additions are a reminder that attacker tradecraft keeps adapting; organizations need to keep their defensive baselines current and monitor for the behaviours these sub-techniques describe in order to protect sensitive data from malicious actors.