body { -ms-overflow-style: scrollbar; overflow-y: scroll; overscroll-behavior-y: none; } .errorContainer { background-color: #FFF; color: #0F1419; max-width: 600px; margin: 0 auto; padding: 10%; font-family: Helvetica, sans-serif; font-size: 16px; } .errorButton { margin: 3em 0; } .errorButton a { background: #1DA1F2; border-radius: 2.5em; color: white; padding: 1em 2em; text-decoration: none; } .errorButton a:hover, .errorButton a:focus { background: rgb(26, 145, 218); } .errorFooter { color: #657786; font-size: 80%; line-height: 1.5; padding: 1em 0; } .errorFooter a, .errorFooter a:visited { color: #657786; text-decoration: none; padding-right: 1em; } .errorFooter a:hover, .errorFooter a:active { text-decoration: underline; } #placeholder, #react-root { display: none !important; } body { background-color: #FFF !important; }

JavaScript is not available.

We’ve detected that JavaScript is disabled in this browser. Please enable JavaScript or switch to a supported browser to continue using twitter.com. You can see a list of supported browsers in our Help Center.

Terms of Service Privacy Policy Cookie Policy Imprint Ads info © 2023 X Corp.

Follow

Patrick Wardle

@patrickwardle

Founder of the Objective-See Foundation

Maui, HIobjective-see.orgJoined October 2013

Patrick Wardle’s Tweets

Pinned Tweet

RE: The 3CX VOIP supply chain attack, vendors have stated that macOS was also targeted - but I couldn't find any specific technical details (yet) 🍎🐛☠️ One vendor stated, "we cannot confirm that the Mac installer is similarly trojanized" ...let's dive in! 1/n 🧵

14

248

592

Show this thread

And speaking of the

supply chain attack, I'm stoked at the opportunity to talk more about this at

@BlackHatEvents

🤩 Specifically diving into the technical details of the three unique macOS payloads used in what many are calling the first "chained" supply chain attack🍎🐛🐛

Quote Tweet

The @3CX supply chain attack resulted in trojanized installers signed w/ @3CX's Dev ID which were then naively notarized by @Apple

TIL, Apple did not revoke @3CX's signing cert just the notarization ticket of the installer(s)

So technically they're still validly signed

Show this thread

3

11

Link to WYS's code implementing notarization ticket checks: github.com/objective-see/ Note: Not an "Apple approved" approach as SecAssessmentTicketLookup isn't part of the public SDK. But (AFAIK) there isn't an "official" way to check ticket status what are we supposed to do?! 😅

WhatsYourSign/WhatsYourSignExt/FinderSync/Signing.m at efedb19e68b52062ca1af3e5c53fbf599fa12b10 ·...

WhatsYourSign adds a menu item to Finder.app. Simply right-, or control-click on any file to display its cryptographic signing information! - WhatsYourSign/WhatsYourSignExt/FinderSync/Signing.m at ...

3

11

Show this thread

I've implemented this in the latest version of "What's Your Sign" (WYS) WYS is a free open-source tool that adds a menu item to Finder, allowing you to right-/control-click on any file to display its code signing/notarization status 🔐 Tool/Source code: objective-see.org/products/whats

1

4

9

Show this thread

But, what if you want to check an items status programmatically? You can use the undocumented SecAssessmentTicketLookup API, passing in the item's truncated SHA256 cdhash. If the API fails, and the error is EACCES, you know the ticket has been revoked!

1

1

7

Show this thread

Of course, macOS also checks the notarization status before running an item, and thus will now prevent the infected installers from running, as the ticket has been revoked. You can manually check the notary status of an item via spctl -a -vv <path> or stapler validate <path>

1

1

4

Show this thread

The

supply chain attack resulted in trojanized installers signed w/

's Dev ID which were then naively notarized by

🤦🏻‍♂️ TIL, Apple did not revoke

's signing cert just the notarization ticket of the installer(s) 👀 So technically they're still validly signed 🔐

3

19

63

Show this thread

Patrick Wardle Retweeted

📌 MacPaw Experts' Top Security Apps: • MetaImage

• Pareto Security

• BlockBlock

• TaskExplorer

• Wireshark

• Endurance

6

13

Show this thread

Patrick Wardle Retweeted

Objective-See Foundation

Tickets for #OBTS v6.0 are sold out, so registration is now closed 🎟️🙈 You can still procure a ticket if: 1️⃣ You come give a talk 2️⃣ You sign up for a training 3️⃣ Your company is a "Friend of Objective-See"

4

14

Really stoked about the amazing programs we're able to support via "Objective-We" 🥰 Thanks again to

, our sole platinum-level "Friend of Objective-See" for their vision, support & commitment to the

Foundation and "Objective-We" program 🙏🏽

Quote Tweet

Objective-See Foundation

Our "Objective-We" program (objective-see.org/we.html) is working to make the macOS space more inclusive & accessible to everyone!

