Within the realm of cybersecurity, macOS has held a reputation as a fortress, offering robust protection against malicious attacks. Nevertheless, recent developments have dealt a blow to this perception, with the emergence of infostealers posing an escalating threat to Apple’s ecosystem.
Despite Apple’s continuous efforts to bolster security through various features, no operating system is entirely immune to vulnerabilities that could be exploited by determined attackers. In this blog post, we will delve into the ever-evolving threat landscape surrounding macOS, examining its existing protective measures and the potential weaknesses that still exist.
Moreover, we will explore the tactics employed by infostealers to compromise macOS systems and gain unauthorized access to sensitive information. Finally, we will equip users with essential steps and best practices they can adopt to fortify their defenses and safeguard their valuable data from these growing threats.
The growing user base of macOS attracts threats
The surge in Apple’s market share and its widespread adoption within Fortune 500 enterprises has undeniably contributed to the growing attention macOS is receiving as a prime target for cyber threats.
However, the landscape has shifted significantly, with an increasing number of employees now using macOS devices as part of their everyday life or work environment. This broader user base with both enterprise and consumer users has become an appealing opportunity for malicious actors to exploit, prompting them to develop targeted malware specifically for macOS systems.
As the threat landscape evolves, the reach and impact of macOS-focused malware have amplified. Smaller threat actor groups have taken notice of this trend and started directing their efforts towards macOS as well.
Consequently, the once perceived security advantage of using macOS has faced new challenges, calling for heightened vigilance and protection measures to safeguard both consumers and corporate entities.
MacOS infection vectors:
There are several prevalent infection vectors when it comes to macOS infections, most of which are unfortunately reliant on user interaction. These vectors range from deceitful email attachments and counterfeit software updates to fraudulent tech support schemes and backdoored applications.
These avenues include the distribution of infected applications, exploited URL schemes (https://objective-see.org/blog/blog_0x38.html), and tampered Xcode projects such as XCSSET (https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf).
Infostealers on the rise:
Out of the box, macOS systems come built in with an active admin account. This admin account has powerful access to information stored on the macOS that infostealers are looking to exploit. They lure victims to type their admin password by fake system prompts.
Infostealers specialize in stealing sensitive data like keychain databases, login credentials, saved credit card information, and session cookies to online services from compromised devices. Intriguingly, infostealers may also choose between persistence or full removal to optimize their success potential. Infostealers can promptly extract data from a system without maintaining a persistent presence, such as in the case of the recent Atomic infostealer.
Mac protections summary:
Acknowledging that most macOS infections require explicit user interactions, Apple has actively implemented various features to safeguard users from falling prey to deceptive phishing tactics. And to prevent user frustration arising from potential false positives generated by these safeguards, Apple provides manual overrides for its security mechanisms.
However, therein lies a challenge; malware groups have taken advantage of these manual overrides. They mimic the macOS aesthetic, effectively deceiving users into using these bypasses to gain unauthorized access to sensitive information.
For example, the combination of “File Quarantine” and “Gatekeeper” technologies functions as both a warning system and a blocker against known malicious files.
When a file is downloaded from the internet or received through email, a “quarantine” attribute is assigned, indicating that it requires scanning. Upon attempting to open the file, users receive a warning message detailing its source and asking for confirmation before proceeding.
If “Gatekeeper” identifies the file as harmful, it will prevent its execution and display a message informing the user of its harmful nature and the subsequent block.
Aside from their susceptibility to manual bypass, the issue with these technologies stems from their reliance on the files being recognized and cataloged by Apple.
These systems operate on file signatures, which are like fingerprints, stored within Apple’s malicious software database. However, even slight alterations to a file can generate a distinct signature, rendering Gatekeeper almost ineffective in such cases.
Gatekeeper, just like any other security mechanism that guards against harmful execution, is prone to frequent 0-day bypasses due to its broad scope, which necessitates control over various aspects of the system.
Threat actors are continuously looking for ways to bypass Gatekeeper or use compromised enterprise software signing certificates to enable malware installations on macOS. F-Secure recently discovered one such Gatekeeper vulnerability, which has been patched by Apple
Apple later introduced additional security measures to enhance macOS’s protection. Central to this effort was the implementation of “notarization,” a comprehensive review process that macOS apps are subjected to if these apps seek to be “verified”. The aim is to ensure the apps adhere to Apple’s security and performance standards, providing users with a safer and more reliable computing experience.
Upon identifying a malicious app, Apple takes action by revoking the code-signing developer certificate used to sign the app, if applicable. This proactive measure extends to any other app developed under the same certificate, effectively removing them.
Manual bypasses remain
While these steps are commendable, they aren’t always foolproof. As of macOS Ventura 13.3, the system still retains the potential for manual bypasses of for example the notarization check, enabling the execution of unauthorized apps or known malware signatures, or unknown ones.
Since Apple’s System Integrity Protection (SIP) and XProtect technologies do well when it comes to protecting the macOS operating system, malware nowadays is choosing to persist through other means without touching the filesystem, and it is still able to extract and do a lot of harm through the system’s admin access.
As an example, macOS includes certain tools, such as the `security` command line that facilitates the identification and extraction of Keychain database encrypted files from the system without requiring a password.
By Apple: A keychain is an encrypted container that securely stores your account names and passwords for your Mac, apps, servers and websites, and confidential information, such as credit card numbers or bank account PIN numbers (https://support.apple.com/en-gb/guide/mac-help/mchlf375f392/mac). This same methodology of deriving encryption from user’s password is mirrored in Google Chrome, Mozilla Firefox, and many others.
Unfortunately, the user’s password serves as decryption keys for these Keychains, therefore a weak password can lead to an ultimate compromise of all credentials stored in Keychain.
A malware which tricks users into revealing their password effectively allows access to sensitive information such as passwords, cookies, and even website active sessions. The latter effectively allows bypassing multi-factor authentication.
For safeguarding against infostealers, macOS users must take proactive steps. Maintaining current software, including the OS and applications, is paramount. Caution should be exercised when handling files or instructions to install software, even from what looks like credible origins; Always stop and think: why is this installation guide telling me to install the app this specific way?
Augmenting defenses with reputable anti-malware tools like F-Secure is highly beneficial in these, and many other, cases: F-Secure Total catches a malicious file the moment it gets downloaded or blocks it from being executed even if the manual bypass is triggered by the user.