{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/synthetic-events/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":5.5,"id":"CVE-2017-7150"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["critical"],"_cs_tags":["macos","synthetic events","privilege escalation","defense evasion"],"_cs_type":"threat","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThis brief discusses a class of vulnerabilities on macOS that can be exploited through the programmatic generation of synthetic mouse events. These vulnerabilities allow attackers to bypass security mechanisms designed to protect user privacy and system integrity. The report references historic malware examples abusing synthetic events like OSX.FruitFly and OSX.DevilRobber, discusses CVE-2017-7150, and highlights unpatched 0-day vulnerabilities as of 2018. Attackers can manipulate UI prompts, including security alerts, privacy requests, and the \u0026ldquo;User Assisted Kernel Loading\u0026rdquo; interface, enabling malicious activities such as keychain theft, geolocation tracking, and unauthorized kernel extension loading. The core issue lies in the OS trusting synthetic events originating from internal processes or specific input methods like \u0026ldquo;Mouse Keys\u0026rdquo;. This creates a significant attack surface, particularly on older macOS versions, where protections against synthetic events are incomplete.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eGain initial access to the macOS system through an unspecified method (e.g., exploiting a separate vulnerability, social engineering).\u003c/li\u003e\n\u003cli\u003eThe attacker programmatically enables \u0026ldquo;Mouse Keys\u0026rdquo; via AppleScript, using \u003ccode\u003eSystem Preferences\u003c/code\u003e to reveal the \u003ccode\u003ecom.apple.preference.universalaccess\u003c/code\u003e pane and then sending synthetic mouse clicks to enable the feature.\u003c/li\u003e\n\u003cli\u003eThe attacker moves the mouse cursor to a target UI element (e.g., an \u0026ldquo;Allow\u0026rdquo; button on a security prompt) using \u003ccode\u003eCGEventCreateMouseEvent\u003c/code\u003e to create a mouse move event.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u0026ldquo;synthetic\u0026rdquo; keyboard event with keycode 87 (numberpad 5) via AppleScript, triggering a mouse click due to \u0026ldquo;Mouse Keys\u0026rdquo; being enabled.\u003c/li\u003e\n\u003cli\u003eThe OS converts the keyboard event into a trusted mouse click, bypassing protections on the target UI component.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the bypassed UI prompt to perform unauthorized actions, such as dismissing privacy alerts related to geolocation access.\u003c/li\u003e\n\u003cli\u003eThe attacker programmatically accesses sensitive data (e.g., geolocation information) that would normally require user consent.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data or uses the elevated privileges to further compromise the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass macOS security mechanisms, potentially impacting a large number of users. Attackers can steal sensitive information like keychain data, access private user data (geolocation, contacts, calendar), and load malicious kernel extensions without user consent. This can lead to complete system compromise, data theft, and persistent malware infections. The report highlights that privacy-related alerts can be trivially bypassed, raising serious concerns about user data protection. The ease of exploitation, especially with \u0026ldquo;Mouse Keys,\u0026rdquo; makes this a critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for processes enabling \u0026ldquo;Mouse Keys\u0026rdquo; via AppleScript or command-line tools; create a Sigma rule based on \u003ccode\u003eprocess_creation\u003c/code\u003e events targeting \u003ccode\u003eosascript\u003c/code\u003e executing commands related to \u003ccode\u003ecom.apple.preference.universalaccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDetect the use of \u003ccode\u003eCGPostMouseEvent\u003c/code\u003e or \u003ccode\u003eCGEventCreateMouseEvent\u003c/code\u003e API calls, especially when combined with AppleScript execution, to identify potential synthetic event generation.\u003c/li\u003e\n\u003cli\u003eAudit and monitor processes accessing sensitive user data (geolocation, contacts, calendar) after the execution of AppleScript or CoreGraphics functions, to identify potential exploitation of synthetic event vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of AppleScript commands that simulate key presses (e.g., \u003ccode\u003ekey code 87\u003c/code\u003e), especially following mouse movement events, as this may indicate abuse of the Mouse Keys feature.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-synthetic-reality/","summary":"macOS is vulnerable to synthetic mouse event attacks, allowing threat actors to bypass security mechanisms and interact with protected UI components to perform unauthorized actions like dumping keychains and loading kernel extensions.","title":"macOS Synthetic Mouse Event Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2024-01-24-synthetic-reality/"}],"language":"en","title":"CraftedSignal Threat Feed — Synthetic Events","version":"https://jsonfeed.org/version/1.1"}