alt=3D render of a stylized black and red checkers board with abstract pieces.
Cyber security
2025-01-23 Post a Comment

Dangerous new botnet targets webcams, routers across the world

Story by Sead Fadilpašić

  • Security researchers observe new botnet-building campaign called Murdoc
  • Its attacks are targeting IP cameras and routers
  • More than 1,000 devices have been identified as compromised

Cybersecurity researchers from the Qualys Threat Research Unit have observed a new large-scale operation exploiting vulnerabilities in IP cameras and routers to build out a botnet.

In a technical analysis, Qualys said the attackers were mostly exploiting CVE-2017-17215 and CVE-2024-7029, seeking to compromise AVTECH IP cameras, and Huawei HG532 routers. The botnet is essentially Mirai, although in this case it was dubbed Murdoc.

Qualys said Murdoc demonstrated “enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks.”

The persevering Mirai

The campaign most likely started in July 2024, and has so far managed to compromise 1,370 systems. Most of the victims are located in Malaysia, Mexico, Thailand, Indonesia, and Vietnam.

With a network of internet-connected devices (bots) under their control, malicious actors can mount Distributed Denial of Service (DDoS) attacks, bringing websites and services down, disrupting operations and causing financial and reputational harm.

Mirai is a highly popular botnet malware. Created by three college students in the US: Paras Jha, Josiah White, and Dalton Norman, Mirai became infamous in 2016 after orchestrating a large-scale DDoS attack on Dyn, that temporarily disrupted major websites, including Netflix, and Twitter.

The creators released the source code online, right before their arrest in 2017. They pled guilty to using the botnet for DDoS attacks and other schemes.

While law enforcement continues to target and disrupt the botnet, it has shown great resilience and continues to be active to this day.

Less than two weeks ago, a Mirai variant named ‘gayfemboy’ was found exploiting a bug in Four-Faith industrial routers. Although clearly spawned from Mirai, this new version differs greatly, abusing more than 20 vulnerabilities and targeting weak Telnet passwords. Some of the vulnerabilities have never been seen before, and don’t have CVEs assigned just yet. Among them are bugs in Neterbit routers, and Vimar smart home devices.

read more
alt=Abstract red digital background with white "ivanti" logo in the center.
Cyber security
2025-01-10 Post a Comment

Ivanti warns of new Connect Secure flaw used in zero-day attacks

By

Ivanti is warning that hackers exploited a Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 in zero-day attacks to install malware on appliances.

The company says it became aware of the vulnerabilities after the Ivanti Integrity Checker Tool (ICT) detected malicious activity on customers’ appliances. Ivanti launched an investigation and confirmed that threat actors were actively exploiting CVE-2025-0282 as a zero-day.

CVE-2025-0282 is a critical (9.0) stack-based buffer overflow bug in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows a unauthenticated attacker to remotely execute code on devices.

While the flaw impacts all three products, Ivanti says they have only seen it exploited on Ivanti Connect Secure appliances.

“We are aware of a limited number of customers’ Ivanti Connect Secure appliances which have been exploited by CVE-2025-0282 at the time of disclosure,” reads an Ivanti blog post.

“We are not aware of these CVEs being exploited in Ivanti Policy Secure or Neurons for ZTA gateways.”

Ivanti has rushed out security patches for Ivanti Connect Secure, which are resolved in firmware version 22.7R2.5.

However, patches for Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways will not be ready until January 21, according to a security bulletin published today.

Ivanti Policy Secure: This solution is not intended to be internet facing, which makes the risk of exploitation significantly lower. The fix for Ivanti Policy Secure is planned for release on January 21, 2025, and will be available in the standard download portal. Customers should always ensure that their IPS appliance is configured according to Ivanti recommendations and not expose it to the internet. We are not aware of these CVEs being exploited in Ivanti Policy Secure.

Ivanti Neurons for ZTA Gateways: The Ivanti Neurons ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. The fix is planned for release on January 21, 2025. We are not aware of these CVEs being exploited in ZTA Gateways.

The company recommends all Ivanti Connect Secure admins perform internal and external ICT scans.

If the scans come up clean, Ivanti still recommends admins perform a factory reset before upgrading to Ivanti Connect Secure 22.7R2.5.

