
12/29/2020
07:50 AM

Mac Attackers Remain Focused Mainly on Adware, Fooling Users

Despite reports that Macs have encountered more threats than Windows systems, the platform still sees far fewer exploits and far less malware, including ransomware.

The year 2020 kicked off with reports that Mac cyber threats had taken off, with Macs encountering twice as many threats as Windows systems. But as the year came to a close, the average Mac OS user continued to see less malware and ransomware than Windows users, security experts say.

In February of 2020, endpoint security firm Malwarebytes reported that its Mac users encountered about twice as many "threats" as Windows users. Those threats, however, consisted mainly of potentially unwanted programs (PUPs) and adware, not malware.

While the data for the entire year has not been fully analyzed, the trend seems likely to continue, says Thomas Reed, director of Mac and mobile for Malwarebytes.

"On Windows, we have all sorts of exploits that happen—it is a much more common thing on the Windows side to, say, visit a website and suddenly your machine is infected," he says. "That really does not happen on the Mac OS."

Apple has typically benefited from its minority market share among desktop and laptop systems as well as a more tightly controlled ecosystem. Gatekeeper, for example, checks downloaded binaries before they first run: unless they come from the Mac App Store or are signed by an Apple-registered developer (and, since macOS 10.15, notarized by Apple), the user must deliberately override a warning to run them. That check is on by default on every Mac, whereas comparable application control on Windows, such as AppLocker, has to be configured by an administrator.
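As an added example (not code from the article, from Apple or from Malwarebytes), the following Python parses the com.apple.quarantine extended attribute that Gatekeeper keys on and triages a downloaded file from it. The attribute layout (flags, hex download time, downloading agent, event UUID) and the fact that Gatekeeper only assesses files carrying the attribute are long-established behaviour; the sample attribute string and the list of "expected" downloading agents are constructed for this example.

```python
"""Triage the com.apple.quarantine attribute that Gatekeeper keys on.

Added example, not code from the article, from Apple or from Malwarebytes.
On a Mac the raw value comes from:   xattr -p com.apple.quarantine <file>
and the Gatekeeper verdict from:     spctl --assess --type execute --verbose <file>
The attribute is a ';'-separated string:
    <flags, hex>;<download time, hex seconds since the Unix epoch>;<downloading agent>;<event UUID>
Gatekeeper only assesses files that carry it, so a binary fetched by a tool that
does not set it (curl, scp) is never checked, and malware that already has code
running can strip it with `xattr -d com.apple.quarantine <file>`.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Quarantine:
    flags: int              # opaque bit field; Apple does not document the bits
    downloaded_at: datetime  # UTC
    agent: str              # program that wrote the attribute, e.g. Safari, Chrome
    event_uuid: str         # key into ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2


def parse_quarantine(raw: str) -> Quarantine:
    """Parse the raw attribute string; raises ValueError if it is malformed."""
    fields = raw.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"expected flags;timestamp;agent[;uuid], got {raw!r}")
    flags_hex, ts_hex, agent = fields[:3]
    event_uuid = fields[3] if len(fields) > 3 else ""
    return Quarantine(
        flags=int(flags_hex, 16),
        downloaded_at=datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc),
        agent=agent,
        event_uuid=event_uuid,
    )


# Agents a responder would normally expect to see on a user's download; constructed list.
EXPECTED_AGENTS = ("Safari", "Chrome", "Firefox", "Mail")


def triage(raw: Optional[str], expected_agents=EXPECTED_AGENTS) -> dict:
    """Classify a file by its quarantine state.

    raw is the attribute value, or None if the file has no such attribute.
    Returns 'gatekeeper_applies' (bool), the parsed Quarantine (if any) and a note.
    """
    if raw is None:
        return {
            "gatekeeper_applies": False,
            "note": "no com.apple.quarantine attribute: Gatekeeper never assessed this file; "
                    "check whether it arrived via curl/scp or the attribute was removed",
        }
    q = parse_quarantine(raw)
    note = f"downloaded by {q.agent} at {q.downloaded_at.isoformat()} (flags 0x{q.flags:04x})"
    if q.agent not in expected_agents:
        note += "; unusual downloading agent, worth a look"
    return {"gatekeeper_applies": True, "quarantine": q, "note": note}


# Constructed sample attribute value, shaped like a Safari download from late 2020.
SAMPLE = "0083;5fe3a1b2;Safari;6C1B2E1A-0000-4000-8000-000000000000"

if __name__ == "__main__":
    for value in (SAMPLE, "0083;5fe3a1b2;SomeInstaller", None):
        print(triage(value)["note"])
```

On a real Mac, feed it the output of `xattr -p com.apple.quarantine <file>`; a freshly downloaded executable with no attribute at all is the case to look at first, because it means the user, or the dropper, took a path Gatekeeper never saw.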

Not Immune, Though
However, Apple's operating systems—both Mac OS and iOS—are certainly not immune to attacks.

A recent report by The Citizen Lab at the University of Toronto underscored that the commercial sale of zero-click iMessage exploits, for example, continues to let governments buy the means to target dissidents. Now, malware families that previously targeted only Windows, and sometimes Linux, are also being ported to Macs, says Ian Davis, a senior threat researcher at BlackBerry.

"Historically MacOS threats mainly centered around adware and trojanized downloaders of well-known software," he says. "While these less-than-lethal families are still the majority of encountered samples, advanced attacks and toolsets are now being developed and deployed along with their counterparts for Windows and Linux."

Overall, the sophistication of MacOS threats is increasing, the two researchers say, and families previously seen only on Windows or Linux now target MacOS systems as well. In 2020 the community saw more cases of ransomware, botnet campaigns, and information-stealing backdoors in MacOS environments.

Mac User = The Vulnerability
While at least a quarter of the threats encountered by Windows systems are malware, less than 1% of those encountered by Mac systems are considered malware, Malwarebytes stated in its February report. Instead, attackers targeting the Mac rely on fooling the user into taking the steps needed for malware to run: opening the download, waving through the system's warning, and, where the payload needs it, typing an administrator password.

The tactics underscore that the user has become the most significant vector for getting dangerous code to run, so companies should make sure Mac users are trained to recognize security threats, says BlackBerry's Davis.

"Users should exercise caution downloading or running software from untrusted sources and granting any added permissions, regardless of their chosen operating system or architecture," he says. "Threats continue to largely rely on users running the executable and/or granting administrator rights during execution rather than making use of exploits to escalate privileges and obtain persistence."

An interesting side effect of Apple's focus on tools that strengthen user privacy is that attackers are often blocked from reaching data on Macs, notes Malwarebytes' Reed. An attacker who wants the user's address book, for example, cannot simply read it: macOS gates access to Contacts, Calendars and similar data behind a per-application permission prompt (the Transparency, Consent, and Control framework, TCC), so the user has to grant the right explicitly, which gives them another chance to recognize an attack.

"Because of some of the privacy protections that Apple is putting in place, in order to do that, I have to figure out a way to trick the user into giving me access into all the protected data locations on the system, such as Calendars, Addresses," he says.
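To make that point concrete, here is an added Python example (not code from the article, from Apple or from Malwarebytes) that audits the grants a Mac's TCC database records, so an incident responder can see which programs a user has allowed into Contacts, Calendars or the whole disk after the fact. The table layout is a reduced version of the real `access` table, the service names and the meaning of `auth_value` and `client_type` are taken from the macOS 11-era schema and should be treated as assumptions, and every row in the sample database is constructed for the example.

```python
"""Audit which programs hold TCC grants to protected user data.

Added example, not code from the article, from Apple or from Malwarebytes.
macOS records each Contacts / Calendars / Full Disk Access decision the user
makes in the per-user TCC database,
    ~/Library/Application Support/com.apple.TCC/TCC.db   (table `access`)
so after a user has been tricked into clicking "OK", the grant is still there
to find.  Reading the live file itself needs the Full Disk Access grant, so run
this from a tool that already has it, or against a copy from a forensic image.
Assumptions: macOS 11-era layout, only the columns used here are modelled;
auth_value 2 = allowed, 0 = denied; client_type 0 = bundle ID, 1 = absolute path.
"""
import os
import sqlite3
from typing import Iterable, List, Tuple

# TCC service identifiers worth reviewing, mapped to the name System Preferences shows.
SENSITIVE_SERVICES = {
    "kTCCServiceAddressBook": "Contacts",
    "kTCCServiceCalendar": "Calendars",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceScreenCapture": "Screen Recording",
}
AUTH_ALLOWED = 2
CLIENT_KIND = {0: "bundle", 1: "path"}

USER_TCC_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")


def open_tcc_db(path: str = USER_TCC_DB) -> sqlite3.Connection:
    """Open a TCC database read-only so the audit cannot alter the evidence."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def sensitive_grants(conn: sqlite3.Connection, allowlist: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (service name, client, client kind) for every allowed grant to a
    sensitive service whose client is not on the allowlist, ordered by service."""
    allowed = set(allowlist)
    placeholders = ",".join("?" * len(SENSITIVE_SERVICES))
    rows = conn.execute(
        f"SELECT service, client, client_type FROM access "
        f"WHERE auth_value = ? AND service IN ({placeholders}) ORDER BY service, client",
        (AUTH_ALLOWED, *SENSITIVE_SERVICES),
    )
    return [
        (SENSITIVE_SERVICES[service], client, CLIENT_KIND.get(client_type, str(client_type)))
        for service, client, client_type in rows
        if client not in allowed
    ]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db.  Apart from com.apple.iCal, every
    bundle ID and path below is made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceAddressBook", "com.apple.iCal", 0, 2),                    # expected
        ("kTCCServiceAddressBook", "com.example.updater-helper", 0, 2),        # user clicked OK
        ("kTCCServiceCalendar", "com.example.updater-helper", 0, 0),           # user denied
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/example-agent", 1, 2),
        ("kTCCServiceCamera", "com.example.videochat", 0, 2),                  # not in scope
    ])
    conn.commit()
    return conn


# Clients the organisation expects to hold these rights; constructed for the example.
KNOWN_GOOD = {"com.apple.iCal", "com.microsoft.Outlook"}

if __name__ == "__main__":
    for service, client, kind in sensitive_grants(build_sample_db(), KNOWN_GOOD):
        print(f"{service:17} granted to {kind} {client}")
```

Swap `build_sample_db()` for `open_tcc_db()` to run it against a real user database; the rows it returns are exactly the "give me access to Calendars, Addresses" approvals Reed describes, and the `last_modified` column in the real table tells you when each one was clicked.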

"Mac OS is far from invulnerable when it comes to the attacker's perspective," says Malwarebytes' Reed. "I am always telling people at conferences—somewhat facetiously—that I'm disappointed in what some of the Mac malware does, (but) as long as you know that your target will fall for what you are doing, then why bother with something sophisticated."

Meanwhile, attackers overall are upping their game, and those developing malware for Macs are continuing to incorporate tactics pioneered by malware families on Windows and Linux, BlackBerry's Davis notes.

"The old adage that MacOS is not susceptible to malware is far from the truth and the gap between Windows and MacOS threats is closing," he says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...