One of the most important aspects of an enterprise security program is adapting to new threats. Keeping up to date...
with evolving attack methods and malware techniques can help IT teams prioritize what is necessary and what is practical for enterprise security.
This is where internal and industry reports on incident and threat data are most useful. For example, Malwarebytes recently blogged about an increase in malware attacks against Mac platforms and how enterprises should prioritize Mac security.
In this tip, we'll take a closer look at the reported threats and the different enterprise defense techniques for Mac systems.
A closer look at the Mac malware report
The Malwarebytes report describes the high-level aspects of four Mac malware attacks reported early this year, including the following:
- OSX/MaMi has functionality for persistence and performs man-in-the-middle attacks via the domain name system. It also installs a fraudulent root CA certificate. While it's not particularly advanced, it appears to be a port of Windows malware for Mac.
- Dark Caracal is written in Java, so it can be used against any computer that executes Java code. It is an immature remote access tool that appears to be used by nation-state actors, but it only works on systems with Java installed -- so it shouldn't affect most systems running macOS 10.7 and later, as those versions no longer install the Java runtime by default.
- Creative.Update is distributed through a supply chain via a compromised third-party software distribution website. The malware is bundled with what appear to be legitimate apps that seem to run normally while they mine Monero cryptocurrency.
- OSX/Coldroot is a generic backdoor that doesn't work on Macs running current versions of macOS, including macOS 10.11 and later.
Enterprise defenses for Mac
Enterprise defenses against Mac malware look very similar to Windows-based tools, as the network defense will most likely protect endpoints regardless of which operating system the endpoint runs on. Macs have a built-in antivirus protection tool, XProtect, which can block some malware, but it is not as fully featured as commercial endpoint security tools, so implementing a third-party endpoint security tool could help block two of the malware attacks described by Malwarebytes.
Installing software from approved app stores and keeping the OS and software updated may block the other two strains of Mac malware that Malwarebytes identified. However, without knowing how malware got on an endpoint, it can be difficult to determine what other security controls can be used as part of a layered defense against the malware, which is a common issue.
There is also the question of how to avoid being attacked. While we would all like to avoid being attacked, it's virtually impossible to control an attacker's target. Enterprises might be able to prevent opportunistic untargeted attacks, but if an attacker specifically targets an enterprise, it can be difficult to stop. What most enterprises can do is implement security controls that can detect, respond and protect against attacks.
As a whole, Mac security receives less attention than Windows security, which can cause a false sense of security for users and can cause them to not take sufficient caution when using their computers. Enterprises and individual users need to maintain awareness that Macs -- just like any other systems -- are vulnerable to various security issues.
While news and industry reports can be alarming at first, assessing how the report applies to your enterprise and then implementing any necessary improvements can help ensure your enterprise effectively manages IT security-related risks.