Mistakes in Apple's notarisation system have let malware slip into the macOS ecosystem, meaning cyber-criminals have been able to load adware onto the devices of website visitors.
This calls into question the received wisdom that Apple hardware and software are inherently safer than Windows.
According to a report by researchers at Objective-See, hackers got malicious code past Apple's notarisation system, which scans macOS applications for malicious content, allowing attacks on users' systems.
Twitter user Peter Dantini (@PokeCaptain) was the first to spot it. He noticed that the website homebrew.sh (not to be confused with the real Homebrew website, brew.sh) was hosting an active adware campaign. The site tries to persuade visitors to download what appears to be the 'latest version' of Flash Player, which is in fact disguised malware.
On Apple hardware, if the user agrees to install such software, macOS would normally refuse to run it because it is not notarised. In one case, Dantini noted, the OS failed to stop the software because it had been notarised, and it then tried to execute. This meant it had somehow got through Apple's security checks.
The malware in question was 'Shlayer', a common piece of malware that targets Apple hardware and uses various forms of adware. This raises questions over Apple's handling of software approvals.
“As noted, Apple ‘quickish’ revoked the Developer code-signing certificate(s) that were used to sign the malicious payloads,” outlined security researcher Patrick Wardle of Objective-See. “This occurred on Fri., Aug. 28. Interestingly, as of Sun. Aug. 30 the adware campaign was still live and serving up new payloads. Unfortunately, these new payloads are still notarised.”
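The check a defender would want at this point is whether a given bundle is actually notarised and which developer team signed it, so that it can be re-assessed after a certificate revocation. The POSIX shell functions below are an added example, not code from the article or from Objective-See; they parse the output of macOS `spctl --assess` and `codesign -dvvv`, and the sample outputs and team identifier ABCDE12345 are constructed.

```shell
#!/bin/sh
# Classify Gatekeeper's verdict for an app bundle from captured spctl output.
# Constructed sample outputs (not real assessments), used for offline checks:
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNNOTARIZED='/Users/me/Downloads/Install.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
TeamIdentifier=ABCDE12345
Authority=Developer ID Application: Example Corp (ABCDE12345)'

# First line of `spctl --assess -vv` ends with ": accepted" or ": rejected".
spctl_decision() { printf '%s\n' "$1" | sed -n '1s/^.*: \([a-z][a-z]*\).*$/\1/p'; }
# The "source=" line gives the reason (Notarized Developer ID, Unnotarized Developer ID, ...).
spctl_source()   { printf '%s\n' "$1" | sed -n 's/^source=//p'; }

# One-word verdict "notarized", or "<decision>:<source>" for anything else, so a
# rejected bundle (unnotarised, unsigned, or signed with a revoked certificate) stands out.
spctl_verdict() {
  d=$(spctl_decision "$1"); s=$(spctl_source "$1")
  if [ "$d" = accepted ] && [ "$s" = "Notarized Developer ID" ]; then
    echo notarized
  else
    echo "${d:-unknown}:${s:-none}"
  fi
}

# Team identifier from `codesign -dvvv`; a useful inventory key when Apple
# revokes a developer's certificate, as happened with the Shlayer payloads.
codesign_team() { printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1; }

# Live use on macOS: print path, Gatekeeper verdict and signing team for one bundle.
audit_app() {
  spctl_out=$(spctl --assess --type execute -vv "$1" 2>&1)
  cs_out=$(codesign -dvvv "$1" 2>&1)
  printf '%s\t%s\t%s\n' "$1" "$(spctl_verdict "$spctl_out")" "$(codesign_team "$cs_out")"
}
```

Running `audit_app` over every bundle in an inventory after a revocation shows which previously accepted apps now come back rejected.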
Neil Thacker, CISO EMEA and LATAM at Netskope, suggested that CISOs and information security teams should, at the very least, maintain an up-to-date inventory of all trusted applications, not just Apple's, and understand the function and data handling of those applications when they are installed on corporate devices.
“Many of these apps will have a direct connection to a corresponding cloud app through the use of an API, so CISOs should have visibility into the corresponding cloud app and be able to identify if and when an app behaviour change occurs.
As the average organisation uses well over 1,000 cloud apps, it's imperative they keep this inventory updated,” he recommended.
Thacker added that there are common methods CISOs could put in place to ensure apps containing malware are simply not installed. These processes include identifying new applications and testing them to ensure they are fit for purpose.
“This testing is key to understanding both the security of the application but also what data flows are expected. Visibility into these data flows is critical as it offers the opportunity to baseline activity and look for anomalies. Malware has a broad range of activities that can often be overlooked without understanding this.
Malware, for example, usually needs a command and control (C2) server to issue instructions. At Netskope, we have seen a rise in the number of usually trusted cloud apps that can be used for C2 purposes,” he explained.
‘Smug complacent’ Mac user?
Phil Stokes, threat researcher at SentinelOne, suggested that because people now have their Macs connected to so many other devices, there is much scope for those who wish to gather data or push adware, as well as for more targeted actors within the business environment.
“So, the situation today is that there are a lot more threats for Macs than there have ever been before,” he observed.
“There’s also not a great awareness of that in general. If you compare it to Windows, you can ask even the most basic Windows user and they probably know what an AV is or probably know that they need to have Windows Defender turned on.
“But with Mac users, I don’t generally get that sense of awareness. There is a sort of general feeling that, oh, well, it is a Mac, it is safe by design. That’s something that people really need to have.”