The top 5 ways malware can compromise corporate macOS systems


For consumers and enterprises alike, macOS has a reputation for being more secure than Microsoft Windows: its smaller market share makes it a less attractive target for cybercriminals, and the built-in security features Apple enforces make it harder to exploit. A third factor is the almost “walled garden” app ecosystem. Together these have produced a widely held belief that macOS controls such as code signing, Gatekeeper and Apple’s notarization service are enough to prevent successful malware attacks. Macs still get malware.

The truth is that no operating system is impregnable, so it’s vital for organizations to understand the most common ways corporate macOS systems can be compromised by malware in order to protect against them.


1. The allure of free content

Free content download sites are often used to distribute macOS malware. There are plenty of websites offering free file sharing of music, movies and software (torrent sites), ‘cracked’ apps with ads and copy protection removed (cracked sites), and free “try before you buy” sites (shareware sites). It’s easy for corporate users to be lured in by free content, and bad actors are more than happy to use these free downloads as an opportunity to inject malware.

When free content is downloaded, the file can be made to look like one related to Adobe or Flash Player, and users are then asked to override Apple’s cybersecurity features, like macOS Gatekeeper. Once given a free pass through this gate, the corporate user may be exposed to adware or bundleware, potentially compromising the entire corporate system.

To prevent malware infections through free content downloads, organizations should start by ensuring endpoint protection software (e.g., next-gen AV) is deployed. They should also apply security controls that restrict access to online resources known to be malicious or used to distribute potentially malicious content.

Furthermore, Mobile Device Management (MDM) gives organisations more defined, granular and targeted management and security policies. These make it possible to harden the OS, prevent excessive permissions, restrict access to specific system configurations or to applications such as Terminal (which lets users interact with the underlying Unix-based operating system macOS is built on) and ultimately block unsigned code execution altogether. Corporate users should also be educated about the risks of downloading free content from unverified sources.

António Vasconcelos

António Vasconcelos is Field CISO Director for EMEA at SentinelOne.

2. Deceiving users with malvertising

The internet is awash with malicious ads targeting macOS users as part of so-called ‘malvertising’ campaigns. These maliciously crafted ads can run hidden code inside the user’s browser, redirecting them to sites that show popups with fake software updates or virus warnings. The intent is to spook the user into remediating the problem, only for them to discover that their IT troubles have just begun. In the past year, macOS users have been targeted by malvertising campaigns such as ChromeLoader and oRAT. ChromeLoader is a malicious Chrome extension that hijacks a user’s search engine queries, intercepts outgoing browser traffic and serves up adware to victims.

Malvertising campaigns can be held at bay by firewalls and web filters that block malicious websites in the first place. Ad-blocking software can prevent most adverts from being displayed, so the malicious code they contain never executes. However, this can affect page-load speed and performance.

3. Corrupting developer projects

Developers using macOS systems are an especially high-value target for malicious actors. In their line of work, developers are always striving to improve their productivity, so rather than reinventing the wheel they rely on shared code instead of writing their own from scratch. While this saves time, there are numerous recent examples of attackers poisoning large-scale developer projects with malicious code.

XcodeGhost, a corrupted version of Apple’s Xcode development environment, was observed in China in September 2015. Aimed at Chinese developers, it injected malicious code into any iOS app built with it, and a large volume of infected apps was then distributed directly via Apple’s App Store.

To keep developer projects from being poisoned by malicious code, stringent review of projects limits the risk of unauthorised downloads. Educating developers on the risks of externally sourced developer projects and on secure development practices – such as secure coding guidelines, code review and code buddying – is also key.

4. Compromising open-source package repositories

Open-source repositories – centralized locations where developers can store and share their code – are widely used across many enterprise projects but are difficult to keep secure. There are many different repositories across multiple platforms and languages, including the Python Package Index (PyPI), GitHub, and macOS-specific package managers and repositories such as Homebrew and Carthage.

Attackers often carry out typosquatting attacks on such repositories, targeting people who have simply misspelt the name of the package they wanted. Another method is the dependency confusion attack, where threat actors upload to a public repository a malicious package with the same name as a legitimate software dependency – a piece of code or a library that a software package relies on in order to function – hoping that package managers will resolve and download it instead.

The defenses against threats from open-source repositories are similar to those used to protect shared developer projects. To further mitigate this threat, security teams can also use private repositories and configure package managers not to fall back to a public repository by default. Other defensive tactics include verifying package authenticity through code signing and periodically auditing and verifying externally sourced code.
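A way to check the “don’t default to a public repository” control for pip, as an added example that is not part of the article or of SentinelOne’s tooling. It assumes a single-section pip.conf and a constructed private index host name, and it writes a weak and a hardened sample config so the check can be seen passing and failing:

```shell
#!/bin/sh
# Added example (not from the article): audit a pip.conf so that installs
# resolve only against the organisation's private index.
# Assumption: PRIVATE_INDEX_HOST is a constructed placeholder; use your own.

PRIVATE_INDEX_HOST="pypi.internal.example"

# Print the value of a key in a pip.conf (assumes one [global] section).
pip_conf_value() {   # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 only if index-url points at the private index over HTTPS and no
# extra-index-url is set. extra-index-url keeps public PyPI in play, and pip
# picks the highest version from either index, which is exactly what a
# dependency-confusion attack relies on. An unset index-url also fails,
# because pip then defaults to public PyPI.
check_pip_conf() {
    conf="$1"
    index=$(pip_conf_value "$conf" "index-url")
    extra=$(pip_conf_value "$conf" "extra-index-url")
    case "$index" in
        https://"$PRIVATE_INDEX_HOST"/*) ;;
        *) echo "FAIL $conf: index-url is '$index', expected the private index"
           return 1 ;;
    esac
    if [ -n "$extra" ]; then
        echo "FAIL $conf: extra-index-url='$extra' allows fallback to a public index"
        return 1
    fi
    echo "OK $conf: installs pinned to $PRIVATE_INDEX_HOST"
}

# Constructed sample configs: the weak one is a common mistake (private index
# added only as an extra), the hardened one makes the private index the sole
# source, with that index proxying any public packages that are needed.
write_samples() {   # $1 = directory
    printf '[global]\nextra-index-url = https://%s/simple/\n' \
        "$PRIVATE_INDEX_HOST" > "$1/weak-pip.conf"
    printf '[global]\nindex-url = https://%s/simple/\n' \
        "$PRIVATE_INDEX_HOST" > "$1/hardened-pip.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_pip_conf "$tmp/weak-pip.conf" || :
check_pip_conf "$tmp/hardened-pip.conf"
rm -rf "$tmp"
```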

5. Trojan applications

Open-source package repository attacks can be extremely damaging, but they are relatively easy to detect. Threat actors who prefer a stealthier approach may opt instead to trojanize popular applications to strike specific corporate targets.

One example is when sponsored links in the Baidu search engine were used to spread malware via trojanized versions (known as OSX.Zuru) of the popular terminal emulator iTerm2. Closer examination revealed that this campaign also used trojanized versions of Microsoft Remote Desktop for Mac, a popular app in the corporate space. This suggests that bad actors are actively targeting users of tools for remote connections and business database management, which are much more common now with increased remote working and corporate users often switching between macOS and Windows devices.

To prevent attacks via trojan applications, organizations should verify that all code is signed and that code signatures match known, approved developer signatures. Security tools can also restrict or prevent the execution of unsigned code, and, as with all of the above vulnerabilities, an effective endpoint protection solution is key to both identifying and preventing the presence of malware.
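One way to implement the “signatures match known developer signatures” check on macOS, as an added example that is not the article’s or SentinelOne’s code. It assumes an allow-list of Apple Developer Team IDs (the two values below are constructed placeholders) and uses the standard `codesign` and `spctl` tools; the parsing and allow-list functions work on any POSIX shell, the full bundle check only on macOS:

```shell
#!/bin/sh
# Added example, not from the article: gate app execution on an intact code
# signature, a passing Gatekeeper assessment and an allow-listed signer.
# Assumption: the Team IDs below are constructed placeholders; use your own.

ALLOWED_TEAM_IDS="ABCDE12345 FGHIJ67890"

# Pull the "TeamIdentifier=..." value out of `codesign -dv --verbose=4` output.
# Prints nothing for unsigned binaries and "not set" for ad-hoc signatures.
team_id_from_codesign_output() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 only if the team id exactly matches an allow-listed entry
# ("not set" and an empty string therefore never pass).
team_id_allowed() {
    for allowed in $ALLOWED_TEAM_IDS; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# Full check for a bundle on disk (macOS only): the signature must verify
# intact, Gatekeeper must accept it for execution, and the signing team
# must be allow-listed. A valid signature from an unknown team is rejected,
# which is the case a trojanized copy of a legitimate app typically falls into.
check_app() {
    app="$1"
    codesign --verify --deep --strict "$app" 2>/dev/null \
        || { echo "REJECT $app: signature missing or tampered"; return 1; }
    spctl --assess --type execute "$app" 2>/dev/null \
        || { echo "REJECT $app: Gatekeeper assessment failed"; return 1; }
    info=$(codesign -dv --verbose=4 "$app" 2>&1)
    tid=$(team_id_from_codesign_output "$info")
    if team_id_allowed "$tid"; then
        echo "ALLOW $app: signed by team $tid"
    else
        echo "REJECT $app: team '$tid' is not allow-listed"
        return 1
    fi
}

# Usage: sh check_signing.sh /Applications/Some.app /Applications/Other.app
for app in "$@"; do
    check_app "$app" || :
done
```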

Keeping macOS systems secure

Despite the widespread perception that macOS is the safe bet when it comes to operating systems, even Apple has acknowledged that a malware problem on Macs exists. As macOS has become more popular with users, it’s also become a more attractive target for attackers.

To protect organisations, security teams need to stay vigilant about the vulnerabilities of macOS and work pre-emptively to defend against them. With the right security protocols and tools, and an emphasis on endpoint protection to prevent and detect the execution of malicious code, companies can make their belief in a safe and secure macOS a reality.

