Checklist 17: 2016 Mac Security Year In Review
2016 has been a pretty wild ride overall, and there’s been no shortage of news stories vying for our attention. With 2017 on the horizon, it’s a good time to look back on some of the important Mac security issues that defined 2016. The past year has seen threats new and old targeting Mac users, but it has also seen some significant progress from Apple when it comes to security. Here are some of the top Mac security stories that you might have missed over the bumpy ride of the past year:
- Ransomware started targeting macOS.
- Mac adware is here to stay, and it’s gotten sneakier.
- Trojans and spyware and backdoors, oh my!
- Apple’s bug bounty program.
- FileVault password bypass and security going forward.
2016 definitely saw some of the same things as previous years — the sky is blue, water is wet, and adware is still targeting Mac users. Some things, however, were a bit different:
Ransomware started targeting macOS. We’ve covered ransomware before, and it’s nothing new — it’s been targeting Windows users for years. One thing that was new in 2016, however, was that ransomware started targeting Mac users in early March and again in late August.
A refresher on what ransomware does: After infecting a computer, ransomware “locks” important documents and files by encrypting them. The user is then alerted that their files are being held ransom, and the attacker will only provide the decryption key if they pay a ransom (usually in a hard-to-trace cryptocurrency such as Bitcoin). With a properly-implemented encryption algorithm, it’s almost impossible to unlock the files without the decryption key. Generally, the attacker will provide a short window (typically three days) during which the infected user can pay the ransom. After the time is up, the attacker will throw away the decryption key and the files will be locked forever.
Two different ransomware attacks, about six months apart, took aim at Mac users looking to download the Transmission BitTorrent client. These attacks were unique for a few different reasons:
First, this was the first widespread ransomware attack targeting Mac users. Previously, there had been some proof-of-concept ransomware, but nothing serious had appeared in the wild prior to KeRanger and Keydnap. Second, the malware targeted users looking to download the Transmission app directly from the developer’s website, something that is normally safe to do. Third, the attackers were able to compromise Transmission’s official download server not just once, but twice, showing that the Transmission developers may not have fully locked down their servers after the initial attack.
Luckily, both attacks were spotted quickly, which limited the number of users that were exposed to this ransomware.
Mac adware is here to stay, and it’s gotten sneakier. Adware targeting Mac users is nothing new, but 2016 saw some new developments in how it tried to trick Mac users into installing it, as well as showing more resistance to typical removal steps.
In mid-March, typosquatters set up a large number of domains ending in “.om” instead of “.com” to try and catch people who made a small typo when trying to visit popular sites such as Gmail, Macy’s, and Citibank. Mac users who stumbled on the fake sites were prompted to download a “Flash Player Update” which of course contained some well-known Mac adware instead.
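A defender-side check for the typo pattern described above, as an added example that is not part of the original show notes: it scans constructed proxy-log lines for hosts that imitate a watched ".com" domain under a TLD one dropped letter away (".om", and by generalization ".cm" and ".co"). The watch list, the log format, and the function names are assumptions made for illustration.

```python
import re

# Assumption: a watch list of brand domains you maintain yourself.
WATCHED = {"gmail.com", "macys.com", "citibank.com"}

def dropped_letter_tlds(tld="com"):
    """TLD strings produced by omitting exactly one letter: om, cm, co."""
    return {tld[:i] + tld[i + 1:] for i in range(len(tld))}

def typo_target(host, watched=WATCHED):
    """Return the watched domain that `host` imitates, or None."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]
    if tld in dropped_letter_tlds():
        candidate = f"{name}.com"
        if candidate in watched:
            return candidate
    return None

# Constructed proxy-log lines: "<timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2016-03-14T09:12:01Z 10.0.0.21 GET http://www.gmail.om/
2016-03-14T09:12:07Z 10.0.0.21 GET https://mail.gmail.com/mail/u/0/
2016-03-14T09:15:44Z 10.0.0.35 GET http://citibank.om/login
2016-03-14T09:16:02Z 10.0.0.35 GET http://example.om/
2016-03-14T09:20:13Z 10.0.0.48 GET http://MACYS.OM:80/sale
"""

# Captures the host part of a URL, skipping any userinfo and stopping at the port.
URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://(?:[^/@\s]*@)?([^/:\s?#]+)", re.I)

def scan(log_text):
    """Return (client, host, imitated_domain) for every lookalike request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, ignore
        m = URL_HOST.match(fields[3])
        if not m:
            continue
        target = typo_target(m.group(1))
        if target:
            hits.append((fields[1], m.group(1).lower(), target))
    return hits

if __name__ == "__main__":
    for client, host, target in scan(SAMPLE_LOG):
        print(f"{client} requested {host} (lookalike of {target})")
```

Legitimate ".om" sites that do not match a watched name, such as the constructed example.om entry, are left alone, which keeps the alert volume tied to the brands you actually care about.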
In early November, adware peddlers bought a number of ads to appear at the top of the results list when users searched for “Google Chrome.” The download link appeared to be legitimate, but Mac users who clicked the link ended up downloading adware instead. Once installed, the adware opened a scareware page that tried to trick Mac users into thinking they were infected (with something other than the adware itself), which led to fake cleanup apps that wanted payment in exchange for “fixing” the non-existent issues.
2016 also saw a brand new piece of adware targeting Macs with the emergence of Pirrit in early April. Pirrit had previously targeted Microsoft Windows, but proved to be a considerable nuisance for infected Mac users. Pirrit creates a hidden user account on infected systems running macOS, and sets up a local proxy server to inject ads into webpages. While annoying and more difficult to remove than other adware targeting Macs, it could have been much worse — with its complete control over the system, Pirrit could just as easily have installed keyloggers or stolen personal data.
There were also new variants of previously-known Mac adware detected in the wild, some of which used encryption and code obfuscation to try and hide their bad behavior from malware researchers.
Trojans and spyware and backdoors, oh my! Ransomware and adware weren’t the only threats targeting Mac users in 2016, which also saw its fair share of other threats, both new and old.
OceanLotus, a previously overlooked Mac threat, made the news in mid-February when it was “re-discovered.” It turns out the threat had been identified by a Chinese security firm back in 2015, but because their original research paper was published in Chinese, it flew right over the heads of Mac security vendors. OceanLotus was a part of a targeted attack, so the majority of Mac users thankfully avoided infection before it was rediscovered.
The Eleanor trojan came disguised as an app called “EasyDoc Converter” in early July, and had apparently been available for quite some time before that on popular Mac download sites. Instead of converting documents, the malware took complete control of infected systems, pilfering data, accessing the webcam, and installing a backdoor component.
Mokes, a cross-platform backdoor, was discovered in early September. This particular backdoor was able to steal data, capture screenshots and keystrokes, and execute arbitrary commands on infected systems.
Another trojan horse appeared in late September. Disguised as a PDF document, the Komplex trojan arrived by way of phishing e-mails that appeared to target aerospace agencies. Most likely the goal of this targeted attack was exfiltration of sensitive data.
While some of these trojan horses were clearly part of some specifically targeted attacks, and thus less likely to affect the average Mac user, some were not so discriminating, and showed once again that even trusted Mac download sites can be unwitting distributors of malware.
Apple’s bug bounty program. In early August, Apple finally joined the ranks of companies offering bug bounty programs. Microsoft, Facebook, Google, and other companies with bug bounty programs offer rewards for identifying security flaws in their apps and systems.
Bug bounty programs have strict rules when it comes to getting a payout. Security researchers must keep their findings private, and provide the company with a specific set of steps needed to exploit a given vulnerability, including proof-of-concept code. The security researcher can’t “double-dip” and sell details of the exploit to a third-party exploit vendor as well as submitting it to a company’s bug bounty program. Companies usually request time to patch the bug, which can take months depending on the severity of the bug. The security researcher cannot publicly disclose their findings until after the bug has been patched.
Apple had long held out on offering such a program, which resulted in security researchers and hackers alike frequently selling discovered exploits to third parties — who don’t necessarily have user security in mind. Apple’s bug bounty program is unique in that it’s invite-only — so for now only an exclusive list of Mac security researchers is able to cash in on their discoveries.
FileVault password bypass and security going forward. The end of the year didn’t pull any punches when it came to Mac security. In mid-December, it was revealed that Apple’s recent release of macOS 10.12.2 patched an incredibly severe security hole. A security flaw present in macOS Sierra 10.12.1 allowed an attacker to obtain a user’s FileVault password.
The attacker needed physical access to the target machine, as well as a $300 Thunderbolt device. When plugged into a locked or sleeping Mac, the device checked specific memory locations where the FileVault password was temporarily stored in plaintext (rather than in an encrypted format). In a demonstration video, the security researcher who discovered the attack was able to retrieve the password from a locked Mac in under 30 seconds. In this case, the security researcher who discovered the vulnerability did the right thing and reported it to Apple to patch, and didn’t release details on the exploit until after Apple had a chance to fix the bug.
Throughout 2016, Apple released numerous updates and security patches, showing that they’re doing their best to stay on top of security issues before they can affect end users. However, it’s important to note that users need to be proactive in installing these updates and patches in order to stay protected! 2016 showed that malware authors were trying new techniques to infect Mac users, and we’re sure to see more of the same in 2017.
That wraps things up for this episode! If you’d like more information on the topic we covered today, or if there’s a specific topic you’d like to see featured on a future episode, send us an e-mail at checklist@securemac.com!