
Michael Covington at Jamf explores the security pros and cons of Apple devices
In recent years, Apple devices have experienced a significant rise to workplace prominence, with research by IDC in 2H’23 forecasting that the number of Macs sold to business users worldwide will jump by 20% between 2023 and 2024.
Firms are often attracted by Apple’s image as a more secure option than Microsoft, but whilst Macs have historically been lauded for their robust security and privacy measures, this reputation has led to a dangerous misconception.
For employees, particularly younger generations, working with Apple-centric IT infrastructure at work feels normal. In their eyes, Apple offers a sense of familiarity that encourages a more productive work environment. With nearly 90% of Gen Z owning an iPhone and 88% wishing for it to be their next phone, Apple’s integrated ecosystem of hardware, software and services makes it natural for these newly minted workers to seek workplaces that support their choice in work platforms, and Apple is clearly in the lead.
Many users still believe macOS to be inherently the safest operating system, a view that overlooks the dynamic nature of today’s threat landscape. Despite macOS’s advanced security features, modern threats employed by cyber-criminals are sophisticated enough to bypass or even exploit these protections. Adversaries can also combine multiple attacks to inflict meaningful damage to both the individual and the organisation.
Hence companies should not fall prey to this misconception, and should have robust security measures in place to combat modern macOS threats.
In many sectors, mobile technology adoption marked the beginning of workplace innovation. Apple, leading in mobility solutions, has seen notable success in smartphones and tablets within the workplace. According to research, there was a 76% increase in the number of Apple devices in the workplace in 2020-2021 alone.
The popularity of these devices is also on the rise, bolstered by employee ‘choice’ programmes. Apple’s tightly controlled ecosystem offers significant management benefits over Android’s more open system, which can make it harder to deliver both a consistent experience that fosters productivity and a secure foundation that is appropriate for work.
Threat actors have long concentrated their efforts on Windows systems, with the larger adoption of products built around Microsoft’s long-standing operating system meaning more targets. However, the growing preference for Apple in corporate settings is accelerating the evolution of a macOS-focused threat landscape, with more adversaries turning their attention towards Apple’s systems.
As organisations rapidly adopt modern devices like those running macOS and iOS, there is often a crucial lack of robust security measures. This gap in security awareness has led to a surge in sophisticated attack techniques, including ransomware, cryptojacking, and exploitation of zero-day vulnerabilities.
The Apple community has historically been very confident, stemming from the limited attacks that target macOS thanks to strong privacy measures and a relatively smaller user base. But this status quo is likely to be challenged by the emergence of LockBit macOS ransomware and other forms of more sophisticated malware. This emerging ransomware operation highlights the growing risks towards the Mac ecosystem, and that major ransomware groups are now looking to develop techniques which breach Apple devices.
Alongside this, cryptojacking, particularly on macOS, is becoming more common, exploiting the processing power of devices for large-scale crypto mining. The evolution of Apple’s ARM processors could further heighten their appeal to attackers.
For example, we found a cryptojacking malware which masqueraded as Final Cut Pro and secretly ran XMRig, a command-line crypto-mining tool, in the background. One notable feature of this malware is its use of the Invisible Internet Project (I2P) for communication, providing anonymity and making it harder to detect. This attack causes the user’s computer to slow down significantly and shortens the device’s life span, causing companies to operate at a slower pace.
Modern spyware, exploiting zero-click attacks, is another growing concern. The sophistication of commercial spyware makes it possible to target users on both new and old devices. The high operational costs of these spyware attacks imply that individuals and organisations with access to sensitive data on mobile devices must adopt a layered defence approach to mitigate these risks. Zero-day exploits allow adversaries to control machines and even bring them to a standstill. These attacks can hinder both the organisation’s and an employee’s productivity.
The threat actors targeting Apple devices are evolving rapidly, with several groups deploying sophisticated tactics. The threat labelled JokerSpy, for instance, ingeniously bypassed macOS security protocols, deploying a Python backdoor to facilitate system control and data extraction, and revealed the use of complex backdoors and macOS tools.
Furthermore, the discovery of the RustBucket malware, associated with North Korea’s BlueNoroff group, a sub-unit of the notorious Lazarus Group, exemplifies the advanced strategies employed by state-sponsored actors. They utilise social engineering and advanced malicious tooling, targeting companies and individuals involved with cryptocurrency.
Another alarming development is the emergence of MacStealer, a new malware variant distributed via the dark web. This malware is specifically engineered to target macOS systems, including those running on Intel, M1, and M2 CPUs. Its capabilities include extracting files, browser cookies, login information, passwords, and credit card data from popular browsers. With its ability to target recent macOS versions, MacStealer represents a significant threat, likely to see increased use due to its effectiveness and growing demand among cyber-criminals.
This expanding threat landscape underlines the critical need for enhanced security measures for these devices. With the rise of sophisticated cyber-attacks, particularly against businesses, the need for robust security on Apple devices is paramount. The growing demand for these devices in professional settings, coupled with their vulnerability to attacks like ransomware, highlights the urgency of enhanced security measures beyond Apple’s own protections.
The macOS Security Compliance Project (mSCP) is an excellent resource for organisations using macOS for critical applications and workers. The project helps organisations align their Apple device settings with key industry recommendations – like the CIS Benchmarks – helping to ensure comprehensive security across all modern devices. Mobile Device Management (MDM) systems are key in scaling this process, enabling efficient configuration of multiple devices and automating setup to minimise errors and speed up deployment.
Continuous monitoring and auditing are crucial for maintaining these standards. Combined with MDM and endpoint security tools, regular device audits ensure ongoing compliance and facilitate automated remediation for non-compliant devices.
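As an added illustration of the kind of audit described above (example code written for this article, not from the article itself, Jamf or the mSCP project), the POSIX shell script below checks four baseline controls that appear in the CIS macOS Benchmarks: FileVault, Gatekeeper, System Integrity Protection and the application firewall. Each check takes the captured output of the corresponding macOS command, so the report logic can run offline on constructed sample output; the live commands are only invoked on macOS.

```shell
#!/bin/sh
# Minimal macOS baseline audit. Each check_* function receives the captured
# output of the matching macOS command as $1 and returns 0 (compliant) or
# 1 (finding), so the logic can be exercised without a Mac.
set -u

check_filevault()  { printf '%s\n' "$1" | grep -q '^FileVault is On'; }      # fdesetup status
check_gatekeeper() { printf '%s\n' "$1" | grep -q '^assessments enabled'; }  # spctl --status
check_sip()        { printf '%s\n' "$1" | grep -q 'status: enabled'; }       # csrutil status
check_firewall()   { printf '%s\n' "$1" | grep -q 'State = [12]'; }          # socketfilterfw --getglobalstate

# Print one PASS/FAIL line per control and return the number of findings
# (0 means fully compliant); the return value is what an MDM or remediation
# workflow would key off.
audit_report() {
    fv="$1"; gk="$2"; sip="$3"; fw="$4"; findings=0
    for ctl in filevault gatekeeper sip firewall; do
        case $ctl in
            filevault)  out=$fv ;;  gatekeeper) out=$gk ;;
            sip)        out=$sip ;; firewall)   out=$fw ;;
        esac
        if "check_$ctl" "$out"; then
            echo "PASS $ctl"
        else
            echo "FAIL $ctl"; findings=$((findings + 1))
        fi
    done
    return $findings
}

# On macOS, audit the live system; elsewhere use constructed sample output
# with one deliberately non-compliant control (firewall off).
n=0
if [ "$(uname)" = Darwin ]; then
    audit_report "$(fdesetup status 2>/dev/null)" \
                 "$(spctl --status 2>/dev/null)" \
                 "$(csrutil status 2>/dev/null)" \
                 "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)" || n=$?
else
    audit_report "FileVault is On." "assessments enabled" \
                 "System Integrity Protection status: enabled." \
                 "Firewall is disabled. (State = 0)" || n=$?
fi
echo "findings: $n"
```

Run on a schedule via your MDM or a launchd job, a non-zero finding count is the trigger for automated remediation or a compliance ticket.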
Implementing endpoint protection that actively defends against threats adds another layer of security. A multi-layered defence strategy is important, focusing on device protection while enhancing the user experience and integration with other tools.
Finally, adopt a holistic approach. Security shouldn’t just be about devices; it involves understanding the interaction between devices, users, and business applications. Employing a zero-trust strategy, which restricts access to business data to authorised, secure devices, transforms workplace modernisation into a comprehensive security overhaul, making security a fundamental aspect of the organisational culture.
With the rapidly evolving cyber-security domain and increased adoption of Apple devices in workplaces, organisations must prioritise robust and modernised endpoint protection and adopt a layered defence strategy, incorporating tools like the macOS Security Compliance Project and Mobile Device Management. An approach that combines device security with a zero-trust strategy is crucial to protect not only the devices but also the sensitive data they access, making security an integral part of the company’s culture.
Michael Covington is VP of Strategy at Jamf
Main image courtesy of iStockPhoto.com
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543