However, if the scans show signs of a compromise, Ivanti says a factory reset should remove any installed malware. The appliance should then be put back into production using version 22.7R2.5

Today’s security updates also fix a second vulnerability tracked as CVE-2025-0283, which Ivanti says is not currently being exploited or chained with CVE-2025-0282. This flaw allows an authenticated local attacker to escalate their privileges.

As Ivanti is working with Mandiant and the Microsoft Threat Intelligence Center to investigate the attacks, we will likely see reports about the detected malware shortly.

BleepingComputer contacted Ivanti with further questions about the attacks and will update this story if we receive a response.

In October, Ivanti released security updates to fix three Cloud Services Appliance (CSA) zero-days that were actively exploited in attacks.

read more
alt=A person wearing a hoodie is focused on using a laptop computer in a casual setting.
Cyber security
2024-12-30 Post a Comment

Tech Ransomware is 35 years old and now a billion-dollar problem. Here’s how it could evolve

thumbnail

Ryan Browne
Key Points
  • Dating back to the 1980s, ransomware is a form of malware used by cybercriminals to lock files on a person’s computer and demand payment to unlock them.
  • The technology — which officially turned 35 in December — has come a long way, with criminals now able to spin up ransomware much faster and deploy it across multiple targets.
  • Experts expect ransomware to evolve even further, with modern-day cloud computing tech, artificial intelligence and geopolitics shaping its future.
As the ransomware industry evolves, experts are predicting hackers will only continue to find more and more ways of using the technology to exploit businesses and individuals.
As the ransomware industry evolves, experts are predicting hackers will only continue to find more and more ways of using the technology to exploit businesses and individuals.
Seksan Mongkhonkhamsao | Moment | Getty Images

Ransomware is now a billion-dollar industry. But it wasn’t always that large — nor was it a prevalent cybersecurity risk like it is today.

Dating back to the 1980s, ransomware is a form of malware used by cybercriminals to lock files on a person’s computer and demand payment to unlock them.

The technology — which officially turned 35 on Dec. 12 — has come a long way, with criminals now able to spin up ransomware much faster and deploy it across multiple targets.

Cybercriminals raked in $1 billion of extorted cryptocurrency payments from ransomware victims in 2023 — a record high, according to data from blockchain analysis firm Chainalysis.

Experts expect ransomware to continue evolving, with modern-day cloud computing tech, artificial intelligence and geopolitics shaping the future.

How did ransomware come about?

The first event considered to be a ransomware attack happened in 1989.

A hacker physically mailed floppy disks claiming to contain software that could help determine whether someone was at risk of developing AIDs.

However, when installed, the software would hide directories and encrypt file names on people’s computers after they’d rebooted 90 times.

It would then display a ransom note requesting a cashier’s check to be sent to an address in Panama for a license to restore the files and directories.

The program became known by the cybersecurity community as the “AIDs Trojan.”

“It was the first ransomware and it came from someone’s imagination. It wasn’t something that they’d read about or that had been researched,” Martin Lee, EMEA lead for Talos, the cyber threat intelligence division of IT equipment giant Cisco, told CNBC in an interview.

“Prior to that, it was just never discussed. There wasn’t even the theoretical concept of ransomware.”

The perpetrator, a Harvard-taught biologist named Joseph Popp, was caught and arrested. However, after displaying erratic behavior, he was found unfit to stand trial and returned to the United States.

How ransomware has developed

Since the AIDs Trojan emerged, ransomware has evolved a great deal. In 2004, a threat actor targeted Russian citizens with a criminal ransomware program known today as “GPCode.”

The program was delivered to people via email — an attack method today commonly known as “phishing.” Users, tempted with the promise of an attractive career offer, would download an attachment which contained malware disguising itself as a job application form.

Once opened, the attachment downloaded and installed malware on the victim’s computer, scanning the file system and encrypting files and demanding payment via wire transfer.

Then, in the early 2010s, ransomware hackers turned to crypto as a method of payment.

Ransomware attacks could get worse next year, says TrustedSec's David Kennedy

watch now
VIDEO04:39
Ransomware attacks could get worse next year, says TrustedSec’s David Kennedy

In 2013, only a few years after the creation of bitcoin, the CryptoLocker ransomware emerged.