Thru this program we're funding scholarships for @ekoparty's Hackademy (ekoparty.org/hackademy/) Big mahalo to our (platinum) supporter @KandjiMDM

2

16

Patrick Wardle Retweeted

Objective-See Foundation

Our "Objective-We" program (objective-see.org/we.html) is working to make the macOS space more inclusive & accessible to everyone! 🥰 Thru this program we're funding scholarships for

's Hackademy (ekoparty.org/hackademy/) Big mahalo to our (platinum) supporter

6

14

Patrick Wardle Retweeted

Josh Long (the JoshMeister)

@theJoshMeister

Thanks to all the great presenters! If you’d like to follow anyone mentioned in the article, here are those on Twitter (“Show more” to see the full list):

@HeatherMahalik

… Show more

5

15

Show this thread

Patrick Wardle Retweeted

Josh Long (the JoshMeister)

@theJoshMeister

I just updated my #RSAC 2023 highlights article with video embeds/links to each presentation that I featured—and added a few more. (

uploaded all their videos to YouTube this week.) Check out my RSA Conference coverage here ⬇️

Highlights from RSA Conference 2023: AI, Malware, and More - The Mac Security Blog

At RSA Conference 2023 in San Francisco, some of the hot topics included the rise of AI-related attack techniques, malware, and software supply chain attacks. Here are my top takeaways for users of...

1

4

12

Show this thread

Patrick Wardle Retweeted

Howard Oakley, Eclectic Light Co

Bastion in defence of Sonoma security eclecticlight.co/2023/06/10/bas via

eclecticlight.co

Bastion in defence of Sonoma security

In Ventura, Apple has been introducing more behavioural detection and protection. This is only going to expand in Sonoma. Here’s what it promises.

9

17

Patrick Wardle Retweeted

In this guide, we used the intentionally vulnerable iOS application known as DVIA-2 to show how sensitive information can be missed when performing app security assessments. Take a deeper look at databases for #iOS applications and how they work.

How to Assess iOS Database Storage Security With Corellium

When conducting a mobile app security assessment, it’s critical to test iOS database storage. See how to test iOS app data storage in the DVIA-2 application.

7

25

Patrick Wardle Retweeted

I am so excited: today was published the #WWDC23 code-along session where I am talking about the integration of #SwiftData with #SwiftUI! Check it out: developer.apple.com/videos/play/ww 🤩

developer.apple.com

Build an app with SwiftData - WWDC23 - Videos - Apple Developer

Discover how SwiftData can help you persist data in your app. Code along with us as we bring SwiftData to a multi-platform SwiftUI app...

5

23

177

Patrick Wardle Retweeted

Davide Italiano

Today at WWDC we introduced a new static linker. It is a ground-up rewrite that’s up to 5x faster than ld64. The new linker is written with multicore in mind, and it’s the first production ready parallel linker officially supported for iOS development. (1/n)

22

344

1,725

Show this thread

Enjoyed reading about

latest macOS bugs! ...though seems Apple still struggles to effectively patch issues, often (inadvertently) introducing more bugs via the "patch" 🤦🏻‍♂️

Quote Tweet

New blog post here: CVE-2022-32902: Patch One Issue and Introduce Two jhftss.github.io/CVE-2022-32902

1

11

42

Patrick Wardle Retweeted

New blog post here: CVE-2022-32902: Patch One Issue and Introduce Two jhftss.github.io/CVE-2022-32902

4

45

129

Patrick Wardle Retweeted

I don't talk about Darwin, no, no, no...

@Morpheus______

In other news, my attempt at a universal decompressor - a.k.a imjtool (nightly build for Darwin) now supports img4 and BVX2 (in addition to zip, lz4, pbzx, yaa, bz2, gzip and much more) so you can decomp the kernelcache and new SPTM from the ios17 IPSW newandroidbook.com/tools/imjtool.

1

13

74

Thoroughly enjoyed

's writeup of their latest SIP bypass (CVE-2023-32369) "New macOS vulnerability, Migraine, could bypass System Integrity Protection": microsoft.com/en-us/security Also neat to learn about their internal researcher tools, inspired by some of my own! 🥰

1

8

52

Patrick Wardle Retweeted

DCG 201 :: defcon201

TOMORROW @ 12:30 PM EST, join #DCG201 Sidepocket with #InfoSec hackers (

@gergely_kalman

,

& more) as we react & critique the tech showcased at #Apple #WWDC23 LIVE! Watch on #Twitter, #Twitch, #YouTube, #Odysee, #PeerTube &

: linktr.ee/defcon201

3

4

14

Show this thread

Patrick Wardle Retweeted

I'd like to share some insights about a new feature on macOS Ventura called XProtectBehaviorService that Apple recently added. Even though it's experimental, it's worth discussing.

1

30

99

Show this thread

Patrick Wardle Retweeted

Ivan Kwiatkowski

Kaspersky released a new blogpost today, documenting an iOS 0day + zero-click exploit used to target cybersecurity researchers. The scope and full victimology are still unknown.

Operation Triangulation: iOS devices targeted with previously unknown malware

While monitoring the traffic of our own corporate Wi-Fi network, we noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices...

