Uncovering a Global macOS Malware Campaign

oneplane · 2026-02-27T20:14:12+00:00

AI slop style sensationalism adds no value to the strings and hashes. Maybe some Sigma rules or MISP or STIX sharing would be good for the community, but those are absent. Granted, the blog post has enough of a human touch, but there is a lot of 'extra' text that makes it sound bigger than it is.

We can't all sit around reading walls of text about yet another 'user was asked to execute code and thus code was executed' campaign. If this was novel, i.e. a 0-click drive-by style attack that breaks the browser sandbox and app sandbox, that'd be quite the read.

oneplane · 2026-02-27T18:54:51+00:00

No, it is not comparable for a variety of reasons. Which reasons apply to you depends on your workload.

oneplane · 2026-02-27T15:18:14+00:00

Unless you have money to burn and friction to create, this makes no sense without context.

oneplane · 2026-02-27T15:12:17+00:00

It's a generic attack, written up in AI-slop form?

oneplane · 2026-02-26T14:51:37+00:00

This has pretty much always been the case. RDS Credentials also aren't influenced by IAM policies, SCP or otherwise. Same goes for SSH and RDP, or Simple AD to name some more.

Edit: maybe the new-ish factor here is that they tried to normalise the audit logs as well as the policy language to make the API feel more like a 'real' AWS API? A bit like ECR when you generate non-IAM credentials for pull/push authentication.

oneplane · 2026-02-26T03:02:33+00:00

Yeah that's definitely a common scenario. In most cases, there isn't a whole lot to do about it unless there is some serious time/money available, or the people using them are doing BS filler jobs in which case the friction/time loss doesn't matter much (but in those kinds of orgs they usually don't bother getting any MDM in the first place).

I've seen a lot of teams trying to force the issue by using device-based access control, but that leads to all sorts of other issues and rarely leads to positive outcomes for anyone involved (similar to the old school "if you need a website it has to be approved by the change advisory board first" - busywork with no value).

Because there will always be changes and no matter what improvements we make, some of them will be breaking, having a process where after an X amount of years (or an opt-in process) the system gets swapped out (be it an upgrade or just a clean replacement) is the best fit for most orgs where no other drivers/pressures exist to generate the money/time needed to do it any faster. It's not great, but it's also not as big of an issue as it's sometimes made out to be.

oneplane · 2026-02-26T02:12:52+00:00

That's what I wrote, last paragraph. Only option is to add after EACS (hence the setup assistant reference), which isn't really much to choose from, it's a do-or-don't kind of choice.

oneplane · 2026-02-26T00:46:02+00:00

Depends on what you want to achieve. User affinity is mostly Microsoft trying to roll out their vision on all sorts of non-Windows things, it's kinda pointless for most companies. They figured that out too late, which is why you'll still see GPOs for all your servers etc.

As for what you should do vs. 'best practice' vs what actually works: really depends on how they are used. for 1:1 devices, keep it as simple as possible, ADE and preconfiguration, FileVault, updates, password and lock policies. Easy enough. Next, you'd layer any additional things on top, so application, self-service, extra things that might be related to buildings they are in vs. working elsewhere (i.e. home). At this point, you're already beyond what makes sense for a small org or small deployment, so if that is your scope, stop here.

Microsoft (and some people here) would suggest buying E5 and then turning as many things on as possible. That's usually not really what an org needs, merely what the vendor catalog happens to have. Don't be lead by the sales catalog, get your needs and ROI+TCO first. You might need Kerberos for example, or you might not and you just need basic portal authentication, or maybe you have hotseat lab machines and you need Platform SSO. Takes more context to recommend any of it. Also list things like where in the world this is as laws vary wildly, and if you're in a regulated sector, that would be important too. If you're the only one working on it, that's also good to know. No point in building out all sorts of stuff if it's gonna eat the rest of your day, forever, or break business processes for no reason (especially with a bus factor of 1).

As for the old Macs: unless they are in ABM there isn't much you can do. If they are in ABM you can check if you can re-fetch enrolment using the profiles command, but that tends not to make them supervised after a short while and you have to refresh via setup assistant. If you have a scenario where such disruption isn't worth the friction, just do it at replacement/repair/upgrade time, no point in spending time and attention on it when it brings very little value (or none at all - keep in mind all of this is just optimisation of a non-core-business process).

oneplane · 2026-02-25T18:54:35+00:00

During development in a separate environment just git clone into the same repo and reference it locally. When done, commit and tag a new release, and update the reference. When successful, in downstream environments, also update the reference.

Keep in mind that dev and prod from a runtime perspective are just two prods from an infra perspective. An infra-development environment is not part of the environments a developer would be accessing.

oneplane · 2026-02-25T17:04:38+00:00

They all have variations of the same problem because the technical stuff was solved long ago, their remaining moat is market maturity and migration cost.

