Is your MacOS Safe?

Macs are safer, but…

We often hear that Mac users are less likely to be targeted by cybercriminals. This statement is true because of several reasons:

Apple’s macOS system is Unix-based, which makes it more difficult to exploit.
Hackers simply chose to attack more popular platforms. According to NetMarketShare, Windows accounts for over 88 percent of the market, compared to only 10 percent shared by Mac. That is why Windows users report more security incidents.
Apple does build effective security measures into macOS systems, including anti-virus software (e.g. Gatekeeper.) and password protections (e.g. iCloud Keychain) to prevent users from being attacked.

However, when people say that Macs are generally safer, they don’t mean Macs are invulnerable. On January 9, 2021, a macOS malware called Shlayer was detected abusing the zero-day vulnerability. This malware allows attackers to bypass Gatekeeper and install unapproved adware on Macs, earning money when a user clicks and views advertisements. This event proves that Macs do come under attack. Actually, we should make the fundamental assumption that any operating system will at some point be compromised, if not already.

In this blog, we will talk about how to keep your Mac safe with some best practices. But before that, let’s start with some common macOS vulnerabilities and threats.

macOS security vulnerabilities and threats

Technology is moving at a fast pace. To maintain security, we need to keep our knowledge updated. The CVE Details website is a good source of information about most known vulnerabilities for applications and operating systems. From the database, we can find the amount and severity of recent bugs and vulnerabilities in macOS.

To summarise, the biggest threats that vulnerabilities expose you to are unwanted programs, malware and compromised browsers.

Potentially unwanted programs (PUPs)

As noted in the Objective-by-the-Sea malware conference, around 20% of Macs are infected with Potentially unwanted programs or PUPs. PUPs are somewhat self-explanatory, being unrelated programs bundled with software you have downloaded. They are installed with your consent while quickly going through the installation process and, without carefully reading the End User License Agreement(EULA). PUPs may not be considered malicious or harmful but usually include annoying advertising, toolbars, and pop-ups. Hence they often employ huge amounts of system resources and slow down your operating systems.

Malware

AV-TEST Institute revealed that 674,000+ malicious programs were developed in 2020 to attack Apple computers, and the number is growing. Here are some of the most popular Mac malware.

Spyware is a computer program that hackers use to secretly follow your online activities and gather sensitive information. A type of spyware, a keylogger, records keystrokes when you type username and password and sends them back to the hacker’s server.
Ransomware is used by hackers to encrypt data on your computer then ask for payment to unlock them. KeRanger, for example, asked users to pay one Bitcoin for data recovery and it affected more than 7,000 Mac users. Unfortunately, there is no guarantee that your computer will be restored even if you pay the money.
Cryptojacker is a type of malware that uses your Mac’s resources like CPU and memory to mine cryptocurrencies (e.g. Bitcoins) for the attacker. Some cryptominers may also sniff the browsers’ cookies to steal victim’s crypto wallets.
Rootkit is a collection of malicious software designed to enable unauthorised access to a computer and often masks the existence of itself or other software. Rootkit is installed after an attacker has obtained root or Administrator access. Previously, macOS High Sierra had a vulnerability that could be exploited for a Rootkit attack, which Apple quickly patched after discovery.

MacOS can be infected by malware in different ways. For instance, clicking on a link contained in a phishing email will trigger the download of malicious programs. Sometimes malware can be embedded in a legitimate app and be installed with escalated privilege.

Compromised browsers

In 2019, Mozilla released a patch fixing zero-day vulnerabilities in Firefox that allowed code to break out of a security sandbox. Hackers exploited these vulnerabilities to install backdoors on Macs and gather account information from Mac users.

Browser hijacking was also observed with Apple Safari. People received a “pop-up phishing” message warning of a major security issue with the website and advised downloading certain tools to fix the problem or calling a fake phone number for support. Then the web browser can be infiltrated with malware after the victim installs malicious browser extensions or fake application updaters.

If your browser is infected, cyber criminals can replace your search engine home page or insert malicious code into the website Javascript. As a result, you may see continuously displayed advertisements or scam messages. What’s worse, your search history can be stolen and your privacy can be revealed.

How to protect your Mac

Macs can be attacked! So users should take action to protect their digital assets. Prevention, as a proactive way to mitigate risks, is one of the most effective methods to secure our Macs. In this section, we will look at some best practices to incorporate into your daily routine.

Patching

It is vital to keep your operating system or applications up to date. Patching, or updating, is a fix provided by the vendor to a vulnerability or bug and it addresses most of the zero-day attacks when a vulnerability is discovered. For example, in 2019, it was found that the Zoom app on Mac installed a web server, which allowed a web conference to begin without the user’s consent. Zoom released a patch for this vulnerability to prevent more Mac users from being affected.

You should pay particular attention to product updates from these important categories:

Applications that we use to interact with the Internet, such as browsers, browser extensions, and plugins
Applications that we use to read or edit downloaded and shared files
The macOS operating system. You probably would like to turn on “Automatically keep my Mac up to date” in the System Preferences > Software Update

If you install extra packages on macOS, it is recommended that you use Brew to manage those tools.