Hackers targeting people with this program demanded payment in either bitcoin or prepaid cash vouchers — but it was an early example of how crypto became the currency of choice for ransomware attackers.

Later, more prominent examples of ransomware attacks that selected crypto as the ransom payment method of choice included the likes of WannaCry and Petya.

“Cryptocurrencies provide many advantages for the bad guys, precisely because it is a way of transferring value and money outside of the regulated banking system in a way that is anonymous and immutable,” Lee told CNBC. “If somebody’s paid you, that payment can’t be rolled back.”

CryptoLocker also became notorious in the cybersecurity community as one of the earliest examples of a “ransomware-as-a-service” operation — that is, a ransomware service sold by developers to more novice hackers for a fee to allow them to carry out attacks.

“In the early 2010s, we have this increase in professionalization,” Lee said, adding that the gang behind CryptoLocker were “very successful in operating the crime.”

What’s next for ransomware?

As the ransomware industry evolves even further, experts are predicting hackers will only continue to find more and more ways of using the technology to exploit businesses and individuals.

By 2031, ransomware is predicted to cost victims a combined $265 billion annually, according to a report from Cybersecurity Ventures.

'Fully acceptable' now that you have to use AI in your cyber defense, Darktrace's Mike Beck says

watch now
VIDEO03:48
‘Fully acceptable’ now that you have to use AI in your cyberdefense: Darktrace

Some experts worry AI has lowered the barrier to entry for criminals looking to create and use ransomware. Generative AI tools like OpenAI’s ChatGPT allow everyday internet users to insert text-based queries and requests and get sophisticated, humanlike answers in response — and many programmers are even using it to help them write code.

Mike Beck, chief information security officer of Darktrace, told CNBC’s “Squawk Box Europe” there’s a “huge opportunity” for AI — both in arming the cybercriminals and improving productivity and operations within cybersecurity companies.

“We have to arm ourselves with the same tools that the bad guys are using,” Beck said. “The bad guys are going to be using the same tooling that is being used alongside all that kind of change today.”

But Lee doesn’t think AI poses as severe a ransomware risk as many would think.

“There’s a lot of hypothesis about AI being very good for social engineering,” Lee told CNBC. “However, when you look at the attacks that are out there and clearly working, it tends to be the simplest ones that are so successful.”

Targeting cloud systems

A serious threat to watch out for in future could be hackers targeting cloud systems, which enable businesses to store data and host websites and apps remotely from far-flung data centers.

“We haven’t seen an awful lot of ransomware hitting cloud systems, and I think that’s likely to be the future as it progresses,” Lee said.

We could eventually see ransomware attacks that encrypt cloud assets or withhold access to them by changing credentials or using identity-based attacks to deny users access, according to Lee.

Geopolitics is also expected to play a key role in the way ransomware evolves in the years to come.

“Over the last 10 years, the distinction between criminal ransomware and nation-state attacks is becoming increasingly blurred, and ransomware is becoming a geopolitical weapon that can be used as a tool of geopolitics to disrupt organizations in countries perceived as hostile,” Lee said.

“I think we’re probably going to see more of that,” he added. “It’s fascinating to see how the criminal world could be co-opted by a nation state to do its bidding.”

Another risk Lee sees gaining traction is autonomously distributed ransomware.

“There is still scope for there to be more ransomwares out there that spread autonomously — perhaps not hitting everything in their path but limiting themselves to a specific domain or a specific organization,” he told CNBC.

Lee also expects ransomware-as-a-service to expand rapidly.

“I think we will increasingly see the ransomware ecosystem becoming increasingly professionalized, moving almost exclusively towards that ransomware-as-a-service model,” he said.

But even as the ways criminals use ransomware are set to evolve, the actual makeup of the technology isn’t expected to change too drastically in the coming years.

“Outside of RaaS providers and those leveraging stolen or procured toolchains, credentials and system access have proven to be effective,” Jake King, security lead at internet search firm Elastic, told CNBC.

“Until further roadblocks appear for adversaries, we will likely continue to observe the same patterns.”

read more
alt=Google Chrome, the world's most popular web browser, displayed on a computer screen with vibrant colors and a user-friendly interface.
Cyber security
2024-12-30 Post a Comment

16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft

î „Ravie Lakshmanan

                                                                                                                                                                                                                                                                                               A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.

