Over the past year, CrowdStrike® Services has observed threat actors increasingly targeting macOS environments — and using relatively unsophisticated methods to gain access. Even though workplace macOS systems have become increasingly popular, organizations often lack adequate macOS endpoint monitoring and management capabilities, compared to their Windows systems — making Macs lucrative targets for eCriminals.
Attackers are frequently gaining access using phishing attacks to capture legitimate user credentials or by targeting vulnerable public-facing infrastructure such as a corporate VPN lacking multifactor authentication. Once inside, they largely take a “living off the land” approach, using native macOS utilities or Apple App Store tools to move laterally to other systems and evade detection, sometimes for months. This type of malware-free attack is more likely to evade detection by legacy signature-based antivirus.
While adversaries prefer using legitimate credentials and corporate VPNs to maintain access to the victim’s environment, they occasionally leverage modified open-source malware to conduct operations and maintain persistence. While this malware could be detected by advanced next-generation security tooling, native macOS utilities can provide an attacker with the flexibility to remain undetected for command execution and persistence.
The lack of macOS endpoint management and security tooling can make it difficult for victim organizations to even be aware that an intrusion has occurred, let alone eject the adversary from the network.
What Can You Do?
CrowdStrike recommends the following practices for macOS environments:
- Implement stricter controls. Organizations can better detect and prevent threats against macOS environments by using a combination of security controls and next-generation endpoint protection technology. Restricting the pathways by which threat actors gain access and move laterally through macOS environments is critical to limiting the extent of compromises — even if phishing attacks are successful.
- Restrict Remote Desktop Protocol (RDP) access. It is essential that all available RDP connections undergo periodic review to eliminate unnecessary access paths often used by threat actors to gain entry to an organization’s environment. Remaining RDP connections should be deployed with multi-factor authentication capabilities to make it more challenging for threat actors to exploit these channels.
- Ensure real-time event recording. Real-time endpoint detection and response (EDR) tools, which are part of the CrowdStrike Falcon® platform, are essential for early detection, and with real-time data recorded in the cloud, records are not affected by log-clearing anti-forensic attempts.
- Utilize better triage tools. For incident response (IR) investigations, the right toolset is key to success. Triage tools such as CrowdStrike’s open-source Automated macOS Triage Collector (AutoMacTC, pronounced auto-mac-tic) are critical for scoping out an affected environment and quickly identifying compromised systems that require further analysis.
Download the complete report for more observations gained from the cyber front lines in 2019 and insights that matter for 2020: CrowdStrike Services Cyber Front Lines Report.
Leave a Reply