Threat Bulletin

Blackwell Helix Threat Bulletin: Rootkit Installation due to macOS Vulnerability CVE-2024-44243

By: Helix Threat Team
January 15, 2025
threatbulletinheader

Key Alert:

A newly discovered macOS vulnerability, CVE-2024-44243, allows adversaries to bypass System Integrity Protection (SIP) through malicious kernel extensions, potentially leading to rootkit installations and full system compromise.

Threat Overview:

  • Targeted Component: System Integrity Protection (SIP) mechanism on macOS, specifically targeting file system protection via kernel extensions (kext).
  • Proof-of-Concept (PoC): Microsoft researchers demonstrated that unsigned kernel extensions could exploit this vulnerability to bypass SIP and execute privileged operations.
  • Exploitation in the Wild: Evidence suggests limited but targeted use by advanced persistent threat (APT) groups, with activity focused on espionage and data exfiltration.

Healthcare Impacts:

  • Unauthorized Data Access: Exploitation of this vulnerability can provide attackers unrestricted access to electronic health records (EHRs) and other sensitive data stored on macOS devices.
  • Operational Integrity: Attackers leveraging this vulnerability could install rootkits that impact the functionality of medical devices or clinical systems dependent on macOS platforms, potentially disrupting patient care workflows.
  • Incident Response Complexity: Rootkits installed through this exploit can evade standard detection methods, complicating forensic analysis and remediation efforts in healthcare environments.

Exploitation Method:

Attackers exploit CVE-2024-44243 by loading unsigned or malicious kernel extensions to bypass SIP, granting them full control over macOS systems. This method enables the installation of rootkits and other stealthy malware.

Affected Products and Versions:

  • macOS versions preceding Sequoia 15.2

Indicators of Compromise (IoCs):

  • File System Anomalies: Unexpected modifications or the presence of unsigned kernel extensions in /System/Library/Extensions or /Library/Extensions directories.
  • System Logs: Logs indicating attempts to bypass SIP or load unsigned kernel extensions.
  • Abnormal System Behavior: Unexpected kernel panics, crashes, or performance degradation linked to unauthorized kernel activity.

MITRE Tactics, Techniques, and Procedures (TTPs):

TacticsTechniques
Initial AccessT1203 (Exploitation for Client Execution)
ExecutionT1218.005 (Execution through Kernel Extensions)
PersistenceT1547.006 (Boot or Logon Autostart Execution)
Credential AccessT1552.001 (Credentials in Files)
Command and ControlT1071.001 (Web Protocols)

Recommendations for Healthcare Organizations:

Immediate Actions:

  • Audit kernel extensions across macOS systems and remove unsigned or unexpected entries.
  • Enforce strict application control policies to prevent unauthorized installations.
  • Deploy macOS updates immediately

Long-Term Defense:

  • Implement robust file integrity monitoring across critical systems.
  • Educate staff about phishing and spear-phishing attacks that could lead to exploitation.
  • Use Endpoint Detection and Response (EDR) tools to detect rootkit-like behavior and C2 traffic.

Leadership Guidance:

This vulnerability underscores the critical importance of swift patch adoption and continuous proactive monitoring of macOS systems within healthcare environments. In scenarios where patching is not feasible due to operational constraints, healthcare organizations should prioritize strategic investment in advanced endpoint security solutions. These tools must be capable of detecting and mitigating sophisticated rootkit activities, ensuring the integrity and security of critical systems while maintaining uninterrupted operations.

Blackwell Security MHXDR Customers:

For Blackwell MHXDR clients, applying macOS updates to at least Sequoia 15.2 removes the threat associated with CVE-2024-44243. For systems that have not yet been updated, Blackwell Security continuously monitors potential malicious kernel extensions.

References:

Microsoft Uncovers macOS Vulnerability CVE-2024-44243 Allowing Rootkit Installation

Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions

About the security content of macOS Sequoia 15.2

Tags
Healthcare macOS
About the Author
Blackwell Helix Logo
Helix Threat Team
Blackwell’s Helix Threat Team takes a proactive approach to prioritizing the response to signals derived from various sources, including industry threat intelligence (commercial, government & open-source), in-house indicators of compromise born from intense analysis, and security control gaps. By leveraging a two-part methodology—exposure analysis and threat enrichment—Helix delivers contextual insights and automates the identification of hidden vulnerabilities and emerging threats within healthcare environments. This combination of enriched threat signals and comprehensive analysis enables Helix to identify and address risks before they escalate.
More from this author
Back to Resources
Related Resources
View all
threatbulletinheader
Threat Bulletin
Blackwell Helix Threat Bulletin: Rootkit Installation due to macOS Vulnerability CVE-2024-44243
January 15, 2025
January 15, 2025
Read More
threatbulletinheader
Threat Bulletin
Blackwell Helix Threat Bulletin: NonEuclid Remote Access Trojan (RAT)
January 9, 2025
January 9, 2025
Read More
threatbulletinheader
Threat Bulletin
Blackwell Helix Threat Bulletin: Chrome Extension Exploitation
January 7, 2025
January 7, 2025
Read More
Blackewll logo
Blackwell is cybersecurity made for healthcare.

Our comprehensive security platform and expert managed services provide the most complete protection for healthcare organizations. Leading providers across North America trust Blackwell to reduce cyber risk, stay compliant, and build trusted experiences across the care continuum.

© 2025 Blackwell Security | Privacy Policy | Sitemap