Apple Apathy Vector – Spectral Blur

Yooooooooo...Hello all my Attack Vector Avengers! Hopefully the new year has not brought upon you any malicious maladies that your team could not handle! 2024 has been heralded as a growth year for many industries...Electric vehicles are picking up, the stock market is pushing northward from its all-time highs, and...hackers are increasing their attacks against Macs more and more.

It is estimated that in 2019 there were around 200 active threat actors attacking the venerable macOS...in 2023 that number grew to well over 2,200 active threat actors focusing on macOS. That's more than a tenfold increase! 10X!!!!! It's definitely something to start worrying about!

Why Macs, you say? Well, because since time began, Mac enthusiasts have bragged loudly that the Mac is an impenetrable tank! It's impossible to hack a Mac! Macs do not need anti-malware because they're the most amazing thing since sliced bread. Macs are God-sent through his prophet Steve Jobs and not even Satan himself can break the security of a Mac...

Hahahahahahahahahaajajajajajajajajajajajalololololol!!!! (**Laughs in DefCon**)

Let's clear up the first issue here. If it runs code, it's susceptible to attacks. Period. End of story. There is no perfect system (although the Amiga comes close...RIP Jay Miner, you are sorely missed!)...There is no silver bullet. There is nothing that should be run outside the auspices of some form of malware protection.

Why are there no perfect systems, you might ask? I can try and sell you on a multitude of ideas, but at the end of the day we can wrap it all up in this: humans are fallible...and humans are programming these solutions...on top of that, humans make more mistakes when pushing out commercial products with tight deadlines. On top of all that...Business has this odd paradigm that "80% is good enough for production"...I have heard variants of this saying: "perfection is the enemy of progress", or "we don't need lipstick on this pig"...or <insert your favorite line that a middle manager has hit you with to push an unfinished product out the door here>!!!

This latest attack vector is a backdoor referred to as "Spectral Blur". What do we know so far, given that this is a breaking development?

We know Spectral Blur (SB) can upload/download files, run a shell, update its configuration (oh snap!), delete files, hibernate, or sleep based on commands from its dear leader (the command and control server). See what I did there? Lol

What makes this even more interesting is that it shares numerous similarities with Kandykorn/SockRocket, RustBucket, and ObjCShell. In English, this means that this group is utilizing knowledge gleaned from previous successful attack vectors and is building highly sophisticated tools using the best parts of previous hacks! Taking it a step further, this is a job for a group of people, and there are only a few organizations coordinated enough, with enough resources, to handle this level of work...training the next generation and building a rather sophisticated pipeline to fine-tune their hacking work. This is not Anonymous/Anon...this is most likely a state-funded group like Lazarus or BlueNoroff.

Let's revisit the "Why Macs?" answer from above...Not only have generations of Mac enthusiasts happily drunk massive amounts of the "impenetrable Mac" Kool-Aid (c), but Macs are the systems you see in the hands of high-value targets like the C-suite. They are in artists' hands as well, but I don't think North Korea wants access to Adobe files...So they are coming for the bosses! The big wigs, the ones who have a penchant for strong-arming their IT teams into allowing them unfettered admin access to their Macs, citing the myth of being impenetrable as their main justification.

What this all leads to is that we have a state-sponsored, highly organized group of accomplished malware authors who are coming for the C-suite. So how do we protect ourselves? Simple...we have a plan to layer in defense on our Macs just like we do on our web servers...here are a few tips!

  1. Two layers of anti-malware. I normally put something on the endpoint (i.e. laptops, computers, phones, <insert anything that has access to your systems here>)...as well as something inline like a firewall product or some type of SIEM.

  2. Don't give people admin rights on their machines, especially leadership. You can set up software repositories easily through a slew of MDM software out there...Intune, Jamf, whatever.

  3. Use VPNs for access while traveling...This one should be self-evident as to why!

  4. Proper education on how to spot common attack vectors...monthly security newsletters at the minimum. (Shameless plug: ProzessTec has a monthly security newsletter offering for their clients at a laughably low cost, contact us! This helps with cybersecurity insurance as well!)

  5. PoLP: Principle of Least Privilege...don't give more access than needed. If a C-level executive is not accessing your internal systems and only using email and PowerPoint (as most C-suites should), then don't give them access! You wouldn't give an intern a key and codes to the data center, so why would you give anyone access to something they don't need? In fact, even in IT...if you were an engineer and then were promoted to manager...don't keep your engineering keys! You have to manage people now and you don't need your SSH keys for the firewall anymore.

  6. Geo-fence your logins. If your business is America-based with no travelers, why do you need to allow any authentication from outside the country?!

There are a million different little fixes you can make that will help protect you, and the specific tools needed will vary by site. You might be more SaaS oriented or old-school on-prem server oriented, and the tools you use have to match the business needs...there is no one-size-fits-all yet, and you need a trusted advisor to help you figure it all out...if you don't have one, please feel free to reach out to ProzessTec.

Thank you for taking the time to read through all that, and as always, please reach out with any questions or clarifications!

Till next time!