{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/microphone/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS Mojave","QuickTime Player","FaceTime"],"_cs_severities":["medium"],"_cs_tags":["macos","webcam","microphone","applescript","tcc"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eIn June 2018, a bypass was discovered in the macOS Mojave (10.14) beta (18A293u) that allowed unauthorized access to the microphone and webcam, despite Apple\u0026rsquo;s claims of new data protections requiring user permission. The bypass leverages applications with existing entitlements to access the microphone and camera, such as QuickTime Player and FaceTime. By utilizing AppleScript to control these applications, malicious actors can record audio and video without triggering the expected permission prompts. This circumvents the intended security enhancements designed to prevent surreptitious access to sensitive user devices. While Apple stated that the final version of macOS Mojave would mitigate this attack, the initial beta release was vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts an AppleScript designed to interact with QuickTime Player.\u003c/li\u003e\n\u003cli\u003eThe AppleScript uses QuickTime Player\u0026rsquo;s built-in recording capabilities.\u003c/li\u003e\n\u003cli\u003eThe AppleScript initiates a new movie recording via QuickTime Player.\u003c/li\u003e\n\u003cli\u003eThe AppleScript sets a delay to record audio and video for a specified duration.\u003c/li\u003e\n\u003cli\u003eThe AppleScript pauses and saves the movie recording to a file.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the AppleScript using \u003ccode\u003eosascript\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eQuickTime Player, due to its existing entitlements, accesses the webcam and microphone without prompting the user for permission.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the saved recording containing audio and video captured without user consent, potentially exfiltrating this data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability in macOS Mojave beta allowed unauthorized access to a user\u0026rsquo;s webcam and microphone, potentially enabling surveillance without their knowledge or consent. While the number of affected users during the beta phase is unknown, the potential for privacy violations was significant. Successful exploitation could result in the compromise of sensitive information, including personal conversations and visual data. This can lead to reputational damage, blackmail, or other malicious activities targeting the victim.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;osascript Execution Spawning QuickTime\u0026rdquo; Sigma rule to detect the execution of osascript to run AppleScripts that control QuickTime Player.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003eosascript\u003c/code\u003e with arguments that point to suspicious \u003ccode\u003e.scpt\u003c/code\u003e files using the \u0026ldquo;Suspicious AppleScript Execution via osascript\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging and file creation events to facilitate the detection of malicious AppleScripts and their execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:15:00Z","date_published":"2024-01-09T18:15:00Z","id":"/briefs/2024-01-macos-mojave-webcam-bypass/","summary":"macOS Mojave beta's new privacy controls can be bypassed by exploiting the entitlements of trusted applications like QuickTime Player via AppleScript to access the webcam and microphone without user consent.","title":"macOS Mojave Beta Webcam and Microphone Access Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-macos-mojave-webcam-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Microphone","version":"https://jsonfeed.org/version/1.1"}