Defending MacOS Against Sophisticated Attacks

Posted: 14th April 2022
Defending MacOS Against Sophisticated Attacks

Our guest today is Phil Stokes. He’s a security researcher at SentinelOne, where he specializes in the analysis of attacks against MacOS.

In our conversation, Phil shares his professional journey, how he came to focus on the Mac platform, as well as insights on the state of security on Apple’s desktop operating system. He tracks the growing sophistication of those seeking to attack MacOS, and provides tips for security professionals looking to bolster their defenses.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 170 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest today is Phil Stokes. He's a security researcher at SentinelOne, where he specializes in the analysis of attacks against MacOS.

In our conversation, Phil Stokes shares his professional journey, how he came to focus on the Mac platform, as well as insights on the state of security on Apple's desktop operating systems. He tracks the growing sophistication of those seeking to attack MacOS, and provides tips for security professionals looking to bolster their defenses. Stay with us.

Phil Stokes:

I've come from an unusual background, I guess, for somebody in cybersecurity, in the sense that I started ... I mean, I've been involved with the Mac platform for something like 15 years or more, but I didn't really start getting into it in a technical way until about 10 or 11 years ago. And I just started out on Apple's support forums, troubleshooting, volunteering troubleshooting advice to people. And after a while, that led me to ... Most of the problems that were coming up back then were ... Or it started to be when we started to see security issues coming up like adware and things like that. And that, in a roundabout way, led me to develop my own software to basically deal with all these issues instead of answering people's questions all the time.

And so for about five or six years, I was developing my own software and doing that. And then about two years ago, I joined SentinelOne. Basically, they were looking for somebody who had a background in MacOS security issues to help with research and somebody who knew the threat scape and had seen it evolve. So that's how I got to today, if you like.

Dave Bittner:

Where do we find ourselves today when it comes to MacOS and the state of things when it comes to security? What's your estimation of where we are?

Phil Stokes:

Generally, the Mac is a safe platform. I don't think there's a big argument about that. But I think that the issue really is that there is a malware problem on MacOS which never existed maybe five or six years ago. And it's actually even escalated again in the last couple of years, I think. I think part of that is to do with the fact that Macs are nown far more often found in business environments, whereas they probably weren't going back those five or six years. They weren't really a popular business machine.

And I think it's also that, just to use a vague general term, threat actors have realized there is money to be made from Mac users. Possibly it comes with the development of the iPhone from 2007, but the fact that people now have their Macs connected to so many other devices, they’re a rich hunting ground for people who want to gather data, adware, and we also have some more targeted actors as well with the business environment.

So I think the situation today really is that there are a lot more threats for Macs than there's ever been before, but I think there's also not a great awareness of it. If you compare that to, say, Windows, you can ask even the most basic Windows user, and they probably know what an AV is, or probably know that they need to have Windows Defender turned on or something like that. But with Mac users, I don't generally get that sense of awareness. There's this general feeling that, "Oh, well, it's a Mac, it's safe by design." I think that's something that people really need to have a second think about the kind of threats that we see these days.

Dave Bittner:

It's my perception from the folks that I've talked to, that the majority of the malware hitting Mac users seems to be adware. It's that it's that classic "update your copy of flash" and then something gets installed that shows ads. Is that an accurate perception on my part?

Phil Stokes:

I would say so. I wouldn't like to give figures, because I don't really have the data to say that. But off the cuff, top of my head, I would say probably 70, 80, maybe even 90 percent of the stuff I actually see on a day-to-day basis is going to be adware and it's cousin, which is the stuff we call bundleware, all the potentially unwanted software that gets installed alongside. It says, "Download some software manager," and you get like 10 things like MacKeeper and all these utilities. So they're not really offering any value. They'd often get installed through hidden or very, very difficult to see check boxes and things like that. Cryptominers are also a thing. We've had LoudMiner and BirdMiner in the last couple of years, so they've been ... In terms of detections, we see those on the rise quite a lot.

And to a much lesser extent there's bits of spyware and data-stealing stuff. And of course, the things that get the headlines every now and again, are the things like Lazarus or APT, GMERA, very, very targeted things that are going after specific users. So yeah, I think that's a fairly accurate way to think about it in terms of the general user. I think the most threats that they're looking at are adware and bundleware. The other problem that I see developing is when we look at these adware and bundleware actors. There's an actor that in the media is generally called Shlayer, which has been pretty proactive in the last 18 months or so.

