Defending macOS Against Sophisticated Attacks

Recently, SentinelOne researcher Phil Stokes joined Dave Bittner from CyberWire to discuss macOS security for Recorded Future’s Inside Threat Intelligence podcast. Phil discusses his journey into macOS Security and the recent release of SentinelOne’s free eBook for enterprise macOS Threat Hunting and Incident Response.

Listen to (or read) the full interview below, and get the SentinelOne macOS Threat Hunting and Incident Response eBook here!

This transcript was generated automatically by Sonix and may contain errors.

This is Recorded Future Inside Threat Intelligence for Cyber Security.

Dave Bittner:
Hello, everyone, and welcome to Episode 170 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. Our guest today is Phil Stokes. He’s a security researcher at SentinelOne, where he specializes in the analysis of attacks against macOS. In our conversation, Phil Stokes shares his professional journey, how he came to focus on the Mac platform, as well as insights on the state of security on Apple’s desktop operating systems. He tracks the growing sophistication of those seeking to attack macOS and provides tips for security professionals looking to bolster their defenses. Stay with us.

Phil Stokes:
I’ve come from a kind of unusual background, I guess, for somebody in cybersecurity, in the sense that I started, I mean, I’ve been involved with the Mac platform for something like 15 years or more, but I didn’t really start getting into it in a kind of technical way until about 10 or 11 years ago. And I just started out on Apple’s support forums, troubleshooting, you know, sort of volunteering troubleshooting advice to people. And after a while, that led me to, most of the problems that were coming up back then were, or it started to be, when we started to see security issues coming up, like adware and things like that. And that sort of, in a roundabout way, led me to develop my own software to basically deal with all these issues instead of answering people’s questions all the time.
And so for about five or six years, I was developing my own software and doing that. And then about two years ago, I joined SentinelOne.
Basically, they were looking for somebody who had a background in macOS security issues to sort of help with research, and somebody who kind of knew the threatscape and had sort of seen it evolve. So that’s kind of how I got to today.

Dave Bittner:
Where do we find ourselves today when it comes to macOS and sort of the state of things when it comes to security? What’s your estimation of where we are?

Phil Stokes:
Generally, the Mac is a safe platform. I don’t think there’s a big argument about that. But I think that the issue really is that there is a malware problem on macOS, which never existed maybe five or six years ago. And it’s actually even escalated again in the last couple of years, I think. And I think part of that is to do with the fact that Macs are now far more often found in business environments where, as you know, they probably weren’t going back those five or six years. They weren’t really a popular business machine. And I think it’s also that, just to use a sort of vague general term, threat actors have realised there is money to be made from Mac users. I think, you know, possibly it comes with the, you know, the development of the iPhone from 2007. But the fact that people now have their Macs connected to so many other devices, they are a rich hunting ground for people who want to gather data, serve adware, and we also have some more targeted actors as well with the business environment. So, I think the situation today really is that there are a lot more threats for Macs than there have ever been before, but I think there’s also not a great awareness of it. If you compare that to, say, Windows, you can ask even the most basic Windows user and they probably know what an AV is, or probably know that they need to have Windows Defender turned on or something like that. But with Mac users, I don’t generally get that sense of awareness. You know, there’s this sort of general feeling that, oh, well, it’s a Mac. You know, it’s safe by design. You know, I think that’s something that people really need to have second thoughts about with the kind of threats that we see these days.

Dave Bittner:
It’s my perception from the folks that I’ve talked to that the majority of the malware hitting Mac users seems to be adware, you know. It’s that classic, you know, update your copy of Flash and then something gets installed that shows ads. Is that an accurate perception on my part?

