January saw the start of a new decade, one that promises to be full of new technologies, better and faster access to the internet and lots (and lots) of new connected devices! But device-wise, it might be time to let go of some preconceived safety notions before flashing the cash: the latest State of Malware Report released by Malwarebytes suggests that the cybercrime industry has grown up.
Not only are cybercriminals showing more sophistication in their methods, they have also, surprisingly, shifted a growing share of their effort towards Mac devices. In fact, Mac threat detections rose by more than 400% year-over-year, with an average of 11 threats per Mac endpoint, almost double the 5.8 threats per endpoint seen on Windows.
The owners of iMacs and MacBooks have never considered themselves priority targets for cybercriminals, due to their lower user numbers and Apple's organisational efforts to protect its customers, but the times have changed. According to Thomas Reed, one of the report’s contributors: “There is a rising tide of Mac threats hitting a population that still believes that ‘Macs don’t get viruses.’ I still frequently encounter people who firmly believe this, and who believe that using any kind of security software is not necessary, or even harmful. This makes macOS a fertile ground for the influx of new threats, whereas it’s common knowledge that Windows PCs need security software.”
To make matters worse, the threats are not limited to Apple computers; iPhones and smart devices aren’t safe from malware either. There have already been a number of widely publicised instances of iPhones being hacked, most notably that of Jeff Bezos in 2018.
Luckily for Apple, the brand is so far ahead when it comes to reputation management that it has weathered the blows with hardly any loss of market share. But as Apple’s market share grows, it draws more cybercriminals to the platform, and they are actively developing malware for the OS.
We are already witnessing a rise in phishing and social engineering scams in which attackers go after a victim’s Apple ID in order to sell it on to other criminals. Since an Apple ID gives access to the user’s whole footprint on Apple’s infrastructure, a stolen one is easy to monetise. Experts are also warning governments, and especially financial institutions, to be aware of possible targeted attacks, which can be far-reaching and extremely damaging, arriving via the personal devices that employees bring onto the premises during working hours. Instances of “juice jacking” are also on the rise as more and more of us use public USB ports to charge our devices; a USB port carries data as well as power, so a charge-only cable or your own charger is the simple defence.
Experts predict a massive rise in the number of targeted attacks during 2020 and have been reviewing the macOS and iOS attacks of previous years for an indication of what we can expect. Given the current personal and national financial picture, most believe the majority of targeted attacks will focus on the financial sector and government institutions. Some of the most notable previous targeted attacks included:
It seems as if developers got ransomware under control just in time to see the trends shift: cryptojacking has arrived, and it is among the most aggressive forms of cybercrime being committed today. The Skygofree spyware (an Android implant, though it is often discussed alongside the Apple threats below) can eavesdrop on WhatsApp messages, drain data from the phone and open a reverse shell module on the hacked device, giving the attacker full control of it.
Victims were infected via man-in-the-middle attacks that drove them to landing pages imitating their mobile carrier’s website. Once on the page, the user was asked to update the phone’s software, and that fake update delivered the infection.
The activities of Sofacy, a remarkably professional cyber-espionage group, are closely monitored by governments and private organisations alike. One of its favourite tools is XAgent, a family of malware built on a common code base, with each variant ported to infect a specific OS, including iOS and macOS. And they target everyone. Luckily, we have plenty of means to stop them from getting into networks. The most recently detected iOS versions of this malware appeared around the end of 2014 and the beginning of 2015, so it seems as if mobile devices are getting some time off for the moment.
While investigating the Skygofree implant, researchers started looking for other malware campaigns that built on the Intrepidus Group’s study of Apple’s MDM (mobile device management) system to compromise iOS devices. This turned up quite a few servers involved in similar campaigns, active since 2017 and presumably belonging to the Bahamut group.
North Korea’s Lazarus group has turned its attention to cryptocurrency, both cryptojacking and outright theft from exchanges and traders. Cryptojacking is malware that hides on a device and steals its computing resources to mine for online currencies such as Bitcoin. In 2018 the group was linked to a campaign called “AppleJeus.” What made it unique was that it was the first time the Lazarus group had targeted macOS. In essence, the campaign was built to exploit a high level of trust among possible victims by means of a fake cryptocurrency company: the malware was delivered through a fake website and a trojanised trading app called JMTTrading.
In 2018, Manuscrypt, malware used exclusively by the Lazarus group against the cryptocurrency and financial sectors, was found engaged in suspicious activity in Turkey, Asia and Latin America. The newly discovered Manuscrypt samples were noticeably different from those uncovered in previous campaigns, so they were given a new name: Threatneedle.
The Windshift group focuses primarily on highly targeted cyber-espionage campaigns against Middle Eastern commercial and government entities. One of the group’s custom macOS backdoors, named Windtail, was identified in 2018. It typically reaches the victim as an email with an attached .zip file containing an application disguised as an Office document; opening the “document” launches the backdoor.
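The Windtail delivery trick above (a .app bundle named so that it passes for a document) can be caught before anyone double-clicks it. The following Python is an added example, not code from the article or from any vendor: it inspects a zip attachment without extracting it, lists every .app bundle inside and flags those whose name mimics a document or whose Contents/MacOS/ holds a Mach-O executable. The archive contents are constructed for the demonstration and do not come from a real sample.

```python
import io
import os
import zipfile
from typing import Dict, List, Optional

# Document extensions an attacker might place before ".app" so that Finder,
# which hides the .app suffix by default, shows something like "Q4 Financials.docx".
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}

# First four bytes of Mach-O thin (32/64-bit, either byte order) and fat binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def bundle_root(entry_name: str) -> Optional[str]:
    """Return the outermost path component ending in '.app', or None."""
    for part in entry_name.split("/"):
        if part.lower().endswith(".app"):
            return part
    return None


def find_app_bundles(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Inspect a zip archive in memory (nothing is extracted to disk) and describe
    every .app bundle inside: whether its name mimics a document (e.g.
    'Report.docx.app') and whether Contents/MacOS/ contains a Mach-O executable."""
    findings: Dict[str, Dict[str, object]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Skip Finder's resource-fork shadow tree; it never holds the real binary.
            if name.startswith("__MACOSX/"):
                continue
            root = bundle_root(name)
            if root is None:
                continue
            f = findings.setdefault(root, {
                "bundle": root, "doc_lookalike": False,
                "has_executable": False, "macho": False,
            })
            stem = os.path.splitext(root)[0]  # strip ".app" -> "Q4 Financials.docx"
            if os.path.splitext(stem)[1].lower() in DOC_EXTENSIONS:
                f["doc_lookalike"] = True
            if "/Contents/MacOS/" in name and not info.is_dir():
                f["has_executable"] = True
                with zf.open(info) as fh:
                    if fh.read(4) in MACHO_MAGICS:
                        f["macho"] = True
    return list(findings.values())


def is_suspicious(finding: Dict[str, object]) -> bool:
    """A bundle posing as a document, or any bundle shipping a Mach-O executable
    inside a mailed zip, deserves a closer look before it is opened."""
    return bool(finding["doc_lookalike"] or finding["macho"])


def build_sample_zip(include_app: bool = True) -> bytes:
    """Constructed sample for this demo (not a real malware sample): a zip holding a
    harmless document and, optionally, an app bundle named to pass as one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Cover letter.pdf", b"%PDF-1.4 placeholder")
        if include_app:
            app = "Q4 Financials.docx.app"
            zf.writestr(f"{app}/Contents/Info.plist",
                        "<plist><dict><key>CFBundleExecutable</key>"
                        "<string>Q4 Financials.docx</string></dict></plist>")
            # 64-bit little-endian Mach-O magic plus filler stands in for a real binary.
            zf.writestr(f"{app}/Contents/MacOS/Q4 Financials.docx",
                        b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
            zf.writestr(f"{app}/Contents/Resources/icon.icns", b"icns")
            # AppleDouble shadow entry that a Finder-made zip would also contain.
            zf.writestr(f"__MACOSX/{app}/Contents/MacOS/._Q4 Financials.docx",
                        b"\x00\x05\x16\x07")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_app_bundles(build_sample_zip()):
        verdict = "SUSPICIOUS" if is_suspicious(finding) else "ok"
        print(f"{verdict}: {finding}")
```

The check deliberately reads only the first four bytes of each executable rather than trusting the file name, since the name is exactly what the attacker controls; a mail gateway or endpoint script can apply the same logic to every .zip attachment before it reaches a user.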
FinSpy is commercial spyware that collects a wide range of a user’s private information and exists for almost every platform; it belongs to one of the most common malware categories, spyware. The latest activity was recorded in Myanmar in June 2019, and researchers believe several hundred unique mobile devices have been infected to date. The malware collects GPS location, contacts, emails, all files and photos, SMS and MMS messages, recordings of phone calls and all the data from the most popular messaging apps. On iOS it can only be installed on a jailbroken device.
It does seem as if Apple is taking the new threats to its devices seriously. The company recently opened its bug bounty programme to all security researchers to encourage them to report vulnerabilities, with rewards of up to $1.5 million on offer.
The hope is that the bounty will encourage researchers to report flaws to Apple rather than sell them to criminals, making its products considerably safer. You can also keep your Mac relatively safe by following these steps:
To reduce corporate risk, companies should implement security awareness training and use dedicated security products. Now more than ever, it is important that security teams keep up to date with the new and emerging tactics, techniques and tools used by cybercriminals.