It is increasingly rare these days to speak to a customer who is not aware of the need for Mac OS protection, although I’m sure those of you reading this will have come across at least a few in your time. Like all great myths, the idea that Macs don’t need protection contains a small element of truth, and one thing Apple is great at is marketing.
Ah, the good old days! If only the number of “viruses” were still this low!
This ad from 2006 can still be seen here, so perhaps it is unsurprising that some misconception around Apple Mac devices and security in the workplace still persists; ads such as these linger in the mind. So, let’s take an up-to-date look at Mac threats and what Sophos can now do to provide visibility and protection against them.
The truth is that, proportionally, there isn’t as much Mac malware in the wild as we see on Windows. However, there is certainly enough to be getting on with! A list of current OSX-specific detections from SophosLabs can be seen here.
Apple is also aware of OSX threats, and has been for some time, which is why current versions of OSX come with a client firewall and a security feature called Gatekeeper. Gatekeeper checks the code signature of a downloaded application before it is first run and blocks apps that are not signed by an identified developer, which helps prevent users from running malware picked up from compromised web sites. Unfortunately, Mac users are also very good at installing all sorts of “interesting” applications and tend to override or ignore Gatekeeper, rendering it useless. Back in 2016 we saw OSX/Keydnap allow cyber criminals to remotely access a Mac and use it as a beachhead for a more widespread attack on the organisation. It was also able to get past Gatekeeper because the compromised “Transmission” app that carried it had been signed with a legitimate Apple Developer ID certificate, so the signature check that Gatekeeper relies on was satisfied.
For close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS. The first specimens of this family fell into our hands back in February 2018, and we have since collected almost 32,000 different malicious samples of the Trojan and identified 143 C&C server domains.
A more current example is a new variant of this Trojan that is specifically designed to circumvent macOS Catalina’s security measures; Intego, who discovered the malware, describe it in their security blog, here.
It is hard to talk about endpoint security without mentioning ransomware these days and, as you might have guessed, Macs are no exception. Indeed, this summer security researchers discovered a new ransomware strain targeting macOS users named OSX.ThiefQuest (or EvilQuest). Security researcher Patrick Wardle published an in-depth analysis of the malware in his security blog, observing that, as well as encrypting the victim’s files, ThiefQuest installs a keylogger, opens a reverse shell, and steals cryptocurrency wallet-related files from infected hosts.
The Bigger Picture
At an organisational level a Mac should be seen for what it is: just one more endpoint that an attacker could compromise. Increasingly we are seeing more targeted attacks and adversaries “living off the land”. If a criminal can steal credentials via phishing or brute force, it doesn’t matter all that much which OS you are running: they can potentially use your own internal tools, file shares and protocols against you. What does matter is being able to detect a breach and having tools to see what a cybercriminal or insider threat may be doing and how they are doing it, so you can mitigate and protect against that threat.
This is where the need for Endpoint Detection and Response (EDR) tools comes into play.
As of September 15th, we have made Intercept X Advanced with EDR available for Macs. This allows your customers not only to have Intercept X protecting them against the latest threats, including Mac ransomware, but, with EDR, also gives them the visibility they need across their entire estate, which as of now includes Windows, Mac and Linux!
EDR for Mac includes both Live Query and Live Response. Live Query leverages osquery technology to query all the assets in your estate in real time, so these tools can be used to investigate a threat or simply to get better visibility of your estate. To learn more about how the EDR product works, look at the following release article.
The EDR release on Mac gives you full cross-estate visibility and, as well as providing the tools to do threat hunting, can be used for day-to-day admin tasks.
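To make the Live Query point concrete, here are three osquery queries of the kind you could run against a Mac from the EDR console: one that checks whether Gatekeeper is actually enforcing (the caveat raised earlier), one that hunts the launchd persistence used by families like Shlayer, Keydnap and ThiefQuest, and one that looks for the reverse shell that ThiefQuest opens. They are added examples written for this post, not Sophos’ canned queries, and they assume Live Query passes SQL straight through to the standard osquery macOS tables (gatekeeper, launchd, signature, processes, process_open_sockets). The list of shell and interpreter names in the last query is a constructed watchlist to start from, not a definitive one.

```sql
-- 1. Is Gatekeeper actually enforcing?
--    assessments_enabled = 0 means someone has disabled it (spctl --master-disable);
--    dev_id_enabled = 0 means only App Store apps are allowed.
SELECT assessments_enabled, dev_id_enabled, version, opaque_version
FROM gatekeeper;

-- 2. Persistence: launchd jobs whose program is unsigned, or signed by anyone
--    other than Apple. The signature table needs a path constraint, and the
--    join on l.program supplies it. Jobs that only set program_arguments
--    (no "Program" key) come back with NULL signature columns and need a
--    manual look rather than being written off.
SELECT l.label, l.path AS plist, l.program, l.program_arguments, l.username,
       s.signed, s.authority, s.team_identifier
FROM launchd AS l
LEFT JOIN signature AS s ON s.path = l.program
WHERE s.signed IS NULL
   OR s.signed = 0
   OR s.authority NOT IN ('Software Signing', 'Apple Mac OS Application Signing')
ORDER BY l.path;

-- 3. Reverse shells: a shell or scripting interpreter holding a socket to a
--    remote host, reported with its parent so the spawning process is visible.
--    Loopback and wildcard addresses are excluded to cut local noise.
SELECT p.pid, p.name, p.path, p.cmdline, p.parent,
       pp.name AS parent_name, s.remote_address, s.remote_port
FROM processes AS p
JOIN process_open_sockets AS s ON s.pid = p.pid
LEFT JOIN processes AS pp ON pp.pid = p.parent
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::')
  AND p.name IN ('bash', 'sh', 'zsh', 'python', 'python3', 'perl', 'ruby',
                 'nc', 'ncat', 'osascript');   -- constructed watchlist; extend as needed
```

Run each query across the whole Mac estate rather than one machine: a single host with Gatekeeper off or an unsigned LaunchDaemon is a support ticket, the same finding on twenty hosts is an incident. Expect some legitimate hits in query 2 (third-party Developer ID agents such as backup or update helpers); the team_identifier column is the quickest way to tell a known vendor from an unknown one.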
As great as EDR tools are, we realise that not all customers and partners have the time or expertise to use them for active threat hunting. That’s why, a few months back, we released our Managed Threat Response service, which allows you and the customer to take advantage of all the great EDR tools but leave the threat hunting to Sophos’ team of threat hunters, providing 24/7 cover of your customer’s estate.
For an overview of the protection you can offer your customers with a Mac estate, please refer to the following datasheet or reach out to your account manager.