With 91% of enterprises now using Mac computers, Mac devices have become a growing target for cyberattacks. Successful attacks like KeRanger, XAgent, macOS Dynamic Linker Exploitation and the iOS Trifecta have shown that Mac endpoints, once believed to be impervious to threats, are now vulnerable to various types of malware and exploits.
Common Mac Threats and Trends
The Palo Alto Networks Unit 42 threat intelligence team has observed a steady increase in the volume of macOS-based threats. Through their research, they have identified four main categories for these threats:
- Potentially unwanted and malicious programs (PUPs)
- Trojans and backdoors such as OSX/Dok or Kumar in the Mac (KitM), also known as HackBack
- Targeted threats like OceanLotus, Sofacy X-Agent, or MacDownloader
- Hacking tools such as PowershellEmpireOSX
One of the most commonly seen infection mechanisms for Mac endpoints has been phishing and social engineering emails. These emails contain ZIP files that trick the user into installing fake applications that appear to have been signed by valid Apple Developer IDs. Other infection techniques include fake antivirus software and Python-based malware attacks.
Securing Macs from Modern Threats
One proposed solution to defend against these threats has been to use the built-in macOS security feature, Gatekeeper. Before a downloaded application can run, Gatekeeper checks that it has been validated as safe or has been published by a preapproved developer. But this approach has been shown to have weaknesses and logical vulnerabilities that can be exploited, because Gatekeeper only checks the application's digital signature immediately after execution, allowing attackers to execute additional processes.
Another proposed solution has been to employ third-party antivirus products. However, the known challenges and weaknesses associated with protecting Windows endpoints with antivirus are also true for protecting Mac endpoints – a reliance on one-to-one signature matches, continuous updates, limitation to only detecting known threats and the inability to detect zero-day threats.
Threats come from multiple sources in a variety of forms, and endpoint protection should use multiple methods to ensure maximum prevention. Known malware needs to be recognized and prevented instantaneously; malware that hasn't been seen before needs to be quickly identified as malicious and blocked in real time before it can infect a system; and the existing built-in prevention capabilities of Mac devices and Gatekeeper need to be enhanced by only allowing processes to be executed based on their verified signature levels.
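The signature-level allowlisting described above, and the Gatekeeper signature check discussed earlier, both come down to reading a binary's code-signing chain and mapping it to a trust tier. The following is an added example (not Palo Alto Networks code, and not part of the original article) that parses the text format printed by the real macOS `codesign -dv --verbose=4` command, classifies the result into tiers, and applies a minimum-tier execution policy. The tier names, the `ExampleApp`/`dropper` paths, the `Example Corp (ABCDE12345)` Team ID and all sample outputs are constructed for illustration.

```python
"""Classify a macOS binary's code-signing level from `codesign` output and
apply an execution policy by signature tier.

Added example, not Palo Alto Networks code. The parser reads the text that
`codesign -dv --verbose=4` prints (the tool writes it to stderr); the sample
outputs below are constructed, not captured from real applications.
"""
import subprocess

# Ordered from most to least trusted. Tier names are this example's own.
TIERS = ("apple", "app-store", "developer-id", "adhoc", "unsigned", "unknown")


def signature_level(codesign_output: str) -> str:
    """Map the Authority= chain printed by codesign to a trust tier."""
    authorities = []
    flags = ""
    for line in codesign_output.splitlines():
        line = line.strip()
        if line.startswith("Authority="):
            authorities.append(line[len("Authority="):])
        elif line.startswith("Signature="):
            flags = line[len("Signature="):]
        elif "not signed at all" in line:
            return "unsigned"
    # An ad-hoc signature has no certificate chain at all.
    if flags == "adhoc":
        return "adhoc"
    if not authorities or authorities[-1] != "Apple Root CA":
        return "unknown"
    leaf = authorities[0]
    if leaf == "Software Signing":                      # Apple system binaries
        return "apple"
    if leaf == "Apple Mac OS Application Signing":      # Mac App Store apps
        return "app-store"
    if leaf.startswith("Developer ID Application:"):    # Developer ID apps
        return "developer-id"
    return "unknown"


def allowed(level: str, minimum: str = "developer-id") -> bool:
    """Allow execution only at or above the configured minimum tier."""
    return TIERS.index(level) <= TIERS.index(minimum)


def inspect_binary(path: str) -> str:
    """Run the real codesign tool (macOS only) and classify its output."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    return signature_level(proc.stdout + proc.stderr)


# ---- constructed sample outputs (not real applications) ----
SAMPLE_APPLE = """\
Executable=/bin/ls
Identifier=com.apple.ls
Format=Mach-O universal (x86_64 arm64e)
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
"""

SAMPLE_DEVELOPER_ID = """\
Executable=/Applications/ExampleApp.app/Contents/MacOS/ExampleApp
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

SAMPLE_ADHOC = """\
Executable=/tmp/dropper
Identifier=dropper
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=200 flags=0x2(adhoc) hashes=3+2 location=embedded
Signature=adhoc
"""

SAMPLE_UNSIGNED = "/tmp/unsigned: code object is not signed at all\n"


if __name__ == "__main__":
    for name, sample in (("ls", SAMPLE_APPLE), ("ExampleApp", SAMPLE_DEVELOPER_ID),
                         ("dropper", SAMPLE_ADHOC), ("unsigned", SAMPLE_UNSIGNED)):
        level = signature_level(sample)
        print(f"{name:12} tier={level:13} allow={allowed(level)}")
```

Two caveats matter in practice. Reading the printed chain is not the same as verifying it: `codesign --verify --deep --strict` and `spctl --assess --type execute` perform the cryptographic and Gatekeeper checks, and the tier classifier above should only be applied after they pass. And, as the phishing section of the article notes, malware has shipped with valid Developer ID signatures, so a "developer-id" tier is a floor for execution, not evidence that a binary is benign; it complements, rather than replaces, detection of known and unknown malware.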
Attackers use exploits to take advantage of vulnerabilities in systems; often, these are vulnerabilities that have not yet been discovered or patched. These exploits, though constantly increasing in number and variation, generally rely on the same set of known techniques: memory corruption, logic flaws and privilege escalation. Focusing prevention methods on these core techniques alleviates the need for urgent, immediate patching and reduces the threat of zero-day exploits.
Placing multiple layers of protection at all critical phases of the attack lifecycle can stop both malware and exploit-based attacks. This approach works most effectively when built on a platform that integrates threat intelligence and delivers protections across otherwise disconnected silos, and it can then protect Mac endpoints from both malware and exploits.