New Mac Malware Delivered in Watering-Hole Attacks

Discussion in 'all things Mac' started by guest, Nov 12, 2021.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    New Mac Malware Delivered in Watering-Hole Attacks
    A watering-hole attack leveraged a now-patched Apple vulnerability to infect website visitors with novel Mac malware.
    November 12, 2021
    https://duo.com/decipher/new-mac-malware-delivered-in-watering-hole-attacks
    Google Threat Analysis Group (TAG): Analyzing a watering hole campaign using macOS exploits
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Here we go again, you macOS fanboys can keep saying that macOS is way more secure than Windows, but I'm not buying it. This seems to be another major hole in both Safari and the macOS kernel, and apparently built-in security did nothing to stop the backdoor malware from running. Keep in mind, this is not just theory, it actually happened. :rolleyes:

    At least on Windows you've got tons of anti-malware tools to choose from. I would like to see more mitigation tools for Macs, because this stays the most important. Who knows how many more "zero days" there are out there for both macOS and Windows. Of course it's possible that third-party AVs would have blocked this malware, and the attack also didn't work on macOS Big Sur, even without a patch.
     
  3. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    The vulnerability is now patched though. :rolleyes:
     
  4. Melionix

    Melionix Registered Member

    Joined:
    Jun 22, 2020
    Posts:
    111
    Location:
    Earth
    Ah yes.

    macOS: Runs on the secure ARM architecture, sandboxes everything to some degree, and heavily sandboxes programs from the Store.
    Windows: Runs on the insecure x86 architecture, sandboxes almost nothing, and the Store is a huge failure.

    As far as computers sold in stores are concerned, macOS is second only to Chrome OS, where absolutely everything is sandboxed and Guest Mode in particular is a fortress.
     
  5. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I think Safari is probably the safest browser at the moment. It scores higher than Firefox, Vivaldi and Chrome on BrowserAudit for me. It has inbuilt tracking prevention amongst other things.

    [attached screenshot: AdBlock Pro.jpg]

    Together with something like AdBlock Pro it's pretty secure.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, correct, the Safari hole was already patched in January 2021, but the macOS kernel hole was a zero day. The problem is that patching won't protect against zero days, obviously. So mitigation tools stay the most important. On Windows I could have easily tackled such an attack.

    For example, let's say that Win Defender failed to spot the payload, which in this case was a backdoor but could have also been ransomware, then there are plenty of other tools like OSArmor, SpyShelter and Sandboxie to save the day.

    I would like to see more of these types of tools for macOS, because it's obvious that built-in security isn't always good enough. BTW, perhaps a firewall like Little Snitch would have also helped, but it depends on the type of backdoor, because more advanced ones will try to bypass the firewall.

    I wouldn't rely on BrowserAudit too much, because it doesn't say anything about remote code execution attacks and quality of the built-in browser sandboxes.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    This is cool and all, but did it help to stop this attack? No it didn't, so it's not relevant. The only way to settle this discussion once and for all is to have hackers look for zero day remote code execution holes on both the macOS and Windows and to see how many they are able to find in one year.

    Let's say they find 20 in Windows and only 5 in macOS; only then could you say it's more secure. Of course they should also look for zero days in Safari and Edge, since browsers are the main entry point for these types of attacks, especially when it comes to hacking home users.

    I can just see these people surfing the web with Safari, which runs on the super duper secure macOS, thinking that such an attack isn't possible, and by simply visiting a website they got hit with a backdoor. And built-in protection tools like XProtect and Gatekeeper didn't help, at least not on macOS Catalina and Mojave. That's why it's important to make people aware of this type of stuff, and not to simply dismiss it as FUD.
     
  8. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    macOS has a firewall, although most macOS users don't activate it. I have a perfectly good router firewall. I'm totally confident in both of my Macs' abilities to protect themselves from most real-life malware. Either way, macOS, Ubuntu and Chrome OS are still far safer than anything Windows. I just don't believe the innately insecure Windows would have fared any better. More mitigation tools just aren't necessary on Unix in real-world situations. I've not needed them in all the years I've run Unix operating systems.

    Melionix put this better than I can:

    "macOS: Runs on the secure ARM architecture, sandboxes everything to some degree, and heavily sandboxes programs from the Store.
    Windows: Runs on the insecure x86 architecture, sandboxes almost nothing, and the Store is a huge failure."


    Windows architecture just isn't secure. Again, Safari still scores highest on BrowserAudit for me, closely followed by Firefox. Chrome/Bugvaldi coming in joint last. That tells me Safari is slightly more secure than the others. Albeit not by much. As you don't run anything Unix, especially macOS, I'm unsure why any Unix vulnerabilities detected in extant systems are of interest. All systems can have zero day attacks. Just because there are occasional discovered ones on Unix platforms doesn't mean they are as vulnerable as Windows.
     
  9. Melionix

    Melionix Registered Member

    Joined:
    Jun 22, 2020
    Posts:
    111
    Location:
    Earth
    Nothing is invulnerable to malware. Nothing. Not even Qubes OS.

    However, Windows sadly is trash. If nothing else the legacy code makes sure it stays trash.

    This is coming from a Windows 10 user that really doesn't want to use anything but Windows. But the sad reality is that the fact that programs from 10 years ago need to work on the latest software means macOS and Chrome OS will always be ahead, as they don't have the same importance in the corporate industry. Also, people would rage if their games on Windows 11 stopped working.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I already explained that with the right (third-party) mitigation tools, Windows would have fared better, especially since Win Defender has been improved a lot; it's now capable of tackling even more advanced attacks. If you don't believe this, then I'm afraid you just don't have enough knowledge about this subject, no offence. With that I mean, mitigation tools on Windows are really quite advanced. Also, a router won't block outgoing connections; it's not the same as a software-based firewall.

    I already explained, BrowserAudit is not relevant when it comes to drive-by attacks, which is what this topic is about. And I believe security issues on all operating systems are of interest, no matter if I'm using them or not. If this was about Qubes OS I would have also reacted.

    The point is, I think it's amusing to see that the same type of hacks that Windows got hammered for in the last 20 years or so are now also being found on macOS, which was supposed to be way more secure, yeah right. But now that macOS is getting more popular, hackers are taking notice, so I expect to see more of these kinds of hacks. And if I ever switch to macOS, I sure as hell won't rely on built-in security.
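Added example, not part of any post above or of the Decipher/TAG write-ups: the egress-monitoring check that posts 6 and 10 argue for (a host-side view of outbound connections, which a router firewall does not give you). It parses the output format of `lsof -i -nP -sTCP:ESTABLISHED` on macOS and flags established outbound TCP connections from processes that are not on an allowlist. The sample `lsof` lines, the allowlist and the process names in it are constructed for illustration and are assumptions, not data from the campaign discussed.

```python
"""Flag unexpected outbound TCP connections from an lsof-style listing.

Input is the column layout of `lsof -i -nP` (macOS). Everything below the
docstring that looks like captured output is constructed sample data.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of `lsof -i -nP -sTCP:ESTABLISHED`.
# The "python3" row stands in for a backdoor calling home over 443.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Safari      512 alice   23u  IPv4 0x3a1f9d2c8e4b1a01      0t0  TCP 192.168.1.10:52344->17.253.144.10:443 (ESTABLISHED)
mDNSRespo   201  _mdns   7u  IPv4 0x3a1f9d2c8e4b1a02      0t0  UDP *:5353
python3    7781 alice    3u  IPv4 0x3a1f9d2c8e4b1a03      0t0  TCP 192.168.1.10:60120->203.0.113.77:443 (ESTABLISHED)
sshd        311  root    4u  IPv6 0x3a1f9d2c8e4b1a04      0t0  TCP [::1]:22->[::1]:54010 (ESTABLISHED)
"""

# Processes expected to talk to the network on this host (assumption for the
# example; lsof truncates COMMAND to 9 characters, hence "mDNSRespo").
ALLOWED_COMMANDS = {"Safari", "mDNSRespo", "sshd"}

LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


@dataclass(frozen=True)
class Conn:
    cmd: str
    pid: int
    user: str
    proto: str
    local: str
    remote_host: Optional[str]
    remote_port: Optional[int]
    state: Optional[str]


def _split_endpoint(endpoint: str):
    # "[::1]:54010" and "203.0.113.77:443" both split on the last colon.
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def parse_lsof(text: str) -> List[Conn]:
    """Parse lsof rows into Conn records; header and unknown rows are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        remote_host = remote_port = None
        if "->" in name:  # connected socket: local->remote
            local, remote = name.split("->", 1)
            remote_host, remote_port = _split_endpoint(remote)
        else:             # listening/bound socket: local only
            local = name
        conns.append(Conn(m.group("cmd"), int(m.group("pid")), m.group("user"),
                          m.group("proto"), local, remote_host, remote_port,
                          m.group("state")))
    return conns


def find_unexpected_egress(text: str, allowed) -> List[Conn]:
    """Established, non-loopback TCP connections owned by non-allowlisted commands."""
    flagged = []
    for c in parse_lsof(text):
        if c.proto != "TCP" or c.state != "ESTABLISHED" or c.remote_host is None:
            continue
        if c.remote_host in LOOPBACK:
            continue
        if c.cmd not in allowed:
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    # Pipe real output in (`lsof -i -nP -sTCP:ESTABLISHED | python3 egress.py`)
    # or run with no input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    for c in find_unexpected_egress(text, ALLOWED_COMMANDS):
        print(f"unexpected egress: {c.cmd}[{c.pid}] as {c.user} "
              f"-> {c.remote_host}:{c.remote_port}")
```

On the sample data only the `python3` row is reported. The check is point-in-time and name-based, which is exactly the weakness post 6 points at: a payload that names itself like an allowed binary, or that runs its callback from inside an already-allowed process, passes it. Per-process rules from a tool such as Little Snitch, or a pf ruleset that denies outbound by default, close more of that gap than an allowlist on command names.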
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I don't see how Windows is trash. I haven't actually been infected on a Windows machine in the last 20 years or so. That doesn't mean I'm not aware of the risks. The only reason why macOS is conceived to be more secure, is because of its smaller market share, so it's way less attractive to hackers.

    Also, don't forget that at all major hacking events, Safari and macOS got hacked successfully, similar to Windows and Chrome. That's how I personally measure OS security, so you guys can keep repeating that macOS is not as vulnerable as Windows, but until this is confirmed by security experts who actually know how to find zero days and can actually exploit them, it's merely an opinion and not a fact, nothing more and nothing less.
     
  12. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Yeah, but I don't believe anything you say or claim. Unix, particularly macOS, is still safer. Just not invulnerable. All I have on Ubuntu, macOS and Chrome OS is browser hardening behind a router firewall. In the real world it's all people like me need. Unix will always be more secure than Windows by design. Obviously I'm too stupid to know any better. Funny though, after nearly a decade running Unix I've never had one infection or instance of malware.
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,032
    Location:
    Texas
    Thread is closed for discussion.
     