

12/29/2020
07:50 AM

Mac Attackers Remain Focused Mainly on Adware, Fooling Users

Despite reports that Macs have encountered more threats than Windows systems, the platform still sees far fewer exploits and malware - including ransomware.

The year 2020 kicked off with reports that Mac cyber threats had taken off, with machines encountering twice as many threats as Windows systems. But as the year came to a close, the average user of the Mac OS continued to see fewer malware and ransomware threats than Windows users, security experts say.

In February of 2020, endpoint security firm Malwarebytes reported that its Mac users encountered about twice as many "threats" as Windows users. Those threats, however, consisted mainly of potentially unwanted programs (PUPs) and adware, not malware.


While the data for the entire year has not been fully analyzed, the trend seems likely to continue, says Thomas Reed, director of Mac and mobile for Malwarebytes.

"On Windows, we have all sorts of exploits that happen—it is a much more common thing on the Windows side to, say, visit a website and suddenly your machine is infected," he says. "That really does not happen on the Mac OS."

Apple has typically benefited from its minority market share among desktop and laptop systems as well as a more tightly controlled ecosystem. By default, macOS's Gatekeeper refuses to run a downloaded program unless it came from the Mac App Store or was signed by a developer Apple recognizes (and, since macOS 10.15 Catalina, notarized by Apple); anything else requires the user to deliberately override the warning. That is a stricter default than Windows ships with, where comparable application allowlisting through AppLocker has to be configured by an administrator.
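The Gatekeeper behaviour described above can be checked on an existing download. The following script is an added example, not code from the article or from Apple, Malwarebytes or BlackBerry: it reads the `com.apple.quarantine` extended attribute that browsers stamp on downloads (the attribute is what makes Gatekeeper assess a file on first launch), asks `spctl` for Gatekeeper's verdict, and pulls the signing chain out of `codesign`. The live checks only work on a Mac; the three parsers are pure Python and run anywhere. The flag bits in the quarantine attribute are not documented by Apple, so they are returned raw rather than interpreted.

```python
"""Check how macOS Gatekeeper will treat a downloaded program.

Added example, not code from the article. The live checks shell out to the
real macOS tools (xattr, spctl, codesign); the parsers are pure Python.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int               # raw hex flags; bit meanings are not documented by Apple
    downloaded_at: datetime  # when the file was saved
    agent: str               # the app that saved it, e.g. Safari or Chrome
    uuid: Optional[str]      # key into the LaunchServices quarantine event log, if present


def parse_quarantine(value: str) -> Quarantine:
    """Parse a com.apple.quarantine value of the form 'flags;timestamp;agent[;uuid]'.

    flags and timestamp are hexadecimal; timestamp is seconds since the Unix epoch.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine format: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(flags, downloaded_at, parts[2], uuid)


def parse_spctl(output: str) -> dict:
    """Parse the output of 'spctl --assess --type execute -v PATH'.

    Accepted binaries print '<path>: accepted' followed by 'source=...'
    (e.g. 'App Store', 'Developer ID', 'Notarized Developer ID'); rejected
    ones print '<path>: rejected', usually with a source line giving the reason.
    """
    verdict = None
    source = None
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            verdict = "accepted"
        elif line.endswith(": rejected"):
            verdict = "rejected"
        elif line.startswith("source="):
            source = line[len("source="):]
    return {"accepted": verdict == "accepted", "verdict": verdict, "source": source}


def parse_codesign(output: str) -> dict:
    """Extract the certificate chain and team ID from 'codesign -dv --verbose=2 PATH'
    (codesign writes these details to stderr)."""
    authorities = []
    team = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Authority="):
            authorities.append(line[len("Authority="):])
        elif line.startswith("TeamIdentifier="):
            team = line[len("TeamIdentifier="):]
    return {"authorities": authorities, "team_id": team}


def _run(cmd) -> str:
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def assess(path: str) -> dict:
    """Live check on macOS: download origin, Gatekeeper verdict and signer for one path."""
    q = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path], capture_output=True, text=True)
    quarantine = parse_quarantine(q.stdout) if q.returncode == 0 else None
    result = {"path": path, "quarantined": quarantine is not None, "quarantine": quarantine}
    result.update(parse_spctl(_run(["spctl", "--assess", "--type", "execute", "-v", path])))
    result.update(parse_codesign(_run(["codesign", "-dv", "--verbose=2", path])))
    return result


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(assess(p))
```

A file with no quarantine attribute (copied in by a tool that does not set it, or stripped with `xattr -d`) is never assessed by Gatekeeper at all, which is why the `quarantined` field is reported separately from the verdict.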

Not Immune, Though
However, Apple's operating systems—both Mac OS and iOS—are certainly not immune to attacks.

A recent report by The Citizen Lab at the University of Toronto underscored that the commercial sale of zero-click exploits for iMessage, for example, continues to allow governments to buy access to target dissidents. Malware families that previously targeted only Windows, and sometimes Linux, are now also being ported to the Mac, says Ian Davis, a senior threat researcher at BlackBerry.

"Historically MacOS threats mainly centered around adware and trojanized downloaders of well-known software," he says. "While these less-than-lethal families are still the majority of encountered samples, advanced attacks and toolsets are now being developed and deployed along with their counterparts for Windows and Linux."

Overall, the sophistication of MacOS threats is increasing, the two researchers say. Previously encountered families on Windows or Linux are also now targeting MacOS systems. In 2020, the community saw increased cases of ransomware, botnet campaigns, and information-stealing backdoors in MacOS environments.

Mac User = The Vulnerability
While at least a quarter of the threats encountered by Windows systems are malware, less than 1% of those encountered by Mac systems are considered malware, Malwarebytes stated in its February report. Instead, attackers targeting the Mac look to fool the user into taking the steps needed to let malware run: opening the download, clicking through the operating system's warnings, or granting the program administrator rights.

The tactics underscore that the user has become the most significant vector for running dangerous code on these systems, so companies should make sure to train Mac users to be more aware of security threats, says BlackBerry's Davis.

"Users should exercise caution downloading or running software from untrusted sources and granting any added permissions, regardless of their chosen operating system or architecture," he says. "Threats continue to largely rely on users running the executable and/or granting administrator rights during execution rather than making use of exploits to escalate privileges and obtain persistence."

A side effect of Apple's investment in user-privacy controls is that attackers who land on a Mac are often blocked from reaching the data they came for, notes Malwarebytes' Reed. Under macOS's Transparency, Consent, and Control (TCC) framework, a program that wants the user's address book, for example, must be granted that specific permission through a system prompt, which gives the user one more chance to recognize an attack.

"Because of some of the privacy protections that Apple is putting in place, in order to do that, I have to figure out a way to trick the user into giving me access into all the protected data locations on the system, such as Calendars, Addresses," he says.
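The grants Reed describes are recorded in the TCC database, so a defender can audit which programs a user has already consented to. The script below is an added example, not code from the article or from the vendors quoted in it. The per-user database lives at ~/Library/Application Support/com.apple.TCC/TCC.db and reading it requires Full Disk Access, so the script also builds a constructed, simplified copy of its `access` table to run on. The column subset used (`service`, `client`, `client_type`, `auth_value`, `last_modified`, and the older `allowed` column on macOS 10.15 and earlier) and the service names are real; the sample rows, the bundle IDs in them and the `com.example` identifiers are constructed.

```python
"""Audit which programs a Mac user has granted access to protected data.

Added example, not from the article. macOS stores per-user consent decisions
for Contacts, Calendars, Full Disk Access and so on in the TCC database.
"""
import os
import sqlite3
from datetime import datetime, timezone

# Service identifiers exactly as stored in TCC.db, mapped to their System
# Preferences labels.
SERVICES = {
    "kTCCServiceAddressBook": "Contacts",
    "kTCCServiceCalendar": "Calendars",
    "kTCCServiceReminders": "Reminders",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
}
USER_TCC_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")
CLIENT_TYPES = {0: "bundle id", 1: "path"}


def open_tcc_db(path: str = USER_TCC_DB) -> sqlite3.Connection:
    """Open the real database read-only (needs Full Disk Access on the caller)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for TCC.db with only the columns this script reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE access (
        service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER,
        auth_value INTEGER, last_modified INTEGER)""")
    rows = [  # constructed sample rows
        ("kTCCServiceAddressBook", "com.apple.mail", 0, 2, 1609167264),
        ("kTCCServiceCalendar", "com.example.updater", 0, 2, 1609167300),   # an 'updater' with Calendar access is worth a look
        ("kTCCServiceAddressBook", "com.example.updater", 0, 0, 1609167301),  # denied by the user
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/backup", 1, 2, 1609100000),
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", rows)
    return conn


def _allowed_expr(conn: sqlite3.Connection) -> str:
    """Pick the 'allowed' predicate for the schema in use (it changed in macOS 11)."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    if "auth_value" in cols:   # macOS 11+: 0 = denied, 2 = allowed; other values are not full grants
        return "auth_value = 2"
    if "allowed" in cols:      # macOS 10.15 and earlier: 1 = allowed
        return "allowed = 1"
    raise RuntimeError("unrecognized TCC access table schema")


def granted(conn: sqlite3.Connection, services=SERVICES) -> list:
    """List (label, client, client kind, grant time) for every allowed grant of interest."""
    marks = ",".join("?" * len(services))
    # The only interpolated text is a fixed column predicate chosen above; all
    # service names go through bind parameters.
    sql = (f"SELECT service, client, client_type, last_modified FROM access "
           f"WHERE service IN ({marks}) AND {_allowed_expr(conn)} ORDER BY service, client")
    out = []
    for service, client, ctype, modified in conn.execute(sql, list(services)):
        out.append({
            "service": services[service],
            "client": client,
            "kind": CLIENT_TYPES.get(ctype, f"type {ctype}"),
            "granted_at": datetime.fromtimestamp(modified, tz=timezone.utc) if modified else None,
        })
    return out


if __name__ == "__main__":
    import sys
    conn = open_tcc_db(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for g in granted(conn):
        print(f"{g['service']:<18} {g['client']:<40} ({g['kind']}) {g['granted_at']}")
```

Run it with the path of a TCC.db copy to audit a real user; with no argument it reports on the constructed table. A grant to a client whose bundle ID or path the user does not recognize is exactly the "tricked into giving access" outcome Reed describes, and the `last_modified` timestamp ties it to a download or install time.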

"Mac OS is far from invulnerable when it comes to the attacker's perspective," says Malwarebytes' Reed. "I am always telling people at conferences—somewhat facetiously—that I'm disappointed in what some of the Mac malware does, (but) as long as you know that your target will fall for what you are doing, then why bother with something sophisticated."

Meanwhile, attackers overall are upping their game, and those developing malware for Macs are continuing to incorporate tactics pioneered by malware families on Windows and Linux, BlackBerry's Davis notes.

"The old adage that MacOS is not susceptible to malware is far from the truth and the gap between Windows and MacOS threats is closing," he says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 