10

268

691

Show this thread

Patrick Wardle Retweeted

On top of the last one... the

conference youtube is such a gem to learn macOS and iOS reversing, tooling, testing, and defense techniques! youtube.com/@objectivebyth 🧵 3/x

1

9

30

Show this thread

Patrick Wardle Retweeted

Brendan Chamberlain

Replying to

@cyberGoatPsyOps

The CLI tools from

are great too.

objective-see.org

Commandline Utilities

CLI utilities to facilate system monitoring and malware analysis.

2

7

17

Patrick Wardle Retweeted

@OSINT_Research

For #OSINT Macos users, I can recommend to also check out

's other tools. TY 🙏

Quote Tweet

Objective-See Foundation

Replying to @OSINT_Tactical @OSINT_Research and @Sector035

Yes, there is functional overlap. OverSight precedes macOS' mic/cam protection, and also supports additional features (e.g., run a custom script when activity detected). Also has been able to detect bypasses of Apple's mic/cam protections: twitter.com/patrickwardle/

3

5

If you're stoked on free, open-source, macOS security tools & research, you can support my efforts via

: patreon.com/objective_see 😇

Patrick Wardle | Creating Mac Security Tools | Patreon

2

7

20

Show this thread

And just released v2.1.0 of "What's Your Sign" (WYS) which now can tell you if a .pkg is notarized 🔐👀 WYS adds a menu item to Finder. So once installed, you can simply right-/control-click on any file to display its cryptographic signing information. objective-see.org/products/whats

1

4

22

Show this thread

📦 macOS's pkgutil now checks the notarization of .pkgs 🔬 Reversing shows this is done via the undocumented SecAssessmentTicketLookup 👨🏻‍💻 I've (re)implemented this in "What's Your Sign": github.com/objective-see/ ...so, if you want to programmatically verify .pkgs, have a peek!

3

24

136

Show this thread

Patrick Wardle Retweeted

This is another sample of #Lazarus #APT part of this campaign: twitter.com/ESETresearch/s It is a malicious PDF reader for #macOS 3f6566477e496c573e4e90acd15f242980cfdf5f27903a0eac287b05380b7132 Spirit Blockchain Capital 2023 - Pitch Deck\.zip

Quote Tweet

#ESETResearch warns about a CPIO archive named “Jump Crypto Investment Agreement.zip” uploaded to VirusTotal from the USA

. It is another malicious PDF viewer distributed by #Lazarus #APT for #macOS twitter.com/jbradley89/sta @pkalnai @michalmalik 1/7

Show this thread

6

36

65

Show this thread

Patrick Wardle Retweeted

Registration is now open for #VB2023 London, with some great deals for early bird bookings! The programme includes a mix of engaging and broad-ranging papers, featuring experts in the field from all around the world - check it out and register at virusbulletin.com/conference/vb2

1

10

18

Will update the server-side JSON shortly to trigger the update prompt client-side. (Always prefer to delay this a bit, to ensure I didn't break anything 😅)

1

7

Show this thread

If you want to support my tools, books, the #OBTS conference, and much more, join me on

!!

Patrick Wardle | Creating Mac Security Tools | Patreon

2

11

Show this thread

Mahalo to all my patrons for supporting my efforts to create free, open-source security tools for macOS! 🙏🏽 Today, just published LuLu v2.5: 🙈 Bug fixes 📡 Option to allow DNS traffic (#481) 📴 Option to disable crash reporting (#488, #531) Read more: patreon.com/posts/lulu-v2-

4

31

129

Show this thread

Patrick Wardle Retweeted

Howard Oakley, Eclectic Light Co

Crashes, panics, freezes and other unexpected events eclecticlight.co/2023/05/24/cra via

eclecticlight.co

Crashes, panics, freezes and other unexpected events

Using the correct term gets us half way to a diagnosis: kernel panics, freezes, app crashes and unresponsive apps are distinguished here.

4

13

Patrick Wardle Retweeted

🔺New on the Apple Security Research blog: we pit our hardened kalloc_type XNU allocator against SockPuppet, a powerful vulnerability from the past:

security.apple.com

Blog - What if we had the SockPuppet vulnerability in iOS 16? - Apple Security Research

The next post in our XNU memory safety series examines how our hardened kernel allocator performs in the real world against a previously patched but powerful UAF software vulnerability. In this...

2

92

243

Patrick Wardle Retweeted

It's that time of the week again!!

Quote Tweet

A now routine task for a Tuesday, pinging Apple until they reply. (Context: Bug disclosed and fixed by Apple, promised credit on multiple occasions.. nothing for 12 months+)

3

14

55

Patrick Wardle Retweeted

Oh look. It's Zoom playing Repression's Little Helper in China. cyberscoop.com/zoom-china-doj

1

36

86

Patrick Wardle Retweeted

@ClassicII_MrMac

Apple has released the details of the macOS Ventura 13.3.1 (a) RSR update.🔐

Quote Tweet

@ClassicII_MrMac

Apple has not shared the security content of the latest iOS & macOS Rapid Security Response Updates. IMO update details should be shared for any Mac or iOS update that requires a restart.

If you agree, please file feedback with Apple.

twitter.com/ClassicII_MrMa…

8

51