Phil Stokes:
I would say so. I think I wouldn’t like to give figures because I don’t really have the data to back it up. But, you know, off the top of my head, I would say probably 70, 80, maybe even 90 percent of the stuff I actually see on a day-to-day basis is going to be adware.
And its kind of cousin, which is the stuff we call bundleware, you know, all the kind of potentially unwanted software that gets installed alongside. You know, it says download some software manager and you get like 10 things like MacKeeper and, you know, all these sort of utilities that are not really offering any value, that often get installed through hidden or very, very difficult to see checkboxes and things like that. Crypto miners are also a thing. We’ve had LoudMiner and BirdMiner in the last couple of years, so in terms of detections, we see those on the rise quite a lot. And to a much lesser extent, there’s bits of sort of spyware and data-stealing stuff. And of course, the things that get the headlines every now and again are, you know, the things like Lazarus or APTs, you know, very, very targeted things that are going after specific users. So, yeah, I mean, I think that’s a fairly accurate way to think about it. In terms of the general user, I think the most threats that they’re looking at are adware and bundleware. The other problem that I see developing is when we look at these adware and bundleware actors, and there’s an actor in the media generally called Shlayer, which has been kind of pretty proactive in the last 18 months or so.
What you see is a lot of interaction between themselves and a lot of swapping. So you get adware that’s also installing bundleware, and you get bundleware downloads that are serving up adware. And it’s kind of difficult, actually, a lot of the time to pull apart the different players, you know, all these sort of pay-per-install kind of things. Some of them are serving adware and some of them are serving genuine malware. So it seems as if there is, you know, a lot of sort of interaction with these guys in terms of helping each other out to, you know, serve this. I mean, I just call the whole lot malware, basically. It’s something that the user doesn’t want and doesn’t know about and is not in their interests. And as far as I’m concerned, you might as well call it all malware. The number of these things is what’s really quite shocking when you look at just how much more of this is occurring. It is more this year than it was last year, you know, almost exponentially. And there seem to be more players as well.

Dave Bittner:
Well, so you and your team recently published an ebook, and among the things you focused on were incident response and threat hunting on macOS. Can you take us through, share with us some of the insights that are in that ebook when it comes to those topics?

Phil Stokes:
Our idea with the ebook was really, in a sense, that, you know, we deal with a lot of SOC teams, security operations centers, that are very familiar with Windows. And I know that, you know, they know their way around all the Windows devices, but maybe they’ve got, you know, a very small percentage of Macs in their fleet. And this is not necessarily a topic that they’re very familiar with. So what we wanted to do was basically produce a book that would guide them through, you know, how do you triage a Mac device that comes into, you know, the IT team or the SOC team, and it looks like it’s either had malware on it or could have malware on it, or, you know, has been behaving in some way that’s suspicious. So basically, the idea is to try to educate people who are not familiar with Macs about all the different places and the different ways that malware can get itself inside a Mac device. So we talk particularly about persistence agents in the ebook. That’s, for me, when I’m trying to triage a machine, the first thing I want to look at is, what is the persistence mechanism? Because 99 percent of all malware is going to have some way that it wants to stay on the system. So we talk about all the different persistence mechanisms that are possible on a Mac. So there’s kind of a whole chapter on that. And then we talk about how to actually look at a Mac and determine whether it’s been manipulated in some way.

So that might be, of course, looking at running processes that are actually live at the time, but also looking at historical things. How do you investigate the file system on a Mac? It’s not the same as on a Windows device, obviously. How do you check what the network configuration is, and has it been manipulated in any way? And Macs, I mean, Macs are special in one very specific way that’s different from all other computing devices, in the sense that the hardware and software is all built by the same people. So there is this huge integration that you don’t see on Windows devices, you don’t see on Linux devices. And for that reason, there are lots of things hidden away that the operating system knows that you can find out about the history. And many people don’t know about these things. Lots of hidden SQLite databases, lots of little obscure utilities that only exist on macOS. Even though Mac is a Unix-based system, or Unix-type system, there are lots of command-line utilities that you won’t find on a Linux or Unix-based system. So, you know, we try to talk through all these various different tools and databases that are useful if you want to basically find out what’s happened on the system, and where can I find evidence that the system has been manipulated.