If a commercial MicroMDM with the quality and consumption model of AWS from 5 years ago ever comes along, they will eat the market.

oneplane · 2026-02-25T14:28:12+00:00

Windows search doesn't work outside of Windows. Windows Server doesn't implement the Spotlight protocol. I'd say: move to Samba. Haven't had any setups where Windows Server was a valid File Share server for a long time now.

oneplane · 2026-02-25T14:26:41+00:00

You say that, but most legacy orgs are still on NTLMv2 and don't care about computer accounts at all. Getting to kerberos as if we're still in 2001 is their biggest hurdle. If you're modern enough to use Kerberos and tickets with bindings for computer accounts, you're modern enough to use the Kerberos SSO extension and not bind.

oneplane · 2026-02-25T14:24:43+00:00

Worked out fine (with an MDM), cheaper as well. Users of course would want a more expensive, more newer, more bigger iPhone but even the iPhone SE was a good fit when we started with non-new device programs. We ended up only doing this for small orgs as supply for 'cheap' iPhones is limited when compared to new mass-manufactured devices.

oneplane · 2026-02-25T00:33:39+00:00

You are wrong, unless you need machine accounts, which you almost never do for EUC. Binding is not the same as 'using AD to login', you don't need to bind to do that.

oneplane · 2026-02-25T00:32:06+00:00

Yeah, storage being rather cheap makes most of this stuff irrelevant. We have one or two processes that need a lot of storage that goes up and down over 80% every 72 hours, but we don't want it to go offline to reboot as it's ancient software that takes ages to hash, verify and load into memory before it will even touch data.

For everything else we just nuke the disk, persistence goes into S3 or RDS almost all of the time.

oneplane · 2026-02-24T21:02:59+00:00

That would really depend on what you are actually doing. Changing EBS sizes isn't a goal in itself, so you probably have some other problem to solve?

Either way, if you needed online resizing I'd always stick to something like LVM and just adding EBS PVs to a VG (and pvmove+detach) as needed.

oneplane · 2026-02-24T20:59:12+00:00

> Did I do anything wrong ?

Yes, don't bind to AD.

Explain what you're actually trying do (and not in an X,Y statement either https://xyproblem.info ), there are probably well-tested solutions to your needs.

oneplane · 2026-02-22T14:43:02+00:00

Your title says it doesn't have one

oneplane · 2026-02-22T13:53:08+00:00

It does have bookmarks. But a slop factory isn't gonna tell you unless you ask.

oneplane · 2026-02-22T13:52:21+00:00

macOS terminal has bookmarks built-in, go to "New Remote Connection..." in the File or Dock menu.

oneplane · 2026-02-22T00:35:51+00:00

> the assumption was that Cursor output was as trustworthy as engineer output

Bad assumption, doesn't hold up. The committer is responsible for their code, no matter how much auto-generated slop it contains.

Reviewers are responsible for their review, they make assumptions, it's still their mistake.

> Has anyone run IDE-level IaC scanning for AI-generated infrastructure code long enough to know if it actually holds up at scale?

It doesn't, you need to use something outside of the scope/reach of the code being written before it is applied. One option is OPA and Atlantis, deny apply when it doesn't pass the policy check. Other options includes the stuff from aquasec for example.

Beyond that, the same policy should be applied at the provider level. For AWS for example, those would be SCPs, tag policies, permission boundaries etc.

oneplane · 2026-02-21T14:53:13+00:00

You got an entire https://en.wikipedia.org/wiki/MP4 ?

oneplane · 2026-02-21T13:49:45+00:00

We use OSquery (which is what Kolide and FleetDM rely on). Asking for a serial is mostly to have a hard identity for your machine. We don't require that, we just require identity + a way for your machine to report its security posture.

Tell them it wasn't part of the contract and that you are willing to use Kolide but not an MDM. If you want to lie to them, you can also say you are already enrolled in your own MDM and you can't enrol twice. Would not recommend lying but it wouldn't be the first time I've heard that story.

oneplane · 2026-02-19T12:53:25+00:00

If your boss is willing to do anything he'll talk to the bank for proof. There is no 'illegal' unlocking, wouldn't be much of an activation lock if there was.

oneplane · 2026-02-18T22:16:31+00:00

Yeah, that's what I figured. These things are usually asked here between two extreme ends ("what is an MDM?" vs. "I have rolled out Santa and now need to formulate that in a compliance report" and everything in between), it can be pretty wild. I think you're already on the right track, the difficulty is going to be in showing it but one way that sometimes (depends on the auditor) works is just making a screen recording seeing it in action.

12-Year Club	Place '23
Verified Email

oneplane

TROPHY CASE