It's no surprise that Apple Mac computers have become prize attack targets in recent years, but the number of Dark Web threat actors pursuing macOS is rising at an alarming rate. Accenture's threat intelligence unit on Monday reported a tenfold increase in Dark Web threat actors targeting Macs since 2019, much of it during the past 18 months.
The findings come from Accenture Cyber Threat Intelligence (ACTI) and its Dark Web reconnaissance efforts. While threat actors have historically directed their attacks at Windows and Linux devices, the ACTI team has observed a vast Dark Web community of skilled attackers who have set their sights on Macs.
Thomas "Mannie" Willkan, a cyber threat intelligence consultant with Accenture's ACTI who monitors Dark Web activity, tells Dark Reading that threat actors have traditionally ignored macOS. "It was more lucrative and easier to target Windows and Linux, but now, they have changed their scoping," Willkan says. "I think, partly, it is because they are constantly innovating and trying to stay ahead of security measures. But also, it's because there's now an economic incentive to target the Mac."
Macs in the enterprise are often more vulnerable because organizations don't apply the same conditional access and other policies as they impose on Windows devices, says Jason Dettbarn, CEO of Addigy, which provides a macOS and iOS management platform. Dettbarn says CISOs are increasingly taking a more proactive posture toward the security of Macs.
"Even if Apple is more secure, CISOs want to make sure they are running the same processes as they are for Windows," Dettbarn says. Organizations have struggled with patching Apple devices with the same process as they update Windows PCs, he adds. Dettbarn is specifically referring to Rapid Security Responses for iOS, iPadOS, and macOS, Apple's new approach to delivering software updates, launched in May 2023.
"Rapid Security Response is considered to be the highest required patch, meaning you can assume it is actively being exploited," Dettbarn says. "Every CISO I know says 'We're not applying a patch unless we have a public disclosure of what it is.'"
Prominent Attacks and Groups
Macs now appeal to some of the most well-known threat actors, including LockBit 3.0, which ACTI says is creating specific ransomware strains, while new groups are also directing their focus on exploiting macOS. For example, ACTI says the group Monti claims to have a rewritten version of Conti's EXSI ransomware locker that can deploy operators dating back to REvil from 2019.
ACTI has observed exploits for Macs that sell at a premium over those targeting Windows PCs. For example, ACTI found one threat actor that offered $500,000 in December 2022 for a macOS Gatekeeper bypass or exploits.
Accenture managing director of global cyber response and transformation services Rob Boyce points to a growing number of "skilled actors" with sophisticated macOS-based attack tools. The threat actor advertised Apple Enterprise Certificates that can bypass macOS Gatekeeper, which has become "a highly desirable service for macOS-focused threat actors," Boyce writes.
Boyce points out that the MalwareHunterTeam security group discovered that LockBit 3.0 was believed to be developing ransomware directed at macOS. "Although the version was buggy, unfinished, and imperfect, LockBit 3.0 did confirm through its underground moniker 'LockBitSupp' that it was actively developing it," Boyce notes, adding it is the first confirmed established ransomware group targeting macOS with a "bespoke" ransomware strain.
Accenture also discovered that a well-known initial access broker with ties to the Conti and REvil ransomware groups purchased and tested the XLoader malware in 2022, which operates in macOS. Accenture anticipates the growth of threat actors targeting Macs will continue into 2024 and beyond.
Expanding Enterprise Mac Usage
The economic incentive is the increased presence of Macs in the workforce. According to IDC's July 2023 Worldwide Quarterly Computing Device Tracker report, Macs grew to an 8.6% share of the PC market in the second quarter, up from 6.8% during the same period a year earlier.
The growth of Macs has also resulted in more macOS-specific info stealers, remote access Trojans, loaders, and zero-days, Willkan says. ACTI says it has also observed Dark Web threat actors tied to initial access brokers, and potentially data extortion groups, claiming to have procured macOS-based info stealers.
"A lot of private users and a lot of industries are still under this false sense of security when they use Mac because they've been told that you can't be affected by a virus if you're on a Mac. And I think the criminals are relying on this notion."