1/31/2024
Jamf pro server

Jamf Threat Labs has discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. We track and protect against this malware family under the name 'RustBucket' and suspect it to be attributed to a North Korean, state-sponsored threat actor. The APT group called BlueNoroff is thought to act as a sub-group to the well-known Lazarus Group and is believed to be behind this attack. This attribution is due to the similarities noted in a Kaspersky blog entry documenting an attack on the Windows side. These similarities include malicious tooling on macOS that closely aligns with the workflow and social engineering patterns of those employed in the campaign.

Massive thanks to gabe2385 and junjishimazaki for their assistance.

The stage-one malware (0be69bb9836b2a266bfd9a8b93bb412b6e4ce1be) was discovered while performing normal hunting routines for compiled AppleScript applications that contained various suspicious commands. Among our results, we identified a suspicious AppleScript file titled main.scpt contained within an unsigned application named Internal PDF Viewer.app.

We've been using JAMF for a few years mostly without issue - this is the first time we're seeing this error. The last post I can find relating to this is from 2017. There isn't a solution there and I've tried almost everything previously listed. There's a similar error "connecting to jamf server" which can be resolved by simply uninstalling and allowing JAMF to reinstall Self Service. Also tested: computer restart, trying from an IT account (removes any variables from the user's startup items), refreshing the MDM, clean uninstall and reinstall of the JAMF Framework. I did find the list of ports, but we aren't seeing any blocked ports (on machine, router, or via ISP).

Currently this is only affecting the one machine, but as I don't have a fix there's trouble if it spreads. Issue is present both on and off VPN (so that is irrelevant). The Mac still has access to jamf controls via Terminal, still receiving profiles and policies, still reporting in all information to the server. Self Service appears to be the only thing affected. If anyone has any idea what this could be I'm open to further troubleshooting.

This information allowed us to further troubleshoot and we were able to find the issue! It is Keychain Access, but it's not the private or public key: the user had a password enrolled for automatic login to Self Service. We don't use the user logins on Self Service (it has been enabled for techs, but not for standard users and isn't built out enough for regular use). From what I can tell, it seems someone tried to log into Self Service and saved credentials which don't actually work there. Further attempts to open Self Service were relying on those credentials and those were being denied by the server, so it gave an "unable to connect to MDM server" error as a result. Removing the login password from Keychain Access resolved the issue.

Verify that the jss_url is correct in /Library/Preferences/. Verify Keychain Access keys are correct (publickey, privatekey, and login if used; if your company does not use logins, verify that any login keys are removed).
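Returning to the RustBucket excerpt above: the hunt it describes (compiled AppleScript bundled inside an unsigned .app) can be reproduced as a small filesystem sweep. The script below is an added example, not Jamf Threat Labs' tooling and not code from the original page. It assumes the bundle layout Contents/Resources/Scripts/main.scpt, calls Apple's codesign and osadecompile only when they are installed (on Linux, or any host without them, those fields come back as None rather than failing), and the list of suspicious AppleScript commands is an illustrative assumption. The sample bundle it builds, named after the one in the post, is constructed for the demonstration.

```python
"""Sweep a directory tree for .app bundles that carry compiled AppleScript.

Added example (not Jamf Threat Labs' code). Flags bundles with a
Contents/Resources/Scripts/main.scpt, records signature status via
`codesign --verify` and decompiles the script with `osadecompile` to look
for shell-execution idioms. Both tools are macOS-only; where absent the
corresponding fields are None.
"""
import os
import shutil
import subprocess
import tempfile

# Assumed indicators: AppleScript idioms for running shell commands or fetching payloads.
SUSPICIOUS_COMMANDS = ("do shell script", "curl", "osascript", "/tmp/")
SCRIPT_REL_PATH = os.path.join("Contents", "Resources", "Scripts", "main.scpt")


def _run(cmd):
    """Run a tool if it is on PATH; return (returncode, combined output) or None if absent."""
    if shutil.which(cmd[0]) is None:
        return None
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def is_signed(app_path):
    """True/False from `codesign --verify --strict`; None when codesign is unavailable."""
    result = _run(["codesign", "--verify", "--strict", app_path])
    if result is None:
        return None
    return result[0] == 0


def suspicious_commands(scpt_path):
    """Decompile a .scpt and list the suspicious commands it mentions (None if no decompiler)."""
    result = _run(["osadecompile", scpt_path])
    if result is None:
        return None
    text = result[1].lower()
    return [cmd for cmd in SUSPICIOUS_COMMANDS if cmd in text]


def find_applescript_apps(root):
    """Return one finding per .app under root that bundles a compiled main.scpt."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if not name.endswith(".app"):
                continue
            app_path = os.path.join(dirpath, name)
            dirnames.remove(name)  # treat the bundle as a leaf; do not descend into it
            scpt = os.path.join(app_path, SCRIPT_REL_PATH)
            if not os.path.isfile(scpt):
                continue
            findings.append({
                "app": app_path,
                "script": scpt,
                "signed": is_signed(app_path),
                "commands": suspicious_commands(scpt),
            })
    return findings


def build_sample_tree():
    """Constructed sample: one bundle with main.scpt (named as in the post) and one benign app."""
    root = tempfile.mkdtemp(prefix="hunt_")
    scripts = os.path.join(root, "Internal PDF Viewer.app", "Contents", "Resources", "Scripts")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "main.scpt"), "wb") as fh:
        fh.write(b"FasdUAS 1.101.10")  # compiled-AppleScript header only; no real script body
    os.makedirs(os.path.join(root, "Benign.app", "Contents", "MacOS"))
    return root


if __name__ == "__main__":
    for hit in find_applescript_apps(build_sample_tree()):
        print(hit)
```

Run it against /Applications or a user's ~/Downloads on a Mac to get a triage list; an unsigned bundle whose decompiled main.scpt contains `do shell script` or `curl` is exactly the shape of stage one in the excerpt and deserves a closer look.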