Apple OS X Vulnerability: Advanced Persistent Attacks

Macs are even easier to exploit than Windows via advanced persistent threats, warn security researchers.

Many people see Apple OS X as being free from the security challenges facing Windows PCs. But researchers speaking on Wednesday at Black Hat, a UBM TechWeb event, in Las Vegas, said Macs are quite susceptible to advanced persistent threat (APT) attacks, which favor espionage over outright data exploitation.

"A number of our clients have made the decision to switch to Macs based on the fact that these APT technologies don't target them," said Alex Stamos, co-founder and CTO of iSEC Partners. But in fact, he said, while the specific types of attacks may differ, Macs are arguably even more vulnerable to APTs than Windows PCs, since many Mac-specific technologies are quite easy to exploit.

Are attackers actually gunning for Macs? Thankfully, aside from fake AV, such as Mac Defender, the answer is largely no. "There are no crime packs that are popular that target Mac OS X," said Paul Youn, a senior security consultant at iSEC Partners. That's likely because Apple's market share is only about 6%, meaning that if attackers want to compromise a large number of computers at once, they typically target Windows.

Even so, Stamos recommends treating Macs with care, since they're relatively easy to exploit. Notably, he said, there are "pervasive authentication issues" in OS X, and that it's easy to exploit "two of the most widely used protocols for managing Macs," including AFP (aka Apple Filing Protocol), as well as Bonjour, the service discovery protocol (mDNS/DNS-SD) Macs use to find file servers, printers and other services on the local network. In particular, because neither protocol gives the client a strong way to verify the server it is talking to, it's relatively easy to substitute a malicious server for a legitimate one and then force users to connect to it. These weaknesses could serve as a foundation for launching APTs against Macs.

Terminology-wise, of course, the APT is a somewhat fuzzy concept. Generally, security experts define an APT as a threat involving attackers who can launch multiple exploits, advancing the underlying functionality along the way, all to support espionage efforts. "The advanced part doesn't mean that every attack is advanced, but rather that attackers are willing to upgrade their attack capabilities," said Stamos. "It just means people have the ability to turn the knob up on the advanced scale."

By definition, after gaining a foothold in an organization's network, APTs also persist. On Apple OS X, ways to persist include modifying startup items or the underlying operating system code. In addition, said BJ Orvis, a security researcher and consultant at iSEC Partners, "you could theoretically write a malicious script just using AppleScript, which is fun." Regardless of the technique used, persistence enables attackers to surreptitiously monitor the network and expand the attack over time. For example, they may compromise directory servers to steal and crack large numbers of passwords offline.
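The persistence mechanisms just described (startup items and AppleScript) leave a footprint that can be checked. The following script is an added illustration, not code from the article or from iSEC Partners: it parses launchd job definitions with Python's standard plistlib and flags the traits a persistence implant tends to have, such as a program outside the usual system and application directories, a script interpreter (osascript runs AppleScript) invoked with inline script text, a job that restarts itself if killed, and a very short StartInterval. The trusted-prefix allow-list, the interpreter list, the thresholds and both sample plists are assumptions constructed for this example.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Directories launchd loads job definitions from; the per-user one is the
# classic home of a user-level persistence implant (assumed set, extend as needed).
LAUNCHD_DIRS = (
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    str(Path.home() / "Library/LaunchAgents"),
)

# Assumed allow-list: where a legitimate job's program is expected to live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")

# Interpreters that turn a launchd job into "run whatever script I pass you";
# osascript is the AppleScript runner.
SCRIPT_INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "perl", "ruby"}


def audit_launchd_job(data: bytes) -> list[str]:
    """Return findings for one launchd plist; an empty list means nothing odd."""
    job = plistlib.loads(data)
    findings = []
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else None)
    if program is None:
        return ["no Program or ProgramArguments key"]
    if not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted directories: {program}")
    exe = PurePosixPath(program).name
    if exe in SCRIPT_INTERPRETERS:
        findings.append(f"program is a script interpreter: {exe}")
        if "-e" in args or "-c" in args:
            findings.append("script text passed inline on the command line")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive: launchd restarts the job if it dies")
    interval = job.get("StartInterval")
    if interval and interval < 300:  # assumed threshold: anything under 5 minutes
        findings.append(f"short StartInterval ({interval}s) looks like a beacon timer")
    return findings


def scan_launchd_dirs(dirs=LAUNCHD_DIRS) -> dict[str, list[str]]:
    """Audit every plist in the given directories; returns {path: findings}."""
    results = {}
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            try:
                findings = audit_launchd_job(p.read_bytes())
            except Exception as e:  # an unparseable job file is itself worth a look
                findings = [f"could not parse: {e}"]
            if findings:
                results[str(p)] = findings
    return results


# Constructed sample plists for the example (not taken from any real system).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backupagent</string>
    <key>Program</key><string>/Applications/Backup.app/Contents/MacOS/backup-agent</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Program path is trusted (/usr/bin/osascript), so a path check alone would miss it.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.softwareupdate.helper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/osascript</string>
        <string>-e</string>
        <string>do shell script "/Users/Shared/.cache/agent"</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
    <key>StartInterval</key><integer>60</integer>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLIST), ("suspect", SUSPECT_PLIST)):
        print(name, audit_launchd_job(blob))
    for path, findings in scan_launchd_dirs().items():
        print(path, findings)
```

Run on a Mac, the script walks the real launchd directories after the two samples; on any other system it only reports on the samples. The suspect plist is deliberately placed under a trusted path with an Apple-looking label, which is why the interpreter and argument checks matter more than the path check.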

What can companies do to mitigate APTs? Regardless of operating system, "I would strongly suggest you log all of your DNS requests across the enterprise," said Stamos. Next, maintain a top 10 list of all dynamic DNS requests. "If you see 40 different machines doing hundreds and hundreds of identical dynamic DNS requests," he said, and it's to an unknown host, then suspect that they're communicating with a botnet command and control network.
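Stamos's DNS recommendation translates directly into a small piece of detection logic. The script below is an added example (not code from the article or from iSEC Partners): it reads resolver log lines, keeps only names under a list of dynamic-DNS provider zones, builds the top-10 by query volume with the number of distinct client hosts behind each, and reports names that many different machines keep resolving. The log line format, the provider zone list, the thresholds and the sample log are assumptions constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Assumed: zones belonging to free dynamic-DNS providers. Extend to taste;
# the point is that the list is short and the lookups stand out in enterprise DNS.
DYNDNS_ZONES = ("no-ip.org", "no-ip.biz", "dyndns.org", "dyndns.info",
                "hopto.org", "zapto.org", "3322.org")

# Assumed resolver log format (constructed): "<timestamp> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(lines):
    """Yield (client, qtype, qname) tuples, skipping lines that don't match."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            _ts, client, qtype, qname = m.groups()
            yield client, qtype, qname.rstrip(".").lower()


def is_dyndns(qname: str) -> bool:
    return any(qname == z or qname.endswith("." + z) for z in DYNDNS_ZONES)


def dyndns_top(lines, top_n=10):
    """Top-N dynamic-DNS names by volume: [(qname, queries, distinct clients)]."""
    queries = Counter()
    clients = defaultdict(set)
    for client, _qtype, qname in parse_dns_log(lines):
        if is_dyndns(qname):
            queries[qname] += 1
            clients[qname].add(client)
    return [(q, n, len(clients[q])) for q, n in queries.most_common(top_n)]


def suspected_c2(lines, min_clients=5, min_queries=100):
    """Names that many different hosts resolve over and over: the pattern described above."""
    return [q for q, n, c in dyndns_top(lines, top_n=None)
            if c >= min_clients and n >= min_queries]


def build_sample_log():
    """Constructed sample: eight workstations polling one no-ip name every minute,
    normal lookups of apple.com, and one user's personal home DDNS name."""
    lines = []
    for i in range(8):
        for minute in range(30):
            lines.append(f"2011-08-03T02:{minute:02d}:00 10.1.4.{20 + i} A sync-update.no-ip.org")
    for j in range(10):
        lines.append(f"2011-08-03T09:{j:02d}:00 10.1.4.{20 + j} A www.apple.com")
    lines += ["2011-08-03T12:00:00 10.1.4.31 A myhome.dyndns.org"] * 3
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for q, n, c in dyndns_top(SAMPLE_LOG):
        print(f"{n:5d} queries from {c:2d} hosts  {q}")
    print("suspected C2:", suspected_c2(SAMPLE_LOG))
```

The distinct-client count is what separates a botnet from one employee checking their home server: a single host resolving its own dynamic-DNS name is noise, dozens of hosts resolving the same one is worth pulling flows for.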

Also put policies in place to automatically block unusual, large-scale data egress. That's because attackers, after infiltrating a network, may then wait to copy a large amount of data from the network. One favored technique is doing this after hours or during holidays, when personnel may not be present to manually block the data transfer. Accordingly, he said, organizations should "coordinate egress restrictions in all offices."
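The egress recommendation can be expressed the same way. Below is an added example (not code from the article or from iSEC Partners) that aggregates flow records per internal host and per hour, counts only bytes sent to addresses outside the enterprise ranges, and raises an alert when an hour's total crosses a threshold, marking whether it fell outside business hours or on a weekend, which is the window the text says attackers favor. The flow-record format, the internal address ranges, the 50 MB threshold, the 08:00-18:00 business day and the sample records are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed: the address ranges that count as "inside" the enterprise.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_after_hours(ts: datetime, start_hour=8, end_hour=18) -> bool:
    """Weekend, or a weekday outside start_hour..end_hour (local time, assumed)."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def parse_flow(line: str):
    """Assumed flow-record format (constructed): '<ISO timestamp> <src> <dst> <bytes>'."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def egress_alerts(lines, threshold=50 * 1024 * 1024):
    """Bytes from each internal host to external addresses, bucketed by hour;
    returns one alert per (host, hour) bucket at or above the threshold."""
    per_hour = defaultdict(int)
    for line in lines:
        ts, src, dst, n = parse_flow(line)
        if is_internal(src) and not is_internal(dst):
            bucket = ts.replace(minute=0, second=0, microsecond=0)
            per_hour[(src, bucket)] += n
    alerts = []
    for (src, bucket), total in sorted(per_hour.items()):
        if total >= threshold:
            alerts.append({
                "src": src,
                "hour": bucket.isoformat(),
                "bytes": total,
                "after_hours": is_after_hours(bucket),
            })
    return alerts


MB = 1024 * 1024

# Constructed sample flows. 2011-08-07 is a Sunday, 2011-08-08 a Monday.
SAMPLE_FLOWS = [
    # one workstation pushes 60 MB to an outside host in three bursts at 3 a.m. Sunday
    f"2011-08-07T03:10:00 10.1.4.22 203.0.113.5 {20 * MB}",
    f"2011-08-07T03:25:00 10.1.4.22 203.0.113.5 {20 * MB}",
    f"2011-08-07T03:41:00 10.1.4.22 203.0.113.5 {20 * MB}",
    # the same host's normal daytime traffic: well under the threshold
    f"2011-08-08T10:05:00 10.1.4.22 203.0.113.9 {5 * MB}",
    # a big internal file-server copy: not egress, so ignored
    f"2011-08-08T14:00:00 10.1.7.3 10.1.9.40 {500 * MB}",
    f"2011-08-08T14:20:00 10.1.7.3 203.0.113.77 {1 * MB}",
]

if __name__ == "__main__":
    for alert in egress_alerts(SAMPLE_FLOWS):
        print(alert)
```

In practice the alert feeds a firewall or proxy rule that holds the host's outbound traffic until someone looks, which is what "automatically block" means when nobody is in the office; the hourly bucket is deliberately coarse so that a transfer split into bursts still sums up.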

For organizations that want to specifically protect Macs against APTs, however, expect challenges. Notably, while there are well-known disk forensic products--including Guidance EnCase and BlackLight--"the problem is the disk forensics isn't how you fight APT anymore," said Stamos. "If you say that this machine is doing funny DNS requests, I'm going to pull it off the network and do disk forensics, well that's an 18-hour process, that's not a fast enough process to deal with these types of attacks." In fact, attackers may notice the missing machine, if not read actual stolen emails about hiring a forensics expert, and thus change their approach.

Instead, what's required is memory-based forensics, as offered by such products as Mandiant Memoryze, HBGary Active Defense, and HBGary Responder Pro. Except that those tools only work on Windows; none yet exist for Macs. Help could be on the way: Stamos said new Mac tools are in the works, and as with the recently publicized ability to pull Mac passwords from memory via FireWire, Thunderbolt, which like FireWire gives a connected device direct memory access, should give investigators a similar capability. But there's nothing available today.

With all of the above in mind, Stamos recommends using Macs with caution, and only giving them access to some network resources. "We use Macs on our network," he said. "We treat them as I recommend you treat them--as little islands in a hostile network." Accordingly, his company also installs a 64-bit Windows 7 partition to give Mac users access to certain functionality, such as SharePoint.

Furthermore, security-conscious organizations should avoid using Mac OS X Server altogether, he said. Notably, a default Snow Leopard Server (10.6) contains 28 open network ports by default, as well as a number of other security vulnerabilities. "Once you install OS X server, you're toast," he said.