Brew can be installed in the Terminal using:

Browser security and privacy

Spending most of the time surfing the Internet, we need to ensure our web browser is safe. There are a few ways to secure Safari on Mac.

We can configure Safari with maximised privacy. Go to Safari > Preferences > Privacy and we can find several settings including website tracking, cookies and website data, Apple Pay and Apple card as well as web advertising. Checking “Prevent cross-site tracking” can prevent sharing search queries and cookies between websites, which in turn protects our privacy from being used by advertisers or hackers.

Safari allows us to surf privately to stop our website data or cookies from being saved or shared with other devices. To enable this, we can either use File > New Private Window or Shift+Command+N after launching Safari.

We may also clear website data manually by clicking on Safari > Clear History from the menu. And we use Safari > Preferences > Privacy > Manage Website Data to delete cookies and cache. By doing so, we can limit the ads displayed according to our browsing behaviour.

Turn on the Firewall

Mac has a built-in firewall to prevent unwanted inbound network connections. However, it may be switched off by default. As users, we should check the status by going to System Preferences > Security & Privacy and click on the Firewall tab. We can take one step further by clicking Firewall Options to see a list of applications that accept incoming connections. We can add or delete certain services in the configuration. We can also enable stealth mode to disable ICMP traffic or Ping, which helps our computers be invisible on public networks such as shared Wi-Fi.

MacOS’s Firewall offers protection from malware by shielding the computer from inbound traffic. However, the protection is limited because it doesn’t block outbound connections if a malicious program on the local computer tries to send a request to remote servers. Therefore, we may need additional tools or a third-party firewall to increase the security level.

PF (packet filter) firewall is a good option. It is developed for OpenBSD and it does firewalling in macOS and is comparable to iptables for the Linux system.

Use sudo to edit the configuration:

Know what’s going on in a more visible way

Now, imagine your organisation has many Apple devices or your employees access remotely to your network using their own Macs; things get more complex when you want to ensure all the endpoints are secured. To effectively monitor your security controls and get alerted when potential cyber attacks happen, you will need a SIEM (security information and event management) solution.

SIEM systems aggregate relevant security data from multiple sources and make them visible to users for investigation and analysis. For example, to get a comprehensive understanding of macOS security, we can gather system logs from the operating system, firewall logs from the PF firewall and security logs from IPS/IDS (Intrusion Prevention Systems/Intrusion Detection Systems) that are installed on the computer. The SIEM system enables us to correlate events to establish relationships and even use advanced analytics to do user and entity behaviour analytics (UEBA).

Elastic SIEM, a SIEM on the Elastic Stack, provides a powerful solution for security analysts to gather and visualise data in a central place. By installing agents (e.g. Beats) on the devices to collect logs and parse them into Elastic Common Schema (ECS), we can easily ship data from Mac to Elasticsearch for exploration, querying and analysis.

Elastic SIEM also has convenient built-in modules to triage events and perform initial investigations. Using Kibana, the front-end application, users can access the SIEM app to overview hosts performance and network events.

We can also use prebuilt rules in Elastic SIEM to create detection and trigger alerts. Some macOS-related rules look at logs generated from Mac and check on specific circumstances to detect possible attacks. For example, a built-in rule will check whether there is an action to collect the keychain storage data from a system. Since keychains are used for macOS to keep track of users’ credentials, including passwords, security notes and certificates, it is critical to ensure unauthorised parties do not acquire keychain data.

Like most advanced SIEM systems, Elastic SIEM also enables security orchestration, automation and response (SOAR) by integrating with incident response platforms such as TheHive.

The SOAR approach, as implied by its name, can organise different products in a single stack, automate repetitive threat detection processes and respond to these threats in real-time using playbooks. For instance, after aggregating data from multiple mac devices, Elastic SIEM flags a suspicious file as malware. Next, an alert is created in TheHive platform as a case and the investigation process begins. SOAR enables the automated retrieval of threat intelligence data so the Analyzer components in TheHive could check IOC (Indicators of Compromise) to validate the alert. Once the type and scope of threats has been identified, SOAR will take action to reduce the impact of attacks including isolating the host in the network, stopping the file execution as well as tracking IOCs for future forensics. In short, with SOAR security analysts can make quicker and better decisions because the alert noise will be largely reduced.

Conclusion

Even though macOS is regarded as safe and robust, we as users still need to mitigate the risk of cyber attacks. Some known vulnerabilities such as malware and PUPs can be prevented by regular patching and correct security settings. However, as more and more people are suffering from unknown or zero-day attacks, we need a holistic view to proactively detect anomalies and swiftly respond to alerts.

Elastic SIEM, for example, can be used to aggregate data from different sources including, operation systems logs and network security logs, which support security analysis based on normalised data. Read more here about how a centralised detection and response solution can be utilised to effectively protect your endpoint devices and even a broader IT environment.

Skillfield are here to help assess your digital assets and deploy security solutions. Contact us today to start a conversation on how to stay safe in daily life and daily work.

References

Author: Astrid Liu