What you see is a lot of interaction between themselves and a lot of swapping. So you get adware that's also installing bundleware, and you get bundleware downloaders that are serving up adware. And it's difficult, actually, a lot of time, to pull apart the different players, all these pay per install things. Some of them are serving adware and some of them are serving genuine malware. So it seems as if there is a lot of interaction with these guys in terms of helping each other out to serve this ... I mean, I just call the whole lot malware, basically, if it's something that the user doesn't want and doesn't know, and it's not in their interests. As far as I'm concerned, you might as well call it all malware. The number of these things is what's really quite shocking when you look at just how much more of this is occurring. It's more this year than there was last year, almost exponentially. And there seems to be more players as well.

Dave Bittner:

Well, so you and your team recently published an ebook, and among the things you focused on were incident response and threat hunting on MacOS. Can you take us through, share with us some of the insights that are in that ebook when it comes to those topics?

Phil Stokes:

Our idea with the ebook was really, in a sense, was that we deal with a lot of SOC teams — security operation centers — that are very familiar with Windows, and they know their way around all their Windows devices, but maybe they've got a very small percentage of Macs in their fleet, and this is not necessarily a topic that they're very familiar with. So what we wanted to do was basically produce a book that would guide them through how do you triage a Mac device that comes into the IT team or the SOC team and it looks like it's either had malware on it or could have malware on it, or has been behaving in some way that's suspicious. So basically, the idea is to try to educate people who are not familiar with Macs about all the different places and the different ways that malware can get itself inside a Mac device.

So we talk particularly about persistence agents in the ebook. For me, when I'm triaging a machine, the first thing I want to look at is what is the persistence mechanism? Because 99 percent of all malware is going to have some way that it wants to stay on the system. So we talk about all the different persistence mechanisms that are possible on a Mac. So there's a whole chapter on that. And then we talk about how to actually look at a Mac and determine whether it's been manipulated in some way. So that might be, of course, looking at running processes that are actually live at the time, but also looking at historical things. How do you investigate the file system on a Mac? It's not the same as on a Windows device, obviously. How do you check what the network configuration is and has it been manipulated in any way?

I mean, Macs are special. In one very specific way, they're different from all other computing devices in the sense that the hardware and the software is all built by the same people. So there is this huge integration that you don't see on Windows devices, you don't see on Linux devices. And for that reason, there are lots of things hidden away that the operating system knows that you can find out about the history. And many people don't know about these things. Lots of hidden SQL databases, lots of little obscure utilities that only exist on MacOS, even though Mac is a Unix-based system, or Unix-type system, there's lots of command line utilities that you won't find on Linux or other Unix-based systems. So we try to talk through all these various different tools and databases that are useful if you want to basically find out what's happened on the system and where can I find evidence that the system has been manipulated?

Dave Bittner:

So what are your recommendations for folks who are out there and have a fleet of machines that they're charged with looking after? Perhaps they have a handful of Macs, perhaps they have a lot of Macs. Any suggestions, words of wisdom?

Phil Stokes:

Sure. The main thing that you need, especially if you're talking about a business enterprise situation, the main thing that you need is visibility, because the one thing that you don't get ... I don't know Windows, so I don't know if it's true there. The one thing that you definitely don't get on a Mac is any way to be able to tell what's going on in an easy way. For example, if you thought you had malware ... Or I often have this conversation with people where they just say, "Oh my Mac's great. It never gets any infections." And I say, "So how do you know? How would you check? Tell me, what tool would you use that could give you that confidence?" Normally, if people know anything about the Mac, the only thing they'll know is like, "Well, I can open up the Activity Monitor." And I'm like, "Yeah, but there's crypto miners that go to sleep when you open up the Activity Monitor for MacOS. They're programmed to do exactly that."

Apple has their own built-in security tools. They're okay, but they leave a lot of gaps. And one of the main things that they don't have is they don't offer, if you're an IT team, or if you're an admin, they don't offer you any visibility into what's going on. So I think you need some kind of software that's going to be able to give you that visibility, that you're going to be able to easily look at, how is this machine different today than it was yesterday? What's happened on this machine? If you find some suspicious launch agent or something, where did it come from? How do I see what it's connected to?

So my main advice is that there are ... There's lots of solutions out there that can do this. This is one of the things that ... As I said earlier, I originally started out as a software developer, and this is one of the things that I developed. But the point is, ask yourself the question, and then go find out the answer. How would I find out if my Mac had malware? That would be my first piece of advice. My second piece of advice would be to think about ... Again, if you're thinking more about IT teams and admins, think about, how do you control what your users do? Because almost all malware, 99 percent of it, is coming through user interaction, certainly on the Mac. I can't speak for other platforms. But on the Mac there might be some rare case where an APT actor steals your laptop and inserts something on the logic board. But in reality, 99 percent of malware is coming through user interaction. The user is downloading something, as you were talking about before, being convinced that they need some fake Flash player update.

