Current trends in Mac threats indicate that while attempts are on the rise, its users remain the first line of defense, particularly as “show up when you want to” (SUWYWT) becomes the future of work.
The security risk remains
In the first few weeks of the pandemic we saw multiple businesses invest in VPN software and new hardware as they equipped employees to work from home. In the UK, for example, Starling Bank claimed it purchased every available MacBook as the pandemic struck.
Now that WFH is normalized, there’s a need to take stock of security concerns and remind employees of good security procedure on all platforms, including Macs. Apple’s platform seems to have enjoyed incredibly strong sales as companies upgraded for WFH, but despite its inherent security those Macs must also be protected.
The Mac is not invulnerable, and the frequency of attacks against it is growing, according to Thomas Reed, director of Mac & Mobile at Malwarebytes, who spoke at an industry event last week.
Reed told us that Mac detections per machine were now almost twice as high as for Windows. “Mac detections for 2019 were about four times higher than 2018,” he said.
There are many reasons for this, of course, not least that the installed base of Macs is growing. The other motivation is that the data on those Macs tends to be more valuable, reflecting a wealthier user base. Numerous banks have standardized on the Mac, which makes them a tempting target.
Money – or the hope of it – motivates malware makers to get a Mac payload installed.
What’s happening now
Around 84% of the Mac malware Malwarebytes sees is simply potentially unwanted programs (PUPs) and adware, Reed says. Just 0.3% of identified Mac malware is truly threatening stuff. “It’s not a large slice of the pie, but it’s still something to be wary of,” he said.
Most of the malware currently hitting Macs relies on the user to install it, and the vast majority of it is adware rather than something more sinister.
So, how are these attacks presenting themselves?
- ThiefQuest: Downloaded from torrent file-sharing sites as modified copies of legitimate apps. These modified applications work, but also install the malware. ThiefQuest presents itself as ransomware, but in fact exfiltrates vast amounts of data from the Mac.
- BirdMiner: A cryptominer distributed in pirated copies of audio apps. It installs the QEMU emulator and runs a Linux-based crypto miner inside it on the Mac.
- Lazarus: North Korea’s Lazarus group is actively developing Mac malware. Malwarebytes mentions three families, Fallchill, DaclsRAT and GMERA, which create backdoors into affected systems and are mainly distributed as subverted copies of legitimate apps, trojanized open source apps or malicious Word documents.
Put your users first
What all three of these share is that they get onto Macs by tricking users into installing something they think they can trust. (Some may recall the recent subverted Xcode malware that did the same.)
For enterprise security chiefs, all three campaigns justify a security policy that forbids installing software (or other items, including movies and music) from sources outside reputable app stores such as Apple’s own.
Merely because you’re working from home doesn’t mean you should install software sourced from torrents or cracked software sites on a work-critical machine.
Adware spreads in many different ways, including subverted copies of Safari that stealthily change settings, malicious configuration profiles that force users onto ad-peppered pages, and even man-in-the-middle attempts to intercept network data and inject ads.
“We see a lot of data collection in adware,” Reed said. These attempts collect data such as unique computer identifiers, IP addresses, user names, macOS version, the contents of the Applications folder and more, including the version number of Apple’s built-in Malware Removal Tool.
While this can be considered a nuisance, “It can lead to other issues down the line,” said Reed.
(How much easier is it to craft a successful phishing attack if the attacker can tailor it to a user’s interests and activity, as evidenced by the contents of their Applications folder and their user name?)
So, what can you do?
Apple continues working to improve security across all its platforms.
The decision to offer Mac apps through a vetted App Store, the T2 security chip and the decades in which serious exploits of its platforms have been the exception rather than the norm all testify to this. Apple’s recent decision to deprecate kernel extensions (kexts) is yet another improvement.
For the present, the truth remains that most successful Mac malware gets installed only with the consent of the user.
This is why IT must provide security advice that is actually followed, as this remains the best deterrent. Mandatory use of malware scanners and a VPN can also improve perimeter defense, as does securing the home router.
Most enterprise deployments now use MDM to help protect endpoints and to provide additional protection around user, application and cloud services-based corporate data security.
In the future, we’ll see more use of security telemetry and data analytics systems that analyze network traffic and the log files of enterprise machines for anomalies that suggest security problems. This will make it easier for IT to identify Macs that may have been exposed to an attempted attack.
But, for the present at least, there’s no replacement for good security-first practices such as:
- Never click a link in an email you don’t recognize.
- Never open Word documents or other files from unfamiliar sources.
- Don’t install software from any source other than an approved App Store; if a free download seems too good to be true, it probably is.
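These practices can be checked on the machine rather than only recommended. The shell script below is an added example, not code from this article or from Malwarebytes: it classifies each app in /Applications by the source Gatekeeper reports for it, confirms that Gatekeeper assessment is switched on, and flags installed configuration profiles that are not on an allowlist (the malicious-profile trick mentioned above). The spctl and profiles output formats it matches, and the ALLOWED_PROFILES identifiers, are assumptions; replace the identifiers with the ones your MDM actually deploys.

```shell
#!/bin/sh
# Added example: audit a Mac for the install-hygiene points discussed above.
# The spctl(8)/profiles(1) output formats matched below are assumptions, and
# ALLOWED_PROFILES is a placeholder for your MDM's real profile identifiers.

ALLOWED_PROFILES="com.example.mdm.enrollment com.example.mdm.wifi"   # assumed

# Classify one app from the lines `spctl -a -vv /path/App.app` prints (stdin).
# Prints: rejected | app-store | notarized-developer-id |
#         unnotarized-developer-id | developer-id | unknown
classify_spctl() {
    out=$(cat)
    case "$out" in
        *": rejected"*)                      echo "rejected" ;;
        *"source=Mac App Store"*)            echo "app-store" ;;
        *"source=Notarized Developer ID"*)   echo "notarized-developer-id" ;;
        *"source=Unnotarized Developer ID"*) echo "unnotarized-developer-id" ;;
        *"source=Developer ID"*)             echo "developer-id" ;;
        *)                                   echo "unknown" ;;
    esac
}

# Gatekeeper state from `spctl --status` (stdin): prints enabled or disabled.
gatekeeper_state() {
    if grep -q "assessments enabled"; then echo "enabled"; else echo "disabled"; fi
}

# Print profile identifiers from `profiles list` output (stdin) that are not
# on the allowlist. Assumed line shape:
#   _computerlevel[1] attribute: profileIdentifier: com.example.mdm.enrollment
unexpected_profiles() {
    sed -n 's/.*profileIdentifier: //p' | while IFS= read -r id; do
        case " $ALLOWED_PROFILES " in
            *" $id "*) ;;            # allowed
            *) echo "$id" ;;         # not expected on this machine
        esac
    done
}

# Live audit: report anything not from the App Store or a notarized
# Developer ID, the Gatekeeper state, and unexpected profiles.
run_audit() {
    printf 'gatekeeper: %s\n' "$(spctl --status 2>&1 | gatekeeper_state)"
    for app in /Applications/*.app; do
        verdict=$(spctl -a -vv "$app" 2>&1 | classify_spctl)
        case "$verdict" in
            app-store|notarized-developer-id) ;;
            *) printf 'REVIEW %s (%s)\n' "$app" "$verdict" ;;
        esac
    done
    profiles list 2>/dev/null | unexpected_profiles | sed 's/^/unexpected profile: /'
}

if command -v spctl >/dev/null 2>&1; then
    run_audit
else
    # Off a Mac: exercise the parser on a constructed sample of spctl output.
    printf '/Applications/Crack.app: rejected\nsource=no usable signature\n' | classify_spctl
fi
```

Run it with sudo on the Mac so that `profiles list` includes computer-level profiles; an MDM can push it as a script and collect the REVIEW lines. Exit codes are deliberately ignored in favor of parsing the verdict text, because `spctl -a` returns nonzero for every unsigned or rejected app and would otherwise stop a `set -e` script at the first cracked download.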
Copyright © 2020 IDG Communications, Inc.