How safe are we with Apple macOS?
Can MacBooks get viruses? Do Macs need antivirus?
We are still immersed in technological innovation, and the curve keeps getting steeper; much of that technology, however, is helping us solve significant operational tasks.
Speaking of cybersecurity in general, we are still behind; we are steps behind the cybercriminals. Unfortunately the attacks continue, and with very good results for the attackers: in the majority of the cases that have been detected and made public, they succeeded.
The events that are not made public are kept quiet simply to avoid damaging the company's reputation and to preserve a status that, if it were known to have been breached, would mostly cost the company customers.
Today, however, I consider that the question is not whether you are attacked, but how you responded to the attack. How did you mitigate it? How did it affect you operationally, commercially and economically? If there was no damage, that is a triumph and also an alert: they have already seen you and will try again, so you have to keep preparing and keep preventing. I have always told you that this is a very broad topic. As an example, I will describe a series of alarming events, because many people think that owning an Apple Mac guarantees they will never have to battle viruses. That is not true at all. Look:
Take the macOS information stealer known as Atomic. It is distributed through a series of downloads presented as browser updates, which are obviously fake and are served from fake or compromised websites.
This is unusual, since such campaigns used to be reserved for Windows, a system with a long history of flaws, hence its constant updates and patches. Well, the attackers have changed: they can now expand their reach not only by geolocation but also by operating system.
Atomic Stealer, also known as AMOS, was first documented in April 2023. It belongs to the family of commercial stealer malware sold by subscription, at $1,000 per month, on the dark web, and it comes with capabilities to siphon data from web browsers and cryptocurrency wallets.
If malware does strike, macOS has ways to limit how far it spreads, but Mac users still face the usual online threats: spam and phishing emails, browser vulnerabilities and identity theft.
In September 2023, an Atomic Stealer campaign came to light that used Google ads as the hook, deceiving macOS users who were searching for, for example, the financial charting platform TradingView: anyone who clicked the ad downloaded the malware.
ClearFake, on the other hand, is a fledgling malware distribution operation that uses compromised WordPress sites to display fraudulent browser-update notices in the hope of deploying stealers and other malware. It is also said to open the door to more than one threat, joining a larger group of threat-actor clusters and techniques such as TA569 (aka SocGholish), RogueRaticate (FakeSG), ZPHP (SmartApeSG) and EtherHiding, all known to use fake-browser-update themes for this purpose.
Macs have built-in security measures, such as a firewall to block network attacks, and Apple ships several anti-malware features: sophisticated macOS runtime protections that work at every level of the Mac to defend the system against malicious software. This starts with the integrated antivirus (XProtect), which blocks and removes known malicious software, and continues with technologies such as XD (Execute Disable), ASLR (Address Space Layout Randomization) and SIP (System Integrity Protection), which make it harder for malicious software to run and damage the system and ensure that even processes with root permissions cannot modify key system files.
All of this, however, is not enough; we still lack "layer 8", that is, the end user, for the security measures to work correctly. Since November 2023 the trend has been clear: the ClearFake campaign expanded to target macOS systems with a nearly identical infection chain, using hacked websites to deliver Atomic Stealer as a DMG file.
This development shows that stealer malware continues to rely on fake or poisoned installers for legitimate software, spread through malicious ads, search-engine redirects to malicious sites, drive-by downloads, phishing and SEO poisoning.
"I find that the popularity of stealers like AMOS makes it quite easy to adapt the payload to different victims with minor adjustments. Think about it: this becomes exponential with cybercriminals' use of AI and machine learning."
Another example: this disclosure follows updates to another information stealer, LummaC2, which uses a novel trigonometry-based anti-sandbox technique that forces the malware to wait until human behaviour (mouse movement) is detected on the infected machine. Imagine AI applied in reverse.
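To make the "wait until human behaviour is detected" idea concrete, here is an added example (my reconstruction, not LummaC2's code) of a cursor-geometry check of the kind described for that stealer: the pointer position is sampled a few times, the displacement vectors between samples are computed, and the environment is only treated as "human" when the cursor moved every time and every turn between consecutive vectors is gentle. The sample count (5), delay (300 ms) and 45-degree threshold are taken from the published analysis but are assumptions here, exposed as parameters; the cursor sampler is injected so the logic runs without a GUI, and the traces at the bottom are constructed, not captured. The last function shows the sandbox-side counter: a gently curved synthetic path that satisfies the check.

```python
"""Reconstruction of a cursor-geometry "is a human here?" heuristic of the kind
described for LummaC2, plus the sandbox-side counter to it.
Added example, not the malware's code; constants are assumptions."""
import math
import time
from typing import Callable, List, Tuple

Point = Tuple[float, float]

# Assumed parameters: five samples 300 ms apart; any stationary sample or any
# turn sharper than 45 degrees disqualifies the round.
SAMPLES = 5
SAMPLE_DELAY_S = 0.3
MAX_TURN_DEG = 45.0


def _vectors(points: List[Point]) -> List[Point]:
    """Displacement vectors between consecutive cursor samples."""
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]


def turn_angle_deg(v1: Point, v2: Point) -> float:
    """Angle between two consecutive displacement vectors, in degrees."""
    n1, n2 = math.hypot(*v1), math.hypot(*v2)
    if n1 == 0.0 or n2 == 0.0:
        return 180.0  # no movement: treat as the sharpest possible turn
    cos_theta = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
    return math.degrees(math.acos(max(-1.0, min(1.0, cos_theta))))


def looks_human(points: List[Point], max_turn_deg: float = MAX_TURN_DEG) -> bool:
    """True when the cursor moved at every sample and every turn is gentle.

    A hand drags the pointer along a smooth arc; a sandbox that leaves the
    cursor parked (zero-length vectors) or teleports it to random screen
    positions (sharp turns) fails this test.
    """
    if len(points) < 3:
        return False
    vecs = _vectors(points)
    if any(v == (0.0, 0.0) for v in vecs):
        return False
    return all(turn_angle_deg(a, b) < max_turn_deg for a, b in zip(vecs, vecs[1:]))


def wait_for_human(sample_cursor: Callable[[], Point], max_rounds: int = 3,
                   samples: int = SAMPLES, delay_s: float = SAMPLE_DELAY_S) -> bool:
    """Poll the cursor in rounds; return True as soon as one round looks human.

    `sample_cursor` is injected (on a real host it would read the pointer
    position).  False models the malware giving up in an operator-less VM.
    """
    for _ in range(max_rounds):
        points = []
        for _ in range(samples):
            points.append(sample_cursor())
            if delay_s:
                time.sleep(delay_s)
        if looks_human(points):
            return True
    return False


def synthetic_human_path(start: Point, end: Point, steps: int = SAMPLES) -> List[Point]:
    """Sandbox-side counter: a gently bowed path from start to end that
    satisfies looks_human(), so a cursor-gated sample still detonates."""
    path = []
    for i in range(steps):
        t = i / max(steps - 1, 1)
        x = start[0] + (end[0] - start[0]) * t
        # small sinusoidal bow so the path is an arc, not a ruler-straight line
        y = start[1] + (end[1] - start[1]) * t + 6.0 * math.sin(math.pi * t)
        path.append((x, y))
    return path


# Constructed sample traces (not captured data).
HUMAN_DRAG = [(100, 100), (120, 105), (140, 112), (160, 121), (180, 132)]
SANDBOX_JUMPS = [(10, 10), (500, 40), (30, 600), (700, 20), (15, 15)]
SANDBOX_PARKED = [(300, 300)] * 5

if __name__ == "__main__":
    for name, trace in [("human drag", HUMAN_DRAG), ("random jumps", SANDBOX_JUMPS),
                        ("parked", SANDBOX_PARKED)]:
        print(f"{name:12s} -> {'human' if looks_human(trace) else 'not human'}")
    print("curved synthetic path passes:",
          looks_human(synthetic_human_path((0, 0), (200, 80))))
```

The detection lesson is the mirror image of the evasion: a sandbox that never moves the pointer, or moves it by teleporting between random coordinates, will never see the payload run, while a short scripted arc is enough to satisfy this class of check.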
The malware's operators have also been promoting a new feature that they claim can collect Google account cookies from compromised computers that do not expire and are not revoked even if the owner changes the password. It is all on the record. If true, this is a major change in the world of cybercrime, allowing attackers to infiltrate even more accounts and carry out significant attacks.
This is a huge breach of cybersecurity, considering that these cookies appear to be more persistent and could lead to a wave of hijacked Google accounts. If the claim that a password change does not invalidate the session is correct, we are facing a much bigger problem.
Great care must be taken and users must be trained, because the initial intrusion vector used to distribute the malware is not always immediately clear, even though users may be manipulated into downloading and running it under the guise of legitimate software.
Staying with browsers: the newest version of this stealer poses as a game installer and adds more functions aimed at the Firefox and Chromium browsers, while at the same time using game-related lures to target cryptocurrency users.
I recommend reading carefully whenever we download any application from the internet, on any operating system. What can alert us? The presence of grammatical and spelling errors is an indication that the developer's first language is probably not English.
“Unfortunately, as of today, the identity of the threat actor behind Atomic Stealer is not known.”
In the midst of Apple's evolution into the brand that most protects and guarantees its users' privacy, some cybersecurity experts found what they describe as a security hole that clashes directly with the values the brand is moving towards.
The flaw surfaced just as Apple's OCSP server collapsed: during the update to Big Sur it could not process all the certificate checks, and instead it left the option of updating without that control. Of course it collapsed, and of course it became a controversy, because the information was withheld.
It was claimed that, with Big Sur, Apple logged the communication with your Mac for every program you ran, in plain text and without protection, recording data such as the date and time, and that you could do nothing to prevent it, since its systems bypassed firewalls and VPNs.
Reviewing my iMac logs, I verified that it is not true that Apple records your activity every time you open an app, or that it links that record to your Apple ID. It is correct that it receives a hash to ensure that you are using an app that complies with its well-known strict measures; however, there is a cache that avoids having to register every time you open an app, and it does not even upload a new hash every time you open a program with the same name: one hash can cover several programs, in other words, it does not clearly identify them.
On the other hand, it could be said that it is a matter of scale, and the truth is that if I am going to open this topic, we should also include Windows SmartScreen, since it performs the same telemetry work to check certificates.
While it is true that you can now install apps from the App Store or the internet without worrying about anything, as the brand's advertising says, I think this operating system is very good; however, it is full of restrictions and has a clear commercial scope. I have confirmed that the brand's App Review team makes sure to review each app before accepting it into the App Store.
Gatekeeper on your Mac also ensures that apps downloaded from the internet have been checked by Apple (notarized) for known malicious code before you run them for the first time. And if a problem is later found with an app, Apple can quickly stop new installations and even block the app so that it no longer runs.
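The Atomic Stealer campaigns above arrive as a DMG saved by the browser, and the Gatekeeper check just described is what stands between that file and the user. The following added example (mine, not Apple's or any vendor's code) shows what a practitioner can verify before double-clicking such an image: it parses the `com.apple.quarantine` extended attribute that browsers and mail clients attach to downloads (format `flags;unix-time;agent;uuid`, hex fields), interprets the verdict of `spctl --assess --type install -v`, and combines the two into an open/refuse decision. The allow-list of acceptable `source=` values is a policy assumption for this example, and the quarantine string and `spctl` outputs embedded at the bottom are constructed, so the decision logic runs offline; `check_download()` runs the real commands and only works on macOS.

```python
"""Vet a downloaded disk image before opening it: read the quarantine tag
that Safari/Chrome attach, ask Gatekeeper's policy engine (spctl) for its
verdict, and only then decide.  Added example, not Apple's code."""
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

QUARANTINE_ATTR = "com.apple.quarantine"
# Policy assumption for this example: only notarized or Apple-distributed
# software may be opened; an accepted-but-unnotarized verdict is refused.
TRUSTED_SOURCE_RE = re.compile(r"Notarized|Mac App Store|Apple System")


@dataclass
class Quarantine:
    flags: int
    downloaded_at: datetime
    agent: str      # application that saved the file (Safari, Chrome, Mail, ...)
    origin_id: str  # key into that agent's QuarantineEvents database


def parse_quarantine(value: str) -> Quarantine:
    """Parse the xattr payload 'flags;unix-time;agent;uuid' (hex fields)."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return Quarantine(
        flags=int(parts[0], 16),
        downloaded_at=datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        agent=parts[2],
        origin_id=parts[3] if len(parts) > 3 else "",
    )


@dataclass
class Assessment:
    accepted: bool
    source: str  # e.g. "Notarized Developer ID", "no usable signature"


def parse_spctl(output: str, returncode: int) -> Assessment:
    """Interpret `spctl --assess --type install -v <file>`: exit status 0 plus a
    line ending in 'accepted', followed by a 'source=<why>' line."""
    accepted = returncode == 0 and re.search(r":\s*accepted\b", output) is not None
    m = re.search(r"^source=(.+)$", output, re.MULTILINE)
    return Assessment(accepted, m.group(1).strip() if m else "unknown")


def decide(q: Optional[Quarantine], a: Assessment) -> Tuple[bool, str]:
    """Combine provenance and the Gatekeeper verdict into an open/refuse decision."""
    if not a.accepted:
        return False, f"Gatekeeper rejected the image ({a.source}); do not open it"
    if not TRUSTED_SOURCE_RE.search(a.source):
        return False, f"accepted only as '{a.source}', not notarized; refuse"
    if q is None:
        return True, ("notarized, but no quarantine tag: it did not arrive via a "
                      "browser or mail client, so check how it got here")
    return True, (f"notarized ({a.source}); downloaded by {q.agent} "
                  f"at {q.downloaded_at:%Y-%m-%d %H:%M} UTC")


def check_download(path: str) -> Tuple[bool, str]:
    """Run the real checks.  Needs macOS with xattr and spctl on PATH."""
    if sys.platform != "darwin" or not shutil.which("spctl"):
        raise RuntimeError("this check needs macOS with spctl available")
    x = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                       capture_output=True, text=True)
    q = parse_quarantine(x.stdout) if x.returncode == 0 else None
    s = subprocess.run(["spctl", "--assess", "--type", "install", "-v", path],
                       capture_output=True, text=True)
    # spctl prints its verdict on stderr, so read both streams
    return decide(q, parse_spctl(s.stdout + s.stderr, s.returncode))


# Constructed values (not captured from a real machine) for offline use.
SAMPLE_QUARANTINE = "0083;6560a1b2;Chrome;4A3B9F2E-1C2D-4E5F-8A9B-0C1D2E3F4A5B"
SAMPLE_SPCTL_REJECT = ("/Users/me/Downloads/ChromeUpdate.dmg: rejected\n"
                       "source=no usable signature\n", 3)
SAMPLE_SPCTL_ACCEPT = ("/Users/me/Downloads/TradingView.dmg: accepted\n"
                       "source=Notarized Developer ID\n", 0)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok, why = check_download(sys.argv[1])
    else:
        q = parse_quarantine(SAMPLE_QUARANTINE)
        ok, why = decide(q, parse_spctl(*SAMPLE_SPCTL_REJECT))
    print("OPEN" if ok else "REFUSE", "-", why)
```

Run it as `python3 vet_dmg.py ~/Downloads/something.dmg` on a Mac; with no argument it walks the constructed "fake browser update" case and prints REFUSE. Two caveats a practitioner should keep in mind: the quarantine agent tells you which application wrote the file, not where it came from, so the `uuid` still has to be looked up in that browser's quarantine database to recover the URL; and a verdict is only as good as the decision to honour it, since the lure pages for stealers like the one above typically coach the victim into overriding Gatekeeper by hand.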
The purpose of this article is to broaden the view of cybersecurity. I am sure there is no invincible operating system, nor any security tool that protects you 100%, because there are vulnerabilities that are not yet known. Likewise, a large and expensive cybersecurity architecture is not very functional if we do not train our users and raise the level of our IT staff.
Nowadays there are CISOs and network security staff who only receive alerts and review a few screens; they do not look for trends or patterns, they do not know how to recognise the symptoms, only what the solution's screens send them. I have seen proof that knowing the path the adversary followed, wherever it has reached, helps us close gaps and mitigate more effectively and promptly.
On one occasion, for some reason I do not know, a CISO from another country who managed global cybersecurity left the network I managed in Mexico without internet. He blocked everything; in fact they did not even have safe IP ranges, and blocked even the corporate intranet. We never received a real report of the event for the IT staff, and even though they are certified in the CMMC, we always have to see the complete picture, because this can be the origin of a great loss: users, clients, suppliers, etc. I can tell you that in our network in Mexico we had no anomalous events, no patterns and no trends. I share this experience so that you carry out training, penetration tests and incident response, and determine responsibilities; there is a lot of room for action, and by being proactive in the different phases of network infrastructure and cybersecurity you can raise the bar and make it harder for cybercriminals.
Thank you very much for your attention; we remain in contact and I look forward to your comments. We must support each other: whoever believes they know everything already has the first factor of insecurity.
Your friend,
Comment (1 year ago) from a Partner Assistant at Muñoz Manzo y Ocampo S.C.: Thanks for the information, it is very helpful.