Increased Enterprise Use of iOS, Mac Means More Malware
Lax Apple Device Security Could Be Costly For Enterprises: Experts Offer Mitigation
Once, Apple devices were associated with home users and the creative industries, but today their use in the enterprise is more pronounced. Malicious actors have noticed the growing adoption of iOS and macOS platforms in the enterprise and, as a result, viruses and malware for MacBooks - once a rarity - are becoming more common.
Growing Footprint
According to IDC, macOS devices were used in 23% of U.S. enterprises in 2021, iPhones accounted for 49% of business smartphones and iPads were the most-used tablets in the workplace.
"Growth in Mac usage among business users, especially for employees working remotely and given their choice of PC device, is pushing more businesses to formally adopt management tools and strategies around macOS, along with iOS/iPadOS and tvOS," said Phil Hochmuth, program vice president, enterprise mobility and client endpoint management, IDC, Boston.
Alcyr Araujo, founder and CEO of Mosyle, a Florida-based provider of MDM and Apple enterprise security solutions, tells Information Security Media Group that a new generation of workers is embracing Apple devices, especially in startups. He says that in 10 to 15 years, "Apple devices will be highly relevant in the enterprise."
While there is a perception that Apple devices are inherently secure, treating them as secure by default and neglecting to harden them could be a costly mistake for enterprises. Apple devices must be included in security assessments and audits, just as other devices, data and resources within the enterprise are.
Increasing Threats
As adoption of macOS has increased, so has the prevalence of malware targeting Apple's desktop OS. Just last month, two new vulnerabilities, CVE-2022-22674 and CVE-2022-22675, were widely reported as being exploited in the wild in multiple Apple products. They could enable an attacker to take control of the affected device with root code execution privileges. CVE-2022-22675 was found in Apple iOS and iPadOS up to 15.4.0 and classified as critical. According to VulDB, the issue affects unknown code in the AppleAVD component, and manipulation with unknown input leads to memory corruption.
Apple responded in a few hours with an advisory and patches for macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1. But Apple was criticized by some commentators for not making the patch available for older Mac computers running macOS Catalina and Big Sur.
This incident should alert enterprises with employee Mac endpoints that they must ensure patches and upgrades are applied as soon as they are available, and that they must know when a vulnerability is not being fixed for the OS versions they run. Identity management and access control also need to be addressed.
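A fleet check of the kind the previous paragraph calls for, written as an added example for this article (it is not code from Apple, VulDB or any MDM vendor): given an inventory export, it flags devices still below the fixed builds named above (macOS Monterey 12.3.1, iOS 15.4.1, iPadOS 15.4.1) and, separately, Macs on the branches the article says received no patch (Catalina, Big Sur), which cannot be made compliant by updating in place and need a migration plan instead. The inventory records, serial numbers and the `audit`/`classify` helper names are constructed for illustration.

```python
"""Patch-compliance audit against the April 2022 Apple advisory versions.

Added example (not from the article or any vendor). Inventory rows are
constructed sample data in the shape a typical MDM export provides.
"""
from typing import Dict, List, Tuple

# Fixed versions from the advisory as reported in the article.
FIXED: Dict[str, Tuple[int, ...]] = {
    "macOS": (12, 3, 1),
    "iOS": (15, 4, 1),
    "iPadOS": (15, 4, 1),
}

# Any macOS major below 12 (Big Sur is 11, Catalina is 10.15) did not get
# the fix, so an in-place update cannot bring these devices into compliance.
FIRST_PATCHED_MACOS_MAJOR = 12


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.3', '15.4.1' or '12.3.1 (21E258)' into a 3-part tuple."""
    number = text.strip().split()[0]          # drop a trailing build id, if any
    parts = tuple(int(p) for p in number.split("."))
    return parts + (0,) * (3 - len(parts))    # pad so '12.3' < '12.3.1' compares correctly


def classify(record: dict) -> str:
    """Return one of: compliant, needs_update, unpatched_branch, unknown_os."""
    os_name = record["os"]
    if os_name not in FIXED:
        return "unknown_os"                    # e.g. Android: out of scope here
    version = parse_version(record["version"])
    if os_name == "macOS" and version[0] < FIRST_PATCHED_MACOS_MAJOR:
        return "unpatched_branch"
    return "compliant" if version >= FIXED[os_name] else "needs_update"


def audit(inventory: List[dict]) -> Dict[str, List[str]]:
    """Group device serials by compliance status, preserving inventory order."""
    report: Dict[str, List[str]] = {
        "compliant": [], "needs_update": [], "unpatched_branch": [], "unknown_os": []
    }
    for record in inventory:
        report[classify(record)].append(record["serial"])
    return report


# Constructed sample inventory (serials and versions are made up).
SAMPLE_INVENTORY = [
    {"serial": "C02-0001", "os": "macOS", "version": "12.3.1 (21E258)"},
    {"serial": "C02-0002", "os": "macOS", "version": "12.3"},
    {"serial": "C02-0003", "os": "macOS", "version": "11.6.5"},   # Big Sur: no patch
    {"serial": "C02-0004", "os": "macOS", "version": "10.15.7"},  # Catalina: no patch
    {"serial": "DX-1001", "os": "iOS", "version": "15.4"},
    {"serial": "DX-1002", "os": "iOS", "version": "15.4.1"},
    {"serial": "DX-2001", "os": "iPadOS", "version": "15.5"},
    {"serial": "AND-3001", "os": "Android", "version": "12"},
]

if __name__ == "__main__":
    for status, serials in audit(SAMPLE_INVENTORY).items():
        print(f"{status:17} {', '.join(serials) or '-'}")
```

The `unpatched_branch` bucket is the one that matters most operationally: a ticket to "apply the update" does nothing for those machines, so they should be tracked separately as an OS-upgrade or hardware-refresh item and, until then, given compensating controls.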
Other examples of malware targeted at macOS and iOS devices include:
GIMMICK
Volexity discovered this malware variant in late 2021 after detecting internal port-scanning activity from a system running frp, or fast reverse proxy. The traffic was determined to be unauthorized and was coming from a MacBook Pro running macOS 11.6 (Big Sur). The system was immediately isolated for forensic analysis.
Volexity researchers determined that this malware was being used in targeted attacks by Storm Cloud, a Chinese espionage threat actor active across Asia, but that it had not been written specifically for macOS. They traced the attack back to IPStorm, a malware botnet first spotted last year targeting Windows systems that has since evolved to infect other platforms, such as Android, Linux and Mac devices.
Cryptomining
Malicious actors are also tapping Mac's computing power for cryptomining. In February, Trend Micro found that a coinminer sample sourced in early January 2022 uses several modified open-source components.
The sample used i2pd - a C++ implementation of the Invisible Internet Protocol client - to hide its network traffic. Trend Micro says the use of i2pd in a Mac malware sample is new.
Silver Sparrow
Priyanka Kulkarni-Joshi, cybersecurity specialist at investment banking firm UBS, Pune, India, says she encountered client incidents with Silver Sparrow, a payload-less malware compiled to execute natively on Apple Silicon chips. She also cites XcodeSpy malware for macOS, which spreads via malicious Xcode projects. It installs a custom Eggshell backdoor.
Derivative Malware
Some experts tell ISMG that malware targeting Apple devices consists mainly of variants of malware created for other platforms. "I believe the number of Apple-only malware is still not alarming. We can see more versions of the same malware as an attempt to evade any kind of control that solutions would be able to have on those devices. And I believe it's a consequence of the growing number of Apple devices in the enterprise," says Mosyle's Araujo.
Patrick Wardle, founder of Hawaii-based Objective-See, tells ISMG that the malware examples affecting macOS are not "wholly new" but are derivatives of existing malware. "Driven by the increased prevalence of macOS, malware authors have ported over their Windows or Linux malware. Recent examples include Dacls, IPStorm and GravityRAT. All now run natively on macOS," he says, adding that Mac-specific malware does exist and is increasing "in both prevalence and sophistication."
Writing malware specifically for Apple devices requires a different approach, because of the platform's OS security framework and built-in protections such as app sandboxing, System Integrity Protection and the built-in anti-malware tool XProtect.
Vancouver-based Chester Wisniewski, principal research scientist at Sophos, tells ISMG that attacks targeting Apple devices have been slowly increasing for 15 years. "There is nothing dramatic about the current level of macOS and iOS malware, just a steady increase as their popularity has increased. Unlike PC attacks, attacks on Apple are often more targeted and sophisticated as some of the world's most valuable targets - journalists, politicians and celebrities - prefer Apple devices."
Wisniewski says he has not observed any ransomware attacks specifically targeting Apple devices. "I can't say there aren't any, but if there are, it is a very small number that isn't having enough impact to be noticed," he says.
"Even if Apple devices account for only 2% of an enterprise's endpoints, that is still a potential unprotected threat vector. The same device hygiene used on Wintel and Linux devices should be applied to Apple devices," says Tari Schreider, strategic adviser, Aite-Novarica Group.
CISO Perspectives and Actions
A Single Device Standard
Enterprises are now addressing the issue of malware targeting Apple endpoints. New York-based Anand Atre, deputy chief security officer at Crux Informatics, says his company has "standardized on macOS as the sole environment" for its employee device program. He says users can choose their own mobile devices, and most of them choose either iOS or Android devices.
According to Atre, having a single device standard is "a fundamental step in securing the new normal remote work environment," and macOS was chosen "based on user preference, suitability for our core workloads and well-known inherent security benefits."
As for securing those devices, "User awareness is vital," Atre says, "from understanding acceptable use to security training and testing." He says his company uses Apple's native security features and has implemented "a robust management platform with MDM, extended detection and continuous monitoring."
MDM Solution
Chris Wallace, former CTO for the Carolina Cyber Center, North Carolina, and Buncombe County’s first CISO, says the county recently opted for Apple devices because they are easier to manage. He says the county government used an MDM solution mostly to enforce passcodes and lock timeouts. "Some staff were provided company devices which were full MDM for company use only. Other staff were BYOD, and MAM was used to manage company apps."
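The passcode and lock-timeout enforcement described above is delivered through a configuration profile, so the following added example (mine, not Buncombe County's or any MDM vendor's configuration) builds one with Python's `plistlib` using Apple's passcode payload type `com.apple.mobiledevice.passwordpolicy` and its documented keys (`forcePIN`, `allowSimple`, `minLength`, `maxInactivity`, `maxFailedAttempts`), then checks an arbitrary profile against a minimum baseline. The baseline numbers, organization name and profile identifier are constructed for illustration.

```python
"""Build and audit a passcode / lock-timeout configuration profile.

Added example, not the county's or any MDM vendor's code. The payload type
and keys are Apple's documented passcode payload; the baseline values are
constructed for illustration.
"""
import plistlib
import uuid
from typing import Any, Dict, List

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Constructed baseline: the minimum an enrolled device must enforce.
BASELINE = {
    "minLength": 8,           # passcode characters
    "maxInactivity": 5,       # minutes of idle time before the screen locks
    "maxFailedAttempts": 10,  # bad entries tolerated before the device locks/wipes
}


def build_profile(org: str, identifier: str, min_length: int = 8,
                  max_inactivity: int = 5, max_failed: int = 10) -> bytes:
    """Return a .mobileconfig (XML plist) carrying one passcode payload."""
    payload: Dict[str, Any] = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,           # a passcode is mandatory
        "allowSimple": False,       # no repeating/sequential passcodes
        "minLength": min_length,
        "maxInactivity": max_inactivity,
        "maxFailedAttempts": max_failed,
    }
    profile: Dict[str, Any] = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} passcode and lock timeout",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def check_profile(profile_bytes: bytes) -> List[str]:
    """Compare a profile against BASELINE; an empty list means it passes."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not payloads:
        return ["no passcode payload present"]
    findings: List[str] = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("forcePIN not set: passcode is optional")
        if p.get("allowSimple", True):          # Apple's default is permissive
            findings.append("allowSimple not disabled: simple passcodes permitted")
        if p.get("minLength", 0) < BASELINE["minLength"]:
            findings.append(f"minLength below {BASELINE['minLength']}")
        inactivity = p.get("maxInactivity")
        if inactivity is None or inactivity > BASELINE["maxInactivity"]:
            findings.append(f"maxInactivity missing or above {BASELINE['maxInactivity']} minutes")
        attempts = p.get("maxFailedAttempts")
        if attempts is None or attempts > BASELINE["maxFailedAttempts"]:
            findings.append(f"maxFailedAttempts missing or above {BASELINE['maxFailedAttempts']}")
    return findings


if __name__ == "__main__":
    good = build_profile("Example County", "com.example.mdm.passcode")
    weak = build_profile("Example County", "com.example.mdm.passcode",
                         min_length=4, max_inactivity=15)
    print("baseline profile findings:", check_profile(good) or "none")
    print("weak profile findings:", check_profile(weak))
```

The checker is the useful half: profiles pushed by an MDM tend to drift over time as exceptions are added, and running `check_profile` over an exported profile on each change catches a weakened key (or a missing one, where Apple's default is the permissive value) before it reaches the fleet.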
Jamf and Zscaler
Michael Everall, group CISO at IT provider YNV Group in London, says his previous organization, 10x Banking, moved from a Windows landscape to "a very Apple-centric model." Everall says the company was "heavily invested" in cloud infrastructure, O365 and AWS, so it initially tried to manage the Apple estate via Intune. "It didn't scale terribly well or provide the granularity of controls we required," he says, "so we moved to Jamf Pro along with Zscaler to provide us with tight cloud-based restrictions and move toward a zero trust access to cloud infrastructure, such as GitHub." Everall says the developer community was a big driver for the move to Apple.
Schreider says it is important for CISOs to understand Apple's endpoint security framework, leveraging APIs to integrate with existing vulnerability monitoring and response systems such as SIEM and SOAR. "CISOs would be wise to consider the same risks associated with Dropbox as extant with Apple iCloud and look at their firewall options. Vulnerability scanning and anti-malware solutions are readily available for Apple's portion of the attack surface. The best recommendation I can provide a CISO that may have some bad Apples in their enterprise is to treat them the same as any other devices regarding security protocols," he says.
Call to Action for Enterprises
macOS and iOS devices have been perceived to be very secure out of the box, due to the tight integration between hardware, software and services in the Apple ecosystem. Apple is also known for its strict validation of apps on the App Store, resulting in fewer malicious apps than are seen on the Google Play Store. But vulnerabilities in the software are occasionally exposed, thanks in part to Apple's generous bug bounty program. As with CVE-2022-22674 and CVE-2022-22675 mentioned earlier, the company is usually quick to respond with patches and updates; it also provides plenty of documentation with security advice for businesses.
"One of the myths I commonly hear is that Apple device fleets are inherently secure. And, to some extent, there is a thread of truth in that sentiment. Apple technology is designed to intertwine its hardware, software and services as a secure architectural mesh. However, as we're learning from recent iOS threat disclosures, Apple devices have been, and can be, compromised. I have had more than one enterprise exclude their Apple devices from security assessments, believing that there is nothing further that can be done to secure these devices," Schreider says.