Dave Bittner:
So what are your recommendations for folks who are out there and have, you know, a fleet of machines that they’re charged with looking after? Perhaps they have a handful of Macs, perhaps they have a lot of Macs. Any suggestions, any words of wisdom?

Phil Stokes:
Sure. Well, I think, you know, the main thing that you need, especially if you’re talking about, you know, a business, enterprise situation, the main thing that you need is visibility, because the one thing that you don’t get, I don’t know Windows, I don’t know if it’s true there, the one thing that you don’t get on a Mac is any way to be able to tell what’s going on in an easy way. For example, I mean, if you thought you had malware, or, I often have this conversation with people where they just say, oh, you know, my Mac’s great, it never gets any infections. And I say, so how do you know? How would you check? What tool would you use that could give you that confidence? And normally, you know, if people know anything about the Mac, the only thing they’ll know is like, well, I can open up the Activity Monitor. And I’m like, yeah, but, you know, there are crypto miners that go to sleep when you open up the Activity Monitor on macOS; they’re programmed to do exactly that. So, you know, I mean, Apple have their own sort of built-in security tools, OK? But they leave a lot of gaps. And one of the main things that they don’t have is, if you’re in IT, if you’re an admin, they don’t offer you any visibility into what’s going on.

So I think you need some kind of software that’s going to be able to give you that visibility, that you’re going to be able to easily look at. How is this machine different today than it was yesterday? What’s happened on this machine? If you find, you know, some suspicious launch agent or something, where did it come from? How do I see what it’s connected to? So, you know, my main advice is that, I mean, there are lots of solutions out there that can do this. And this is one of the things that, as I said earlier, I originally started out as a software developer, and this is one of the things that I developed. But the point is to ask yourself the question and then go find out the answer: how would I find out if my Mac had malware? That would be my first piece of advice. My second piece of advice would be to think about, again, if you’re thinking more about IT teams and admins, think about how do you control what your users do? Because almost all malware, 99 percent of it, is coming through user interaction. Certainly on the Mac. I can’t speak for other platforms, but on the Mac, you know, there might be some rare case where, you know, an APT actor steals your laptop and inserts something on the, you know, on the logic board. But in reality, 99 percent of malware is coming through user interaction.

The user is downloading something, as you were talking about before, being convinced that they need some fake Flash Player update. So the question is, how can you see what users are doing, and how can you control them? And, you know, there are various things you can do in terms of controlling devices. Apple have this MDM platform, and there are third-party solutions like Jamf and Fleetsmith, where you can control various aspects of what users can change from a sort of admin perspective. And I think that’s, you know, certainly in an enterprise environment, I think that’s important for all of your security posture. Because the thing with Macs is that almost every user by default is an admin user, and as soon as you download something and run it as an admin user, if it’s not a sandboxed app, you know, from the App Store, the process has an enormous power to do things without you knowing what it’s doing. So it comes back to what I was saying earlier about visibility, but also, you know, if you’re looking at it from a SOC or IT team perspective, you really want to be thinking about how can you get some kind of control to stop people infecting themselves, basically. And the last thing I would just say, and I think this is a big one, and it comes back to where I started, I think is user education. Because, as I say, you know, Windows users have kind of got the idea that there are threats there, that they need to have Windows Defender running or whatever, you know, and I think Mac users haven’t got there yet.
I think there’s a very wide, I see this even with, you know, some of the thought leaders or influencers on Twitter and various social media platforms. Now, they will argue that, oh, there’s no real malware for macOS, and, you know, nobody needs security software. And, you know, how would you know if you had some? So I think just this idea that, you know, it’s not a myth anymore, that there is. You can go on VirusTotal and just, you know, for those that have access to it, you can just do a search tag for Mach-O and just see how many new malware samples are going up on a repository like VirusTotal every day. So, you know, people just need to be aware that, yeah, you can be safe if you are educated. As you say, a lot of the adware and stuff that we see there is just manipulating users who, you know, just don’t know better. They trust stuff, and they just need to know that, you know, the situation has changed. It’s not necessarily a trustworthy world out there.

