Despite the challenges we all faced in 2021, malicious threat actors targeting macOS- and iOS-based devices didn’t seem to skip a beat. In fact, security threats targeting the Apple ecosystem not only increased but became hyper-focused in their novelty. They repurposed existing attacks, developed new threats and combined multiple threats together to form multi-pronged payloads. These efforts were designed to provide malicious actors with various ways of infecting and compromising devices while maintaining persistence for future, as-of-yet-undeveloped forms of attack.
In this blog, we cover 10 security threats and vulnerabilities that impacted macOS and iOS endpoint security in 2021, what they were capable of and why they were so devastating.
The popularity of macOS among personal and corporate users alike continues to grow. And it’s no secret why. We have seen some great computers released in the last several years, with thinner, lighter, more powerful laptops in the MacBook Pro line and further development of the M1 silicon-on-a-chip (SoC) architecture to produce greater performance and efficiency. So it should come as no real surprise that a whopping eight new macOS malware families emerged in 2021, according to Apple security researcher Patrick Wardle.
1. XLoader: Initially detected as a Windows executable, XLoader has since been given a Mach-O binary by its developers, and threat actors now offer it in a hosted, malware-as-a-service model. This lets anyone create their own XLoader-based malware as a macOS binary or .jar file, with the aim of stealing credentials and recording keystrokes.
2. XCSSET: Detected by the Jamf Threat Labs, the XCSSET malware performs a bypass of Apple’s TCC protections, which safeguard privacy, by infecting Xcode workflows. The zero-day exploit works by secretly capturing the permissions from an existing app, then creating a unique app using the donor app’s pre-approved permissions set. The end result? A malicious app that runs with privacy-compromising permissions that the user was never prompted to approve.
3. Log4j: While not a macOS-specific threat, the vulnerability in the Java-based Log4j logging library hit computing systems the world over, and it was significant given the number of systems that rely on Java libraries to power apps and services. The fact that it hit during the end-of-year holidays made it worse, forcing many organizations to scramble their IT teams to contain the fallout until patches became available.
4. Shlayer: We also saw another malware threat detected by the Jamf Threat Labs that bypasses Gatekeeper protections. This variant of Shlayer works by crafting an application bundle with a malicious script, allowing an app bundle downloaded from the Internet to execute while skipping File Quarantine, Gatekeeper and Notarization checks.
5. Silver Sparrow: This framework offered a few firsts for Mac malware: it reported infection and persistence status back to its creators, contained a Java-based payload that installs and sets up C2 functionality for future attacks, and was the first malware to run natively on Apple’s M1 architecture.
6. Sudo escalation: While “getting root” is certainly part of many attackers’ strategies, the vulnerability identified in CVE-2021-3156, which affects Unix-based systems, also touched macOS. In essence, malicious users can give themselves sudo-level rights, which, as any IT admin will tell you, is the first ingredient in a recipe for disaster.
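Because the sudo item above comes down to patch status, here is an added example (not from the Jamf post) that classifies a sudo version string against the ranges the upstream sudo advisory lists for CVE-2021-3156, so a fleet script can report which Macs still need the update. The affected ranges (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, fixed in 1.9.5p2) are the advisory's; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: report whether an installed sudo falls in the version
# ranges affected by CVE-2021-3156. Ranges per the upstream sudo advisory:
# 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1; 1.9.5p2+ carries the fix.

# Turn "1.9.5p1" (or the first line of `sudo --version`, "Sudo version 1.9.5p1")
# into one comparable integer: major*1000000 + minor*10000 + patch*100 + p-level.
# A missing p-level becomes 0 because awk treats an absent field as 0.
sudo_ver_num() {
  printf '%s\n' "$1" | head -n 1 \
    | sed -E 's/^Sudo version //; s/p/ /; s/\./ /g' \
    | awk '{ print $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 }'
}

# Prints "vulnerable", "not-affected" or "unknown" for a version string.
cve_2021_3156_status() {
  case "$1" in
    *[0-9].[0-9]*.[0-9]*) ;;            # needs at least major.minor.patch
    *) echo unknown; return 0 ;;
  esac
  n=$(sudo_ver_num "$1")
  if [ "$n" -ge 1080200 ] && [ "$n" -le 1083102 ]; then
    echo vulnerable                      # 1.8.2 .. 1.8.31p2
  elif [ "$n" -ge 1090000 ] && [ "$n" -le 1090501 ]; then
    echo vulnerable                      # 1.9.0 .. 1.9.5p1
  else
    echo not-affected
  fi
}

# Run against the sudo installed on this host, e.g. from a Jamf policy script.
check_local_sudo() {
  if ! command -v sudo >/dev/null 2>&1; then
    echo "sudo: not installed"
    return 0
  fi
  v=$(sudo --version 2>/dev/null | head -n 1)
  echo "$v -> $(cve_2021_3156_status "$v")"
}

check_local_sudo
```

The version check is a triage aid: vendors sometimes backport fixes without bumping the version string, so confirm a "vulnerable" result against the OS update level before acting on it.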
Alongside the growing number of organizations adopting remote or hybrid work environments, leveraging these powerful mobile technologies is a no-brainer for organizations looking for flexibility, while users can work from anywhere, anytime. But this too does not come without its cons. The downside, in this case, is increased risk to mobile endpoint security from spyware, vulnerabilities and persistent malware (yep, you read that right!).
7. Persistence PoC: Most malware on iOS runs in memory, so rebooting a device clears it from the running processes and it must be launched again. On macOS, persistence has long allowed malware to keep running despite power cycling, but it hasn’t been possible on iOS. That is, until a security research team identified a vulnerability in how iOS processes feedback input, allowing malware to keep running in memory without using a zero-day while remaining nearly undetectable to users.
8. CVE-2021-30883: Highlighting the importance of a regular patch management process, this vulnerability allowed an application to execute arbitrary code with kernel privileges. Essentially, this lets threat actors perform local privilege escalation and escape the app sandbox, and it may be combined as part of a much more powerful attack chain.
9. Pegasus: Initially developed as a piece of targeted spyware for law enforcement aimed at capturing data from suspected criminals, this spyware came to light in a big way after it was discovered by Amnesty International that the software was being used against journalists, activists and dissidents. Pegasus was eventually paired with zero-day vulnerabilities in iMessage and WhatsApp as part of a “zero-click attack” campaign that automatically installed spyware without users even answering text messages or phone calls.
10. XcodeSpy: Considered a supply-chain attack, this malware targets Xcode projects, which Apple developers legitimately use to design new apps. Not only does this allow threat actors to disrupt the development process, it also gives them broader access to a whole host of targets: anyone who installs the affected software on their iOS-based devices.
Back to the Future
In the ‘80s hit movie, the main character travels back to his present after visiting the past, only to find that while certain things remained the same, other events were changed in the future. Mac cybersecurity shares a bit in common with BTTF in that respect. For instance, the malware mentioned earlier is not only still in active use, but also acting as a sort of springboard for malicious authors to develop newer, more ingenious methods to distribute malware, compromise devices and steal data.
Like the bad penny that keeps turning up, ransomware never really left; it merely became more refined to further assert its dominance within the malware world. Like someone who has made the concerted effort to eat healthier, exercise daily and eliminate toxic behaviors from their life, ransomware, frankly, has never been more attractive for threat actors looking to get rich from the lucrative endeavor.
According to a Bloomberg article, “there was $590 million in suspicious activity related to ransomware in the first six months of 2021.” The amount for 2020, you ask? $416 million for the entire year!
If matters weren’t bleak enough with regards to ransomware, there’s a bigger concern looming on the horizon: Ransomware-as-a-Service (RaaS). That’s right, taking to the cloud, ransomware developers have opened shop, selling, or renting access to their infrastructure to bad actors that wish to carry out ransomware-based attacks, but may lack the requisite technical prowess and/or tools to deploy a campaign on their own.
Several “RaaS kit” models exist, from a monthly subscription to affiliate programs that see operators getting a percentage of the haul, pure profit sharing and one-time license fees. Make no mistake — with an average of $10 million per successful campaign, the incentive for turn-key operations to maintain the infrastructure is certainly there, with researchers warning that RaaS already accounts for almost two-thirds of ransomware campaigns in the past year.
The silver lining is that it’s not all doom and gloom. No, we don’t have a DeLorean capable of time travel to whisk us back to a simpler time, but the FBI has provided some excellent recommendations on how to better protect your organization from succumbing to the risks of ransomware threats.
Great Scott, your mobile fleet doesn’t have any endpoint protection!
No worries, contact Jamf or your preferred representative today to discuss what options are available that meet the specific needs and compliance requirements of your organization.