It's Time To Take MacOS Security Seriously
Steve provides research, analysis, insight and commentary on topical issues and events.
He lives in New Zealand and has been working at FastTrack Software for 10 years as a cyber security analyst and technical writer.
The Numbers Don’t Quite Add Up
When it comes down to it, Microsoft Windows wins the operating system popularity contest by a fairly large margin.
You would think, given those market shares, that Admin By Request's PAM solution would be protecting Windows and macOS devices in roughly the same proportions.
But you'd be wrong.
The actual numbers show a far higher ratio of Windows to macOS machines covered by Admin By Request security software than the market shares would predict, meaning that, proportionally, more macOS devices than Windows devices are being left unprotected.
Privileged Access Management for Newbies
In case you’re new to Privileged Access Management, let’s start with PAM 101.
Privileged Access Management (PAM) is software that helps organisations manage and control their user accounts, particularly those with elevated privileges.
Privileged user accounts are those that have more access and abilities within a network than regular user accounts.
They can install and uninstall software and drivers, modify system files, add and remove other user accounts, and start and stop services.
PAM exists to ensure these accounts are protected, that the privileges are only granted when genuinely needed, and that privileged actions can only be undertaken safely and accountably.
A PAM solution that really goes the distance is one that:
- Controls what users have access to on their devices and the network.
- Monitors privileged user actions and activity.
- Can audit these actions and activity in the case of a security breach.
Admin By Request covers all of these key requirements for macOS as well as Windows – but more on that later.
The MacOS Malware Myth
Back to our operating system conundrum: why is macOS struggling to get the protection it needs?
It all stems from the myth that Apple Macintosh devices can’t get viruses – which is exactly that: a myth.
Apple Macs can get infected with malware, but historically this has happened to a much lesser degree on macOS than on Windows.
Here are some reasons why macOS may have developed a reputation for being immune to viruses:
- The sheer number of Windows devices
We know the numbers: there are over four times more devices running Microsoft Windows worldwide than there are those running macOS.
This is significant for several reasons:
1. More numbers mean a larger target. It makes sense for attackers to go for the larger audience: Windows. A larger target audience means more damage can be done: large companies run thousands of Windows end-user devices, so malware has the potential to propagate further, and more money can be made from ransomware when larger, more profitable organisations are targeted.
2. Because the Windows platform is more commonly used worldwide, attackers are more likely to be familiar with the Windows operating system, and therefore more skilled in creating malware tailored specifically to it.
- macOS is built on the foundation of UNIX
There are two points to note on this:
1. UNIX was developed first and has been around longer than Windows.
You know what they say about going around the block a few times: nothing much can shock you.
It could be argued that this is the case for macOS. If you trace back through macOS' ancestry – done here by Defrag This – it looks something like the following:
UNIX was created in 1969 – sixteen years before Windows was released in 1985. That extra time on the street could be a contributing factor to the misplaced belief that Macs run a more robust operating system.
2. Speaking of robustness, Apple highlights built-in security as a key feature of macOS, which, in the early days, may have lent some truth to the "Macs don't get malware" myth.
However, with the rise of increasingly complex malware and targeted, hands-on attacks, macOS and Windows are both susceptible to malware – built-in OS security alone is not enough to keep up.
Can I Order a Big Mac and Files Please?
The proof is in the (Apple) pudding: there have been more than a few Mac-attacks in recent years that have caused havoc on the macOS platform:
2016 – KeRanger Ransomware Trojan
2016 saw ransomware target macOS for the first time, in the form of OSX.KeRanger, delivered through an infected installer for Transmission (a BitTorrent client). BleepingComputer reported on the infection: after lying dormant for three days following installation, it would contact its command-and-control server, encrypt the user's files, and demand payment of 1 bitcoin for decryption. The malicious installer was able to infect around 7,000 Mac devices, because it was signed with a valid Apple developer certificate, meaning it passed Apple's built-in Gatekeeper checks – told you so!
2018 / 2019 / 2020 – Trojan-family Shlayer
Under the guise of an Adobe Flash Player installer – a tried and tested favourite – OSX.Shlayer was the biggest threat to macOS users from 2018 to 2019, and made a return to the macOS scene in 2020. Researchers at Intego did a breakdown of the malware, which, once installed on a Mac device, downloads adware and PUPs (potentially unwanted programs) and pushes fake search engines onto the user.
2020 – ThiefQuest File-Stealer
Just last month, BleepingComputer analysed ThiefQuest, file-stealing and data-destroying malware disguised as ransomware. Downloaded from mainstream torrent sites in the form of pirated apps, the compressed installer packages appear legitimate to the user but bundle malicious software and launch scripts alongside the genuine installers. Like ransomware, it encrypts files upon launch and creates a READ_ME_NOW.txt note instructing the user to pay a ransom of $50 to get their files back.
However, the ransom note raises two suspicions:
- There is no contact email provided – so how are victims supposed to reach the attacker after they've paid up?
- An identical, static Bitcoin address is used for every victim's payment – meaning the attackers have no way of telling which users have paid the ransom.
Based on these giveaways, and BleepingComputer's further analysis of the malicious code, it appears much more likely that ThiefQuest is stealing data under the guise of ransomware.
These three malware families alone prove that Mac-tailored malware isn't a myth, and threats like Shlayer and ThiefQuest are only going to surge – which is exactly what appears to be happening:
Mac-Attacks are On the Rise
For the first time, macOS threats are outpacing Windows threats.
Yes – you read that right.
Figure 1: Malwarebytes Labs 2020 State of Malware Report cover page and contents page 1 of 2.
Foreboding drumroll please:
Let’s delve into this statement:
- In 2019 Malwarebytes recorded an overall increase of more than 400% in macOS threat detections year on year. However, a portion of this increase is simply due to the growing number of Mac devices running Malwarebytes software.
- So instead, Malwarebytes focused on the number of threat detections per endpoint, which is independent of how many endpoints are reporting. On macOS, the average detections per endpoint more than doubled: from 4.8 in 2018 to a walloping 11.0 in 2019, an increase of 6.2 detections per endpoint.
- Not only does this sizeable increase indicate that the average threats per macOS device are on the up, it also reveals that macOS threats are exceeding Windows – and by no small margin. In 2019, the average number of threats per Windows endpoint was 5.8, less than half that of macOS:
Figure 2: Graph taken from Malwarebytes Labs 2020 State of Malware Report showing detections per endpoint, 2018-2019.
So, why the increase?
1. It could be put down to the increasing market share macOS is gaining worldwide, which makes it a growing and more appealing target for attackers – a bigger target means more damage, more data, and more potential financial gain:
Figure 3: Graph provided by StatCounter showing Desktop Operating System Market Shares Worldwide from 2009 - 2020.
2. Malwarebytes provides another possible reason for the drastic rise in threats per endpoint: macOS' built-in security measures do not address adware and PUPs to the same extent that they do outright malware.
This has clearly become a significant problem, as adware and PUPs make up the majority of the top 10 macOS threats for 2019 in the Malwarebytes report.
3. Which leads us to another factor that could make macOS a tastier-looking target for cyber criminals: the users. Apple Macs, along with other Apple products such as the iPhone, iPad, Apple TV and Apple Watch, are known for their easy-to-use graphical interface and minimalist design.
For this reason, it is arguably more likely that less technical staff in the workforce end up on Apple Macs.
Users with a lower level of technical skill could appear more attractive to attackers, who may perceive them as easy targets for the kind of social engineering (fake Flash installers, pirated apps) that Shlayer and ThiefQuest rely on.
Preventing Attacks on Macs: Control, Monitor, Audit
So what can you do about it?
We mentioned earlier that Admin By Request has the solution – and that’s not a myth in the slightest.
Admin By Request does everything a good PAM solution should do:
1. Controls what users have access to on their devices and the network.
Admin By Request revokes local admin rights (very subtly, of course) so that your end users only have the bare minimum privileges they need in order to do their job, with the software's user portal providing the tools to easily manage your users and adjust settings as needed.
When users do need to perform a task that requires escalated privileges, they can do so during an elevated session, which starts after a simple request from the user's device or after a PIN code is obtained from an IT admin. See the details under "3. Full Session Elevation" and "4. No Elevation, Elevation" in the product documentation.
Controlling user privileges this way means users can no longer simply download and install whatever software they like the way they could when they held local admin rights; this makes it much harder for a fake Flash installer or a trojanised pirated app to install malware onto your system.
2. Monitors privileged user actions and activity.
For requests, you can configure settings in the user portal so that users are required to provide a reason and wait for approval, with requests being sent in real time to both the web and mobile applications.
Because Admin By Request requires users to make a request when they want escalated privileges, no activity that could harm your network can take place without your say-so – and when (or if) you give the say-so, you have full visibility of everything that's going on, thanks to the software's logging capabilities – more on this below:
3. Can audit these actions and activity in the case of a security breach.
All elevated sessions are logged and displayed in the Admin By Request audit log, along with the details of what activity took place during the period of escalated privileges.
The audit log records the information you need when investigating suspicious activity, meaning potential security breaches and network infiltration are much more likely to be detected early and contained.
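Before rolling out any PAM tool, it is worth knowing how many local admin accounts your Macs actually have, since the whole "control" requirement above (and item 1 of the PAM 101 list) rests on taking those rights away. The script below is an added example for this post, not Admin By Request's code or output: it reads the membership of the local admin group from macOS Directory Services and reports every account that is not on an allowlist. The allowlist contents and the sample membership line are constructed for illustration; on a real Mac the `dscl` command supplies the live data.

```sh
#!/bin/sh
# Added example (not part of the original post): audit which local accounts
# hold admin rights on a Mac and flag the ones that should not.
#
# On macOS, `dscl . -read /Groups/admin GroupMembership` prints a line like:
#   GroupMembership: root admin alice bob
# Everything after the colon is a space-separated list of admin accounts.

# Assumption for this example: only these accounts are permitted to keep
# admin rights. Adjust to your own break-glass / IT accounts.
ALLOWED_ADMINS="root admin"

# Read dscl output on stdin, print each admin account that is NOT allowlisted,
# one per line. Prints nothing when every admin is approved.
unexpected_admins() {
    sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | while read -r acct; do
        [ -z "$acct" ] && continue
        case " $ALLOWED_ADMINS " in
            *" $acct "*) ;;            # approved admin, stay quiet
            *) echo "$acct" ;;         # unapproved local admin
        esac
    done
}

# Fetch live group membership on macOS; elsewhere (or when testing) fall back
# to a constructed sample line so the script still runs end to end.
admin_membership() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Groups/admin GroupMembership
    else
        echo "GroupMembership: root admin alice bob"   # constructed sample
    fi
}

main() {
    admin_membership | unexpected_admins
}

main
```

Run it as a standard user on each Mac; any account it prints is one that can install software, change system files or disable protections without any request or audit trail. The standard macOS command for removing an account from the admin group is `sudo dseditgroup -o edit -d <account> -t user admin`; the script above deliberately only reports, so that the removal step stays a conscious decision.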
But the real apple-teaser here is that Admin By Request is a cross-platform PAM solution: it offers a version for macOS as well as Windows, with no AD sync required.
Just to reiterate how sweet of a deal this is, here’s a real-life example:
Scenario: You have an organisation with 30,000 Windows devices and a grand total of 7 Apple Macs. You want comprehensive cyber security, and in fact, you’re required to cover ALL endpoints in order to be compliant.
Solution: You can get all of your endpoints – Windows or macOS – fully covered and compliant using Admin By Request as a single, easy-to-deploy PAM solution.
In a Macshell:
So if you're really serious about taking macOS security seriously – or you simply have a few Apples in your organisation that shouldn't be left out – this is your solution to protect all your endpoints before the threats get out of control.
Admin By Request is now offering a free plan for up to 25 endpoints to help you make the move towards a more secure and managed macOS environment – give it a go and get ahead of the next Mac attack.