Apple Remote Desktop Hacked?

I’ve used Apple Remote Desktop heavily for business and personal uses for the last couple of years.  I've always kept the remote management icon (binoculars) in my menu bar on my systems and a couple days ago it changed to the "active monitoring" icon when I did not initiate it from another machine…  

A little background on the setup:  I have an iMac and a MacBook Pro on my home network, both with ARD.  They can manage each other or VPN to my workplace and manage five Mac Pro systems there.  I also have ARD on one Mac Pro at work; that one can manage the other systems at work but cannot tap into my home network.  

Shortly after 5PM, I had logged into the iMac at home for the first time that day.  It had been running but just on the lock screen up to this point.  I was using Quicktime Player to screen record a workflow to send someone.  I did this a few times until I was satisfied with the recording and proceeded to export it.  Moments later, around 5:45, I saw the icon change.  I wasn’t sure how that would be possible, but clicked the icon to “message the administrator” to which it returned an error to the effect of the administrator being unavailable.  I quickly went to my sharing settings to disable remote management.  It returned a prompt that said this would end a screen sharing session in-progress.  I proceeded and the checkmark became greyed out for about a minute or so before actually disabling.  I then unplugged the ethernet cable, saved console logs, and shut down.  

I’m hoping someone may be able to offer clarity about what happened here.  It seems far fetched to me that someone would gain access to my network and system passwords or be able to hack my ARD.  I’m also wondering if the Quicktime screen recording may have triggered some similar process to screen sharing.  The only other variable I can think of was that the MacBook Pro, which was in sleep mode at the time, did have the ARD app open before going to sleep (but wasn't managing the iMac at the time).  Not sure if it may have been running some process automatically that may have triggered this incident.  Here is all the relevant info I could find in console within that timeframe:

iMac (system.log)

Aug 23 17:30:45 iMac-5K com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
Aug 23 17:31:15 --- last message repeated 1 time ---
Aug 23 17:40:26 iMac-5K syslogd[41]: ASL Sender Statistics
Aug 23 17:44:36 iMac-5K com.apple.xpc.launchd[1] (com.apple.screensharing[70860]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.screensharing.server
Aug 23 17:44:36 iMac-5K com.apple.xpc.launchd[1] (com.apple.ReportCrash[70863]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash
Aug 23 17:44:37 iMac-5K com.apple.xpc.launchd[1] (com.apple.ReportCrash.Root[70864]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash.DirectoryService
Aug 23 17:47:24 iMac-5K com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
Aug 23 17:47:45 --- last message repeated 1 time ---
Aug 23 17:47:45 iMac-5K com.apple.xpc.launchd[1] (com.apple.quicklook[70926]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
Aug 23 17:49:12 iMac-5K com.apple.xpc.launchd[1] (com.apple.Kerberos.kdc[116]): Service exited due to signal: Killed: 9 sent by launchd[1]

iMac Diagnostic Messages (2018.08.23.asl)

17:44:36.822893 -0700    screensharingd    com.apple.message.domain: com.apple.screensharing.logViewerVersion
com.apple.message.viewerversion: 3.889
SenderMachUUID: I removed it but there is an unidentified UUID here ending in 596A

17:44:36.978985 -0700    spindump    com.apple.message.domain: com.apple.telemetry.memory_hwm.event
com.apple.message.signature: ScreensharingAgent
com.apple.message.result: com.apple.screensharing.agent
com.apple.message.summarize: YES
SenderMachUUID: I removed it but there is an unidentified UUID here ending in DDD2

17:48:29.382106 -0700    screensharingd    com.apple.message.domain: com.apple.screensharing.logSessionAccelerated
com.apple.message.acceleratedsession: 1
com.apple.message.summarize: YES
SenderMachUUID: I removed it but there is an unidentified UUID here ending in 596A

17:53:39.284270 -0700    Remote Desktop    com.apple.message.domain: com.apple.remotedesktop.scannerType
com.apple.message.signature: Network Range
com.apple.message.summarize: YES
SenderMachUUID: I removed it but there is an unidentified UUID here ending in D8A9

MacBook Pro Diagnostic Messages

17:44:39.233587 -0700    Remote Desktop    com.apple.message.domain: com.apple.screensharing.connectionStarted
com.apple.message.netaddresstype: IPV4
SenderMachUUID: I removed it but there is an unidentified UUID here ending in D8A9

17:44:39.233708 -0700    Remote Desktop    com.apple.message.domain: com.apple.screensharing.addressResolutionEnded
com.apple.message.addressresolutionfailurereason: kResolverStatusParsingSucceeded
com.apple.message.result: pass
SenderMachUUID: I removed it but there is an unidentified UUID here ending in D8A9

MacBook Pro (system.log)

Aug 23 16:43:45 MacBook-Pro syslogd[35]: ASL Sender Statistics
Aug 23 17:44:32 MacBook-Pro syslogd[35]: ASL Sender Statistics
Aug 23 17:54:32 MacBook-Pro syslogd[35]: ASL Sender Statistics
Aug 23 17:57:16 MacBook-Pro com.apple.xpc.launchd[1] (com.apple.quicklook[10002]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook

I’ll admit I’m not fluent in Console language and this all may be nothing.  I don’t know the significance of the UUID numbers it’s showing; they aren’t my machines.  But I do find the icon changing to “active monitoring,” in addition to the screen sharing messages in these logs, to be concerning, since I did not initiate any such sessions.  Coincidentally, I was running the MalwareBytes realtime protection trial on both machines.  Nothing came up from MalwareBytes and they both scan clean.  What steps do I take next?  I’m happy to answer any questions you may have to get to the bottom of this.  Thanks for any assistance!


Your only course of action now is to report this to law enforcement and hope that they have access to a forensically trained technician with Mac experience. I have a relative who trains such people throughout the US, so I know they exist.

Edited by alvarnell

  • Staff

It's impossible to say much from short log excerpts, especially since I don't see entries like that when I do screen sharing from one machine to another here. It sounds like you are remotely connecting to machines on a different network, which may be the difference.

One thing you can do... see those SenderMachUUID entries that you have edited? Get those UUIDs, then compare them with the hardware UUIDs for your Macs. Do they match any of them?

You can find the hardware UUID by opening the System Information app, found in the Utilities folder in the Applications folder. The hardware UUID should be in the Hardware Overview info that is displayed on the first screen by default.

If those match your Macs, that doesn't really tell you much, because I don't know if that's supposed to be the UUID of the server (the machine being connected to) or the client. However, if it doesn't match the UUID of any of your Macs, that's probably troubling. In that case, someone may have been able to remotely connect to your Macs.
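An added example, not code from anyone in this thread, of the correlation a responder would do with the two excerpts above: merge the iMac system.log lines and the MacBook Pro diagnostic (ASL) records into one timeline, keep only the screen-sharing / Remote Desktop entries, and collect the SenderMachUUID values so they can be compared against the hardware UUIDs as suggested. The sample records are constructed from the thread's excerpts; the UUIDs are placeholders because the poster redacted the real ones, and the field layout (blank-line-separated ASL records with `key: value` lines) is assumed from the excerpts.

```python
import re
from datetime import datetime

# Constructed sample records modelled on the excerpts quoted in the thread; the UUIDs are placeholders.
IMAC_SYSLOG = """\
Aug 23 17:31:15 --- last message repeated 1 time ---
Aug 23 17:44:36 iMac-5K com.apple.xpc.launchd[1] (com.apple.screensharing[70860]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.screensharing.server
Aug 23 17:47:45 iMac-5K com.apple.xpc.launchd[1] (com.apple.quicklook[70926]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
"""
MBP_ASL = """\
17:44:39.233587 -0700    Remote Desktop    com.apple.message.domain: com.apple.screensharing.connectionStarted
com.apple.message.netaddresstype: IPV4
SenderMachUUID: 00000000-0000-0000-0000-00000000D8A9

17:57:16.000000 -0700    quicklook    com.apple.message.domain: com.apple.quicklook.placeholder
SenderMachUUID: 00000000-0000-0000-0000-000000001111
"""
SYSLOG_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?(?: \(([^)]*)\))?: (.*)$")
ASL_HEAD_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) [+-]\d{4}\s{2,}(.+?)\s{2,}com\.apple\.message\.domain: (\S+)$")
INTERESTING = re.compile(r"screensharing|remotedesktop|remote desktop", re.I)

def parse_syslog(text, year=2018):
    """system.log lines -> (timestamp, host, sender, detail); 'last message repeated' lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), f"{m.group(4) or ''} {m.group(5)}".strip()))
    return events
def parse_asl(text, host, day="2018-08-23"):
    """Diagnostic-message (ASL) records, one per blank-line-separated block, with key: value fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = ASL_HEAD_RE.match(lines[0])
        if m:
            ts = datetime.strptime(f"{day} {m.group(1)}", "%Y-%m-%d %H:%M:%S.%f")
            fields = " ".join(l for l in lines[1:] if ": " in l)
            events.append((ts, host, m.group(2), f"{m.group(3)} {fields}"))
    return events

def screen_sharing_timeline(events):
    """Merge both hosts' events, sort by time, keep only screen-sharing / ARD related entries."""
    return [e for e in sorted(events, key=lambda e: e[0]) if INTERESTING.search(f"{e[2]} {e[3]}")]

def sender_uuids(events):
    """SenderMachUUIDs seen on the given entries, for comparison against the Macs' hardware UUIDs."""
    return {m.group(1) for e in events for m in re.finditer(r"SenderMachUUID: (\S+)", e[3])}
```

On the sample data the timeline shows the iMac's screensharing endpoint activation at 17:44:36 followed about three seconds later by the MacBook Pro's connectionStarted record, which is the kind of pairing worth checking against the real, full logs.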


Thanks so much for the reply, Thomas.  I do use these machines to connect to a different network, but this incident occurred only on my local network (that I know of).  Would you be able to determine more from the full log?  Is there generally any information in the system.log that I should be wary about sending out for analysis?  

There are at least three different SenderMachUUIDs and none of them match the hardware UUID of my systems...  But I'm not entirely clear on the significance of those as looking at the diagnostic logs it seems like every process reports a different UUID - even for things like Spotlight, AddressBook, Adobe, etc.  


  • Staff

If you're seeing SenderMachUUID on other log entries unrelated to screen sharing, then that's a red herring. I don't see that here, but don't actually use the ARD app for screen sharing, so thought maybe it was related to that. I guess not.

Trying to read log files can be an exercise in futility if you don't know exactly what you're looking at, as this exercise proves. I would not recommend trying to extract any meaning from the logs without the right training.

You mentioned that the incident happened on your local network, but is the machine in question open to the outside world so that you can connect to it remotely? Or is it only accessible within your local network?


I see what you mean about the logs.  Was hoping someone here might have the right training to understand them.  The machines should not have been open to the outside world.  I did not set up port forwarding to access them from outside the local network, only from within.  So it seems to me they would have had to hack my local wifi, in addition to the machine's password, in order to pull this off.  It seems, if true, that it would have been a sophisticated and targeted attack.  This would be worrisome.  So I'm trying to figure out if it could have been some bug with ARD or something else, but it's tough to find any real answers without understanding the logs.  


  • Staff

Ahh, if there's been no port forwarding, and no Back to my Mac, then it's far more likely that this was some kind of a glitch. Especially if your wifi is well secured, using good encryption (not WEP) and a strong password. As you say, the only way those machines could be accessed would be by someone on your wifi network. (The call came from inside the house!!! :D)

That's pretty unlikely on a well-secured network... but if the security of your wifi isn't up to snuff, and if you have neighbors within range, then you'll want to remedy that right away.
