Current trends involving Mac threats indicate that while attempts are on the rise, users remain the first line of defense — particularly as “show up when you want to” (SUWYWT) becomes the future of work.
The security risk remains
In the first few weeks of the pandemic, we saw multiple businesses invest in VPN software and new hardware as they equipped employees to work from home. In the UK, for example, Starling Bank claimed it purchased every available MacBook as the pandemic struck.
Now that working from home (WFH) is normalized, there’s a need to take stock of security concerns and remind employees of good security procedure on all platforms, including Macs. Apple’s platform seems to have enjoyed incredibly strong sales as companies upgraded for WFH, but even with better inherent security those Macs must also be protected.
The Mac is not invulnerable, and the frequency of attacks against it is growing, according to Thomas Reed, director of Mac & Mobile at Malwarebytes who spoke at the JNUC event last week.
According to Reed, Mac detections per machine are now almost twice as high as for Windows. “Mac detections for 2019 were about four times higher than 2018,” he said.
There’s a lot of reasons for this, of course, not least that the installed user base of Macs is growing. The other motivation is that the quality and value of the data on those Macs is higher, reflecting the wealthier user base. Numerous banks have consolidated around the Mac, which makes them a tempting target.
Money — or the hope of it — motivates malware makers to get a Mac payload installed.
What’s happening now
Around 84% of the total examples of Mac malware are simply Potentially Unwanted Programs and adware, Reed says. Just 0.3% of identified malware on the Mac is truly threatening. “It’s not a large slice of the pie, but it’s still something to be wary of,” he said.
Most of the malware affecting Macs relies on user error for installation, while the vast majority of the attacks are adware rather than something more sinister.
So, how are these attacks presenting themselves?
- ThiefQuest: Downloaded via torrent file-sharing sites using modified copies of legitimate apps made available on those sites. These modified applications work, but also install malware. ThiefQuest presents itself as ransomware, but is in fact exfiltrating vast amounts of data from the Mac.
- BirdMiner: A cryptominer distributed via pirate versions of audio apps. It installs a virtual machine called Qemu, which runs a Linux-based crypto miner on the Mac.
- Lazarus: North Korea’s Lazarus group is actively developing Mac malware. Malwarebytes mentions three, Fallchil, DaclsRAT and GMERA, which create backdoors into affected systems and are mainly distributed as legitimate apps that have been subverted, open source apps or malicious Word documents.
Put your users first
What all three of these share is that they seek to install themselves on Macs by tricking users into installing something they think they can trust. (Some may recall the recent subverted Xcode exploit that also did this.)
For enterprise security chiefs, all three exploits should justify developing security policies to forbid installation of software (or other items, including movies and music) from sources outside of reputable App Stores, such as Apple’s own.
Merely because you’re working from home doesn’t mean you should install software sourced from torrents or cracked software sites on a work-critical machine.
Adware distributes itself in many different ways, including subverted copies of Safari that stealthily change settings, malicious profiles to force users to ad-peppered pages, even man-in-the-middle attempts to intercept network data and inject ads.
“We see a lot of data collection in adware,” Reed said. These attempts collect data such as unique computer identifiers, IP addresses, user names, macOS version, contents of the Applications folder and more, including things such as the version number of the Apple-installed Malware Removal Tool.
While this can be considered a nuisance, “It can lead to other issues down the line,” said Reed.
(How much easier is it to craft a successful phishing attack if the attacker can tailor the attempt to a user’s interests and activity as evidenced by the content of their Applications folder and usernames?)
So, what can you do?
Apple continues working to improve security across all its platforms.
The decision to offer Mac apps via a secured app store, the T2 security chip and the many decades in which serious exploits on its platforms have been a rarity, rather than the norm, all testify to this. Apple’s recent decision to kick out kexts is yet another improvement.
For the present, the truth remains that most successful Mac exploits will be installed only by the consent of the user. This is why IT must provide security advice that is actually followed, as this remains the best deterrent. Mandatory use of malware scanners and VPNs can also improve permitter defense, (as does securing any the router).
Most enterprise deployments now use MDM to help protect endpoints and to provide additional protection around user, application and cloud services-based corporate data security.
In the future, we’ll see more use of security-based telemetry and data analytics systems that analyze network traffic and the log files of enterprise machines for anomalies that suggest security problems. This will make it easier for IT to identify Macs that may also have been exposed to attempted attack.
But for now, at least, there’s no replacement for good security-first practises such as:
- Never clicking on a link in an email you don’t recognize.
- Never open Word documents or other files from unfamiliar sources.
- Don’t instal software from any source other than an approved App Store, because if it’s too good to be true, it probably is.
Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