So the question is, how can you, one, see what users are doing, and two, how can you control them? And there's various things you can do in terms of controlling devices. Apple has this MDM platform and there's third-party solutions like Jamf and Fleetsmith, where you can control various aspects of what users can change from an admin perspective. Certainly in an enterprise environment, I think that's an important part of your security posture, because the thing with Macs is almost every user by default is an admin user. And as soon as you download something and run it as an admin user, if it's not a sandboxed app from the App Store, that process has an enormous power to do things without you knowing what it's doing.

So it comes back to what I was saying earlier about visibility. But also if you're looking at it from a SOC or IT team perspective, you really want to be thinking about how can you get some kind of control to stop people infecting themselves, basically.

And thirdly, the last thing I would just say is, and I think this is a big one and it comes back to where I started, I think, is user education. Because as I say, Windows users have got the idea that there are threats there, that they need to have Windows Defender running or whatever. And I think Mac users haven't got there yet. I see this even with some of the thought leaders or influencers on Twitter and various social media platforms. They will argue that, "Oh, there's no real malware for MacOS and nobody needs security software." How would you know if you had some?

So I think just this idea that it's not a myth anymore, that there is ... You can go on VirusTotal and just do ... For those that have access to it, you can just do a search tag for MacO and just see how many new malwares are going up on a repository like VirusTotal every day. So people just need to be aware that, yeah, you can be safe if you are educated. As you say, there's a lot of ... The adware and stuff that we see there is just manipulating users who just don't know better. They trust stuff. And they just need to know that the situation has changed. It's not necessarily a trustworthy world out there.

Dave Bittner:

What are your thoughts as Apple has announced that they're going to be shifting to ARM chips? Is that a shift you're looking forward to? What do you think we're in for?

Phil Stokes:

Yeah, I don't know, actually. Personally, I'm looking forward to it. As I told you that I started off with Acorn RISC Machines, and that's basically where ARM itself comes from. So this is a reduced instruction set CPU. So as a reverse engineer, I'm absolutely like, "Yeah. Let's go. This is great stuff. Great to get away from Intel." But I don't know. I mean, in terms of your listeners, I don't know yet at this point. I think it's too early to say what that will mean in terms of the security situation. It's fairly clear with Big Sur and 10.16 or 11, whichever they finally decide on, it's fairly clear that there's a lot more lockdown coming. They're locking down the ... There's kernel integrity protection coming. They're locking down the system volume so much now that you won't even need FileVault on it.

So it's clear that Apple has got this whole concept, if you like, or philosophy, about locking down the system. And things like notarization that came in 10.14, I think, are all part of that. How that transitions into ARM, it remains to be seen. Sorry I couldn't be much more informative at the moment, but we don't have that much info on it.

So quite recently, we saw one of the very few instances of ransomware on the Mac, and it was a very unusual ransomware in the sense that it never really looked like the threat actors were that serious about making money, and in fact, from our investigation, didn't look like they made any money whatsoever. But the threat itself was interesting as a development because they actually included multiple different kinds of capabilities, in fact, all the kinds of capabilities that you typically associate with Windows malware. So there's a backdoor in there. There was spyware, data exfiltration stuff in there. There was privilege escalation in there, as well as the actual ransomware component that got all the headlines. And that, to me and to my colleagues, was something ... What struck us mostly about that was just how developed now these actors are becoming on the Mac platform.

I mean, a few years ago, anything that you saw on a Mac was very poorly conceived, and it was clear that the developers probably didn't come from a Mac background. And I think now that both that particular ... What was it called? EvilQuest or ThiefQuest, I think it was finally named. That particular piece of malware was clearly developed by people who were Mac developers. And the same story with the recent Lazarus. We did a post recently on four different families of Lazarus malware. And I think Kaspersky had done one on a framework as well a week before they attributed to Lazarus. And again, when you look at the code underneath from a reverse engineering standpoint, you can see that these are not developers from another platform, who are just trying to port something over. These are Mac developers. These are people that know Apple's APIs and Apple's coding languages inside out. And they're using everything from basic C libraries to Objective-C to Swift, the whole gamut of things that are available for Mac developers.

So this again is part of my perception that I think the whole malware scene on Mac is ... We can see that it has increased over the last few years, but I think it's developing as well. And as Apple develops their responses, it's clear that there are teams, threat actors that are out there that are responding in kind. So I think this is a problem that it's not going to go away with a quick solution from Apple changing some technology on their side. I think that the threat actors are heavily invested in the platform.

Dave Bittner:

Our thanks to Phil Stokes from SentinelOne for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.