Apple's security protections were put to the test in the past week when hackers embedded ransomware in Transmission, a popular BitTorrent client. Ransomware is an increasingly common form of attack in which malicious software encrypts data on an infected computer and demands a ransom payment from the user in exchange for the key to decrypt their data. While ransomware has become disturbingly commonplace for Windows users, the Mac has been largely immune from these threats. Apple has a long history of building strong security protections into its operating systems, such as the Gatekeeper and XProtect anti-malware mechanisms. However, as Mac usage continues to grow, it is now a more attractive target for hackers. And, as with any computer system, there will be vulnerabilities that hackers seek to exploit.
In this case, hackers went after a software vendor rather than attacking the Mac system directly: they embedded malicious code in the Transmission.app installer. When a Mac user ran the installer, it passed Gatekeeper's inspection because it was signed with a valid developer certificate issued by Apple; Gatekeeper verifies who signed an app, not what the signed code does. As soon as the malicious software was reported, Apple immediately revoked the developer certificate and updated the XProtect anti-malware definitions to prevent any further infection. This incident demonstrates that while no system is entirely immune, Apple's security scheme does its job by drastically reducing the window of time in which an exploit can spread.
This attack is a good reminder of the importance of preventative security policies. Keeping your operating system up to date is the best course of action to protect your Mac from this type of attack. Gatekeeper and XProtect are included with Apple's OS X operating system and can automatically receive updates from Apple. Open the App Store pane in System Preferences yourself and confirm that the "Install system data files and security updates" option is checked.
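To check the same settings across many Macs rather than by hand, the following script is an added example (not from the original post, Apple or Jamf): it reads the com.apple.SoftwareUpdate keys behind that checkbox, reports Gatekeeper and XProtect definition state, and can switch the settings on. The preference keys, the XProtect.meta.plist path and the need to run the remediation as root are assumptions based on OS X of that era.

```shell
#!/bin/sh
# Added example: audit the update settings the post recommends on one Mac,
# in a form a fleet admin could run over ssh or from a management tool.
# Assumed: OS X 10.11-era preference keys and the XProtect.meta.plist path.

SU_DOMAIN=/Library/Preferences/com.apple.SoftwareUpdate

# Read one key from a defaults domain; prints "missing" when the key is unset.
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || echo missing
}

# Returns 0 when a stored boolean reads as enabled ("1" or "true"), 1 otherwise.
pref_enabled() {
    case "$1" in
        1|true|TRUE|YES) return 0 ;;
        *) return 1 ;;
    esac
}

# Evaluate the three values the advice depends on and print one line per check.
# Arguments: AutomaticCheckEnabled, ConfigDataInstall, CriticalUpdateInstall.
# Returns the number of failed checks so a management tool can key off it.
audit_values() {
    fails=0
    for pair in "AutomaticCheckEnabled=$1" "ConfigDataInstall=$2" "CriticalUpdateInstall=$3"; do
        key=${pair%%=*}; val=${pair#*=}
        if pref_enabled "$val"; then
            echo "OK   $key=$val"
        else
            echo "FAIL $key=$val"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Live audit on a Mac: real preference values, then Gatekeeper and XProtect state.
audit_mac() {
    audit_values "$(read_pref $SU_DOMAIN AutomaticCheckEnabled)" \
                 "$(read_pref $SU_DOMAIN ConfigDataInstall)" \
                 "$(read_pref $SU_DOMAIN CriticalUpdateInstall)"
    rc=$?
    echo "Gatekeeper: $(spctl --status 2>/dev/null || echo unknown)"
    echo "XProtect definitions: $(read_pref /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta Version)"
    return $rc
}

# Remediation: turn the three settings on (run as root).
enable_security_updates() {
    for key in AutomaticCheckEnabled ConfigDataInstall CriticalUpdateInstall; do
        defaults write $SU_DOMAIN $key -bool true
    done
}
```

Run `audit_mac` to report, and `enable_security_updates` to fix a machine that fails; a non-zero exit from `audit_mac` is the count of unchecked settings.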
IT professionals tasked with managing a fleet of Macs should consider taking additional steps to ensure the malicious software is removed from their networks. Several IT pros detailed their approach here: https://jamfnation.jamfsoftware.com/discussion.html?id=19090