The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal cookies and user access tokens.

The first company to be known to have been exposed was cybersecurity firm Cyberhaven.

On December 27, Cyberhaven disclosed that a threat actor compromised its browser extension and injected malicious code to communicate with an external Command and Control (C&C) server located on the domain cyberhavenext[.]pro, download additional configuration files, and exfiltrate user data.

“Browser extensions are the soft underbelly of web security,” says Or Eshed, CEO of LayerX Security, which specializes in browser extension security. “Although we tend to think of browser extensions as harmless, in practice, they are frequently granted extensive permissions to sensitive user information such as cookies, access tokens, identity information, and more.

“Many organizations don’t even know what extensions they have installed on their endpoints, and aren’t aware of the extent of their exposure,” says Eshed.

Once news of the Cyberhaven breach broke, additional extensions that were also compromised and communicating with the same C&C server were quickly identified.

Jamie Blasco, CTO of SaaS security company Nudge Security, identified additional domains resolving to the same IP address of the C&C server used for the Cyberhaven breach.

Additional browser extensions currently suspected of having been compromised include:

  • AI Assistant – ChatGPT and Gemini for Chrome
  • Bard AI Chat Extension
  • GPT 4 Summary with OpenAI
  • Search Copilot AI Assistant for Chrome
  • TinaMInd AI Assistant
  • Wayin AI
  • VPNCity
  • Internxt VPN
  • Vindoz Flex Video Recorder
  • VidHelper Video Downloader
  • Bookmark Favicon Changer
  • Castorus
  • Uvoice
  • Reader Mode
  • Parrot Talks
  • Primus

These additional compromised extensions indicate that Cyberhaven was not a one-off target but part of a wide-scale attack campaign targeting legitimate browser extensions.

Analysis of compromised Cyberhaven indicates that the malicious code targeted identity data and access tokens of Facebook accounts, and specifically Facebook business accounts:

User data collected by the compromised Cyberhaven browser extension (source: Cyberhaven)
User data collected by the compromised Cyberhaven browser extension (source: Cyberhaven)

Cyberhaven says that the malicious version of the browser extension was removed about 24 hours after it went live. Some of the other exposed extensions have also already been updated or removed from the Chrome Web Store.

However, the fact the extension was removed from the Chrome store doesn’t mean that the exposure is over, says Or Eshed. “As long as the compromised version of the extension is still live on the endpoint, hackers can still access it and exfiltrate data,” he says.

Security researchers are continuing to look for additional exposed extensions, but the sophistication and scope of this attack campaign have upped the ante for many organizations of securing their browser extensions.

read more
alt=A diagram illustrating the HTML-based infection chain, showcasing the flow of malware through web vulnerabilities.
Cyber security
2024-10-23 Post a Comment

Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

î „Ravie Lakshmanan

Russian-speaking users have become the target of a new phishing campaign that leverages an open-source phishing toolkit called Gophish Framework to deliver DarkCrystal RAT (aka DCRat) and a previously undocumented remote access trojan dubbed PowerRAT.

“The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim’s intervention to trigger the infection chain,” Cisco Talos researcher Chetan Raghuprasad said in a Tuesday analysis.

The targeting of Russian-speaking users is an assessment derived from the language used in the phishing emails, the lure content in the malicious documents, links masquerade as Yandex Disk (“disk-yandex[.]ru”), and HTML web pages disguised as VK, a social network predominantly used in the country.

Gophish refers to an open-source phishing framework that allows organizations to test their phishing defenses by leveraging easy-to-use templates and launch email-based campaigns that can then be tracked in near real-time.

The unknown threat actor behind the campaign has been observed taking advantage of the toolkit to send phishing messages to their targets and ultimately push DCRat or PowerRAT depending on the initial access vector used: A malicious Microsoft Word document or an HTML embedding JavaScript.

When the victim opens the maldoc and enables macros, a rogue Visual Basic (VB) macro is executed to extract an HTML application (HTA) file (“UserCache.ini.hta”) and a PowerShell loader (“UserCache.ini”).

The macro is responsible for configuring a Windows Registry key such that the HTA file is automatically launched every time a user logs into their account on the device.