Dave Bittner:
What are your thoughts as Apple has announced that they’re going to be shifting to ARM chips? Is it a shift you’re looking forward to? What do you think we’re in for?

Phil Stokes:
Yeah, I don’t know. Actually, I am personally. I’m looking forward to it. As I told you, you know, I started off with Acorn RISC Machines, and that’s basically where ARM itself comes from.
So this is reduced instruction set CPUs, right? So as a reverse engineer, I’m absolutely, yeah, let’s, you know, let’s go. This is great stuff. So great to get away from Intel. But I don’t know. I mean, you know, in terms of your listeners, I don’t know yet at this point. I think it’s too early to say what that will mean in terms of, you know, the security situation. It’s fairly clear with Big Sur and 10.16 or 11, whichever they finally decide on, it’s fairly clear that there’s a lot more lockdown coming.
You know, they’re locking down the, there’s kernel integrity protection coming. They’re locking down the system volume so much now that you won’t even need FileVault on it.
So it’s clear that, you know, Apple have got this whole concept, if you like, or philosophy about locking down the system, and things like notarization that came in in 10.14, I think, are all part of that. How that transitions into ARM kind of remains to be seen. Sorry I can’t be much more informative at the moment, but we don’t have that much info on it. Yeah. So quite recently we saw one of the very few instances of ransomware on the Mac, and it was kind of very unusual ransomware in the sense that it never really looked like the threat actors were that serious about making money, and in fact, from our investigation, it didn’t look like they made any money whatsoever. But the threat itself was interesting as a development because they actually included multiple different kinds of capabilities. In fact, all the kinds of capabilities that you typically associate with Windows malware. So there’s a backdoor in there. You know, there was spyware, data exfiltration stuff in there, there was privilege escalation in there, as well as the actual ransomware component, you know, that got all the headlines. And that to me, and to my colleagues, what struck us mostly about that was just how developed now these actors are becoming on the Mac platform. I mean, a few years ago.
Anything that you saw on a Mac was very poorly conceived, and it was clear that the developers probably didn’t come from a Mac background. And I think now, that particular item was called EvilQuest or ThiefQuest, I think it was finally named. That particular piece of malware was clearly developed by people who were Mac developers. And the same story with the recent Lazarus. We did a post recently on four different families of Lazarus malware, and I think Kaspersky had done one on a framework as well a week before that they attributed to Lazarus. And again, when you look at the code underneath, you know, from a reverse engineering standpoint, you can see that these are not developers from another platform who are just trying to pull something over. You know, these are Mac developers. These are people that know Apple’s APIs and Apple’s coding languages inside out. And they’re using everything from basic C libraries to Objective-C to Swift and, you know, the whole gamut of things that are available for Mac developers. So this, again, is part of my perception that I think the whole malware scene on Mac is, what we can see, that it has increased over the last few years. But I think it is developing as well. And as Apple develop their responses, it’s clear that there are teams, threat actors, that are out there that are, you know, responding in kind. So I think this is a problem that, you know, it’s not going to go away with a quick solution from Apple changing, you know, some technology on their side. I think that the threat actors are heavily invested in the platform.

Dave Bittner:
Our thanks to Phil Stokes from SentinelOne for joining us. Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. You can find that at recordedfuture.com/intel. We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future Podcast production team includes coordinating producer Caitlin Mattingly and executive producer Greg Barrett. The show is produced by the CyberWire with executive editor Peter Kilpe. And I’m Dave Bittner. Thanks for listening.

Ebook: macOS Threat Hunting & Incident Response
This guide will arm you with the knowledge you need to defend your organization’s macOS fleet.