There is a pervasive belief, even among security professionals, that Apple Mac devices are immune to security breaches. And while there is some truth behind that belief, it’s time that we take this particular attack vector more seriously.
In my opinion, part of the reason why folks have been rather complacent about Mac security is that Macs are built on a hardened Unix backbone that includes a number of built-in security tools, such as elevated privilege requirements, designed to protect against attacks. As a result, Mac users don’t operate at the "root" or admin level like most Windows users do. Anything that affects system stability or, for example, tries to deploy new services, often requires additional authentication, which is why malware has a much more difficult time being deployed on a Mac system.
But another reason we haven’t seen many attacks targeted at Macs is that they have historically had so little market share when compared to Windows devices. For many cybercriminals, it just hasn’t been worth the time or effort to build tools to hack into Mac devices.
Not only are Macs continually gaining market share generally, they are growing in popularity within a demographic that is potentially very attractive to attackers. For example, in many organizations, C-suite executives and marketing teams are more likely to use Macs. And not only do these individuals use and share valuable information, they are also very often non-technical, which means they are less likely to be backing up their devices, encrypting stored data, or following other security best practices.
New attack opportunities and threat vectors are also making the targeting of Mac devices easier and more attractive. For example, we are beginning to see the development of hacking tools that target cross-compatible software. So, while it may take lots of work to target macOS, attackers can create attacks using something like Python, which runs on multiple platforms, and which is loaded by default on all Macs. And ransomware may not even need special privileges to operate on a Mac system. It just needs to target personal files that are stored in the user’s home directory.
Even so, the opportunity to pull significant revenue from something like a ransomware attack aimed at a Mac device, even one owned by a CXO, is pretty small. How much is an individual Mac owner willing to pay to have their files decrypted? $50? $500? $5000? Now compare that with the potential windfall of holding an entire healthcare infrastructure for ransom.
But what if you could do this at scale? Because we are now also seeing the rise of cybercrime as a service. Rather than targeting lower-value devices or systems one at a time, cybercriminals have begun building malware “franchises” that allow wannabe criminals to sign up to leverage pre-built technology to target potential victims in exchange for sharing profits on the back end. So, while ransoming one device may not be of much financial value to professional cybercriminals, having hundreds of franchisees targeting thousands of devices every day certainly is.
At the same time, such an opportunity is very attractive to many small-time players. A hacker working out of his or her parents’ basement in their spare time is likely to be very happy successfully targeting several devices a week at a couple hundred dollars apiece.
Unfortunately, we aren’t talking about some potential future threat. Our FortiGuard Labs team just reported on a new ransomware variant targeting Mac devices. Which means it’s time to get serious about protecting these devices.
Fortunately, there are a number of things Mac users can do to protect themselves and their assets.
When it comes to security, the only constant is change, whether you’re considering the way networks are evolving or how these changes are creating new opportunities for criminals. This makes it imperative that you approach security from a holistic perspective. That includes making sure that you are protecting every device across all threat vectors, including those devices, like Macs, that you thought were secure.