The HTA file, for its part, drops a JavaScript file (“UserCacheHelper.lnk.js”) that’s responsible for executing the PowerShell Loader. The JavaScript is executed using a legitimate Windows binary named “cscript.exe.”

“The PowerShell loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim’s machine memory,” Raghuprasad said.

The malware, in addition to performing system reconnaissance, collects the drive serial number and connects to remote servers located in Russia (94.103.85[.]47 or 5.252.176[.]55) to receive further instructions.

“[PowerRAT] has the functionality of executing other PowerShell scripts or commands as directed by the [command-and-control] server, enabling the attack vector for further infections on the victim machine.”

In the event no response is received from the server, PowerRAT comes fitted with a feature that decodes and executes an embedded PowerShell script. None of the analyzed samples thus far have Base64-encoded strings in them, indicating that the malware is under active development.

The alternate infection chain that employs HTML files embedded with malicious JavaScript, in a similar vein, triggers a multi-step process that leads to the deployment of DCRat malware.

“When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine’s browser and simultaneously executes the JavaScript,” Talos noted. “The JavaScript has a Base64-encoded data blob of a 7-Zip archive of a malicious SFX RAR executable.”

Present within the archive file (“vkmessenger.7z”) – which is downloaded via a technique called HTML smuggling – is another password-protected SFX RAR that contains the RAT payload.

It’s worth noting that the exact infection sequence was detailed by Netskope Threat Labs in connection with a campaign that leveraged fake HTML pages impersonating TrueConf and VK Messenger to deliver DCRat. Furthermore, the use of a nested self-extracting archive has been previously observed in campaigns delivering SparkRAT.

“The SFX RAR executable is packaged with the malicious loader or dropper executables, batch file, and a decoy document in some samples,” Raghuprasad said.

“The SFX RAR drops the GOLoader and the decoy document Excel spreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with opening the decoy document.”

The Golang-based loader is also designed to retrieve the DCRat binary data stream from a remote location through a hard-coded URL that points to a now-removed GitHub repository and save it as “file.exe” in the desktop folder on the victim’s machine.

DCRat is a modular RAT that can steal sensitive data, capture screenshots and keystrokes, and provide remote control access to the compromised system and facilitate the download and execution of additional files.

“It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process,” Talos said. “The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file […] and exfiltrates the sensitive data collected from the victim machine.”

The development comes as Cofense has warned of phishing campaigns that incorporate malicious content within virtual hard disk (VHD) files as a way to avoid detection by Secure Email Gateways (SEGs) and ultimately distribute Remcos RAT or XWorm.

“The threat actors send emails with .ZIP archive attachments containing virtual hard drive files or embedded links to downloads that contain a virtual hard drive file that can be mounted and browsed through by a victim,” security researcher Kahng An said. “From there, a victim can be misled into running a malicious payload.”

read more
alt=1. A man stands before a laptop displaying a broken heart, symbolizing emotional distress or heartbreak.
Cyber security
2024-08-28 Post a Comment

Infostealers Waltz Through macOS to Grab Crypto Wallets, Browser Creds

Ironically, Macs’ lower risk profile may make them more susceptible to any given threat than the average Windows or Linux system.

Nate Nelson, Contributing Writer

A new infostealer is trying to ride the coattails of one of the most prevalent malware tools on the planet, taking advantage of some inherent security shortcomings in macOS environments.

In a new blog post, Cado Security discusses “Cthulhu Stealer,” a new cybercrime tool making the rounds lately. It’s designed to nab cryptocurrency wallet and gaming credentials, as well as browser data. It isn’t particularly sophisticated, perhaps because it doesn’t have to be. Atomic Stealer — Cthulhu’s progenitor — has proven as much. In the past couple of years, this basically average stealer has become one of the most prevalent malwares across the globe. Perhaps, experts suggest, that has to do with some of the ways in which the security community has looked past Macs in the past.

Case Study: Cthulhu Stealer

Cthulhu Stealer is an Apple disk image (DMG) written in Golang. It typically arrives in front of a victim’s eyeballs masked as a legitimate software program, like the CleanMyMac maintenance tool or the Grand Theft Auto video game.

When opened, the program asks for the victim’s system password and, illogically, their Metamask cryptocurrency wallet password.

