FortiGuard Labs Threat Research

Cybercrime At Your Service, Mac

By Aamir Lakhani | June 12, 2017

There is a pervasive belief, even among security professionals, that Apple Mac devices are immune to security breaches. And while there is some truth behind that belief, it’s time that we take this particular attack vector more seriously.

In my opinion, part of the reason why folks have been rather complacent about Mac security is that Macs are built on a hardened Unix backbone that includes a number of built-in security controls, such as elevated privilege requirements, designed to protect against attacks. As a result, Mac users don’t operate at the "root" or admin level the way most Windows users do. Anything that affects system stability or, for example, tries to deploy new services often requires additional authentication, which is why malware has a much more difficult time being deployed on a Mac system.

But another reason we haven’t seen many attacks targeted at Macs is that they have historically had such little market share when compared to Windows devices. For many cybercriminals, it just hasn’t been worth the time or effort to build tools to hack into Mac devices.

But that is beginning to change.

Not only are Macs continually gaining market share generally, they are growing in popularity within a demographic that is potentially very attractive to attackers. For example, in many organizations, C-suite executives and marketing teams are more likely to use Macs. And not only do these individuals use and share valuable information, they are also very often non-technical, which means they are less likely to be backing up their devices, encrypting stored data, or following other security best practices.

New attack opportunities and threat vectors are also making the targeting of Mac devices easier and more attractive. For example, we are beginning to see the development of hacking tools that target cross-compatible software. So, while it may take lots of work to target Mac OS directly, attackers can build attacks using something like Python, which runs on multiple platforms and is loaded by default on all Macs. And ransomware may not even need special privileges to operate on a Mac system; it just needs to target the personal files stored in the user’s home directory.

Even still, the opportunity to pull significant revenue from something like a ransomware attack aimed at a Mac device, even one owned by a CXO, is pretty small. How much is an individual Mac owner willing to pay to have their files decrypted? $50? $500? $5000? Now compare that with the potential windfall of holding an entire healthcare infrastructure for ransom.

But what if you could do this at scale? Because we are now also seeing the rise of cybercrime as a service. Rather than targeting lower-value devices or systems one at a time, cybercriminals have begun building malware “franchises” that allow wannabe criminals to sign up to leverage pre-built technology to target potential victims in exchange for sharing profits on the back end. So, while ransoming one device may not be of much financial value to professional cybercriminals, having hundreds of franchisees targeting thousands of devices every day certainly is.

At the same time, such an opportunity is very attractive to many small-time players. A hacker working out of his or her parents’ basement in their spare time is likely to be very happy successfully targeting several devices a week at a couple hundred dollars apiece.

Unfortunately, we aren’t talking about some potential future threat. Our FortiGuard Labs team just reported on a new ransomware variant targeting Mac devices. Which means it’s time to get serious about protecting these devices.

What Should You Do?

Fortunately, there are a number of things Mac users can do to protect themselves and their assets.

  1. Apply patches and updates. The vast majority of successful attacks exploit vulnerabilities that are months or years old, and for which patches have been available for a good while. Apple regularly provides security updates; you just need to make sure you are taking the time to apply them.
  2. Back up your device. Apple’s Time Machine service will automatically create full system backups, which means that if your system gets ransomed you can simply wipe your device and perform a full system restore from backup. But that’s just the start. If you regularly use or store critical information on your Mac, here are a few additional things you should do:
  3. Make redundant backups. Time Machine backup volumes are often persistently connected to the device being backed up. It is a good practice to keep a separate backup stored offline so it can’t be compromised as part of an attack.
  4. Scan backups for malware. Restoring a device from an infected backup defeats the purpose of backing up files. Make sure backups are scanned to ensure they are clean.
  5. Encrypt data stored on your device. While this may not be effective against many ransomware variants, it is good practice, as it can protect your organization should your device become infected with malware that is designed to steal files and data.
  6. Install an endpoint security client. This may seem like simple advice, but it is actually trickier than it sounds. There are a number of applications out there that claim to optimize, clean, and protect your Mac system, and most of them ought to be avoided. You need to do your research here. A number of security vendors have developed tools that will not only protect your device, but tie that protection back into your network security strategy, allowing you to leverage and share threat intelligence to better protect your device and its assets.
  7. Deploy security that covers other threat vectors. Email is still the number one source of malware and infection, so make sure that your organization has deployed an appropriate email security solution. The same is true for web security tools, wired and wireless access controls, cloud-based security, and network segmentation strategies that allow you to detect, isolate, and respond to threats found anywhere across your distributed environment.
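As an added example (not code from the FortiGuard post), here is a small Python posture check covering three of the items above: pending Apple updates, the age of the latest Time Machine backup, and whether FileVault is on. The `fdesetup`, `tmutil` and `softwareupdate` commands are real macOS tools, but the exact output formats they print are assumptions noted in the comments; the parsing functions take that raw text as input, so they can be exercised on sample output without a Mac.

```python
import re
import subprocess
from datetime import datetime

# Assumed output formats (seen on macOS at the time of writing; versions vary):
#   fdesetup status      -> "FileVault is On." or "FileVault is Off."
#   tmutil latestbackup  -> ".../Backups.backupdb/<host>/2017-06-10-093015"
#   softwareupdate -l    -> each pending update on a line starting with "* "

def filevault_enabled(status_text):
    """True if the fdesetup status text reports FileVault as on."""
    return re.search(r"FileVault is On", status_text) is not None

def backup_age_days(latest_path, now):
    """Age in days of the newest Time Machine snapshot, or None if there is none."""
    m = re.search(r"(\d{4}-\d{2}-\d{2}-\d{6})", latest_path)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%Y-%m-%d-%H%M%S")
    return (now - stamp).days

def pending_updates(listing_text):
    """Names of updates that softwareupdate -l says are still waiting."""
    return [ln.strip()[2:].strip() for ln in listing_text.splitlines()
            if ln.strip().startswith("* ")]

def assess(fv_text, tm_text, su_text, now, max_backup_age=7):
    """Turn the three command outputs into a list of human-readable findings."""
    findings = []
    if not filevault_enabled(fv_text):
        findings.append("FileVault is off: data at rest is not encrypted")
    age = backup_age_days(tm_text, now)
    if age is None:
        findings.append("no Time Machine backup found")
    elif age > max_backup_age:
        findings.append(f"latest backup is {age} days old (limit {max_backup_age})")
    for upd in pending_updates(su_text):
        findings.append(f"update not applied: {upd}")
    return findings

def run(cmd):
    """Run a command and return its stdout (only works on a Mac)."""
    return subprocess.run(cmd, capture_output=True, text=True).stdout

if __name__ == "__main__":
    report = assess(run(["fdesetup", "status"]),
                    run(["tmutil", "latestbackup"]),
                    run(["softwareupdate", "-l"]), datetime.now())
    print("\n".join(report) or "no findings")
```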

When it comes to security, the only constant is change, whether you’re considering the way networks are evolving or how these changes are creating new opportunities for criminals. This makes it imperative that you approach security from a holistic perspective. That includes making sure that you are protecting every device across all threat vectors, including those devices, like Macs, that you thought were secure.