“It should look suspicious to users, but sometimes people download stuff and they might not be thinking,” notes Tara Gould, threat researcher at Cado Security. With Cthulhu’s target demographic in particular, “They could be younger, or maybe not as well-versed in computers. There’s a whole host of reasons why it may not potentially flag as suspicious.”

Once planted, the program gathers system data, such as its IP address, OS version, and various hardware and software information. Then it goes after its real aim: crypto, game account, and browser credentials. Targeted apps include the Coinbase, Binance, and Atomic crypto wallets, Firefox cookies, and Battle.net and Minecraft user data.

Despite running for $500 per month on cybercrime forums, Cthulhu Stealer is essentially unsophisticated, without any standout stealth techniques, and largely indistinguishable from at least one other commercially available offering in the underground.

The Road Atomic Stealer Paved

The most notable feature of Cthulhu Stealer is how closely it copies Atomic Stealer. Not only do they share many of the same functionalities and features, but Cthulhu Stealer even includes some of the same typos in Atomic Stealer’s code.

Atomic Stealer isn’t so remarkable itself. Previously, Dark Reading noted its lack of a persistence mechanism, and characterized it as “smash and grab” by nature. Still, it’s no wonder that other malware authors might want to copy it, since it’s one of the most successful infostealers in the world today.

In a report last month, Red Canary ranked it as the sixth most prevalent malware in the wild today, tied with the popular SocGholish and Lumma, and the ubiquitous Cobalt Strike. Its sixth place finish is actually a step down from previous Red Canary reports, which have included Atomic Stealer in its top 10 lists for the entirety of 2024 thus far.

“The fact that any macOS threat would make the top 10 is pretty staggering,” notes Brian Donohue, principal information security specialist with Red Canary. “I would venture to guess that any organization that has a meaningful footprint of macOS devices probably has Atomic Stealer lurking somewhere in their environment.”

How Enterprises Should Handle macOS Threats

Threats to macOS are distinctly less common than to Windows and Linux, with Elastic data from 2022 and 2023 suggesting that only around 6% of all malware can be found on these systems.

“Windows is still targeted the most, because large corporations all tend to still be very Windows-heavy, but that is shifting. A lot of enterprises are starting to increase the amount of Macs they have, so it is definitely going to become more of an issue,” Gould says.

Hackers aren’t all jumping on the bandwagon yet, but there is growing interest, perhaps because there’s so little interest on the part of defenders.

In an email to Dark Reading, Jake King, head of threat and security intelligence at Elastic, indicated that threats to Macs have risen less than 1% over the past year, adding, “While we’re not observing significant growth patterns that indicate enterprise-specific targeting of MacOS, it may be attributed to a lower volume of telemetry acquired from this OS. We have observed several novel approaches to exploiting vulnerabilities over the calendar year that indicate adversarial interest across a number of campaigns.” In other words: the data may indicate a lack of interest in macOS from attackers, or from defenders.

If runaway successes like Atomic Stealer do inspire more hackers to move operating systems, defenders will be working from a disadvantageous position, thanks to years of disinterest from the security community.

As Donohue explains, “A lot of enterprises adopt macOS systems for engineers and administrators, so a lot of the people who are using macOS machines are, by default, either highly privileged or dealing with sensitive information. And my suspicion is that there is less expertise in macOS threats across those organizations.”

There’s also less tooling, Donohue adds. “Take something like EDR, as an example. These started out as tools for protecting Windows systems and then were later co-opted into being tools for protecting macOS systems as well. And Windows machines have really robust application control policies, but there isn’t really similar functionality in macOS Gatekeeper (which is roughly analogous to Windows Defender). It’s pretty good at finding malicious binaries and creating YARA rules and signatures for them, but a lot of malware developers have been able to sidestep it.”

Elastic’s King adds, “Default operating system controls, while effective, are likely not evolving at a rate alongside adversarial behaviors.” For this reason, King says, “Ensuring sensible access permissions, sufficient hardening controls, and instrumentation that allows for organizations to observe or prevent threats on macOS systems remains important.”

read more
Trustpilot
The rating of livingsafeonline.com at Trustprofile Reviews is 9.1/10 based on 13 reviews.
Verified by MonsterInsights