Category Archives: News

Can Apple Macs get Viruses?

Read Time:6 Minute, 6 Second

It’s a long-standing question. Can Apple Macs get viruses?

While Apple does go to great lengths to keep all its devices safe, this doesn’t mean your Mac is immune to all computer viruses. So what does Apple provide in terms of antivirus protection? Let’s take a look along with some signs that your Mac may be hacked and how you can protect yourself from further threats beyond viruses, like identity theft.

Signs that your Mac may be hacked

Whether hackers physically sneak it onto your device or by tricking you into installing it via a phony app, a sketchy website, or a phishing attack, viruses and malware can create problems for you in a few ways:

Keylogging: In the hands of a hacker, keylogging works like a stalker by snooping information as you type.
Trojans: Trojans are type of malware that can be disguised in your computer to extract important data, such as credit card account details or personal information.
Cryptominers: Similar to trojans, this software hides on a device. From there, it harnesses the device’s computing power to “mine” cryptocurrencies. While cryptomining is not illegal, “cryptojacking” a device without the owner’s consent is most certainly illegal.

Some possible signs of hacking software on your Mac include:

Performance issues

Is your device operating more slowly, are web pages and apps harder to load, or does your battery never seem to keep a charge? These are all signs that you could have malware running in the background, zapping your device’s resources.

Your computer feels like it’s running hot

Like the performance issues above, malware or mining apps running in the background can burn extra computing power (and data). Aside from sapping performance, malware and mining apps can cause your computer to run hot or even overheat.

Mystery apps or data

If you find apps you haven’t downloaded, along with messages and emails that you didn’t send, that’s a red flag. A hacker may have hijacked your computer to send messages or to spread malware to your contacts. Similarly, if you see spikes in your data usage, that could be a sign of a hack as well.

Pop-ups or changes to your screen

Malware can also be behind spammy pop-ups, changes to your home screen, or bookmarks to suspicious websites. In fact, if you see any configuration changes you didn’t personally make, this is another big clue that your computer may have been hacked.

What kind of antivirus do Macs have?

Macs contain several built-in features that help protect them from viruses:

XProtect and Automatic Quarantine: XProtect is Apple’s proprietary antivirus software that’s been included on all Macs since 2009. Functionally, it works the same as any other antivirus, where it scans files and apps for malware by referencing a database of known threats that Apple maintains and updates regularly. From there, suspicious files are quarantined by limiting their access to the Mac’s operating system and other key functions. However, .
Malware Removal Tool: To further keep Apple users protected, the Malware Removal Tool (MRT) scans Macs to spot and catch any malware that may have slipped past XProtect. Similar to XProtect, it relies on a set of constantly updated definitions that help identify potential malware. According to Apple, MRT removes malware upon receiving updated information, and it continues to check for infections on restart and login.
Notarization, Gatekeeper, and the App Review Process: Another way Apple keeps its users safe across MacOS and iOS devices is its Notarization Apps built to run on Apple devices go through an initial review before they can be distributed and sold outside of Apple’s App Store. When this review turns up no instances of malware, Apple issues a Notarization ticket. That ticket is recognized in another part of the MacOS, Gatekeeper, which verifies the ticket and allows the app to launch. Additionally, if a previously approved app is later to found to be malicious, Apple can revoke its Notarization and prevent it from running.

Similarly, all apps that wish to be sold on the Apple App Store must go through Apple’s App Review. While not strictly a review for malware, security matters are considered in the process. Per Apple, “We review all apps and app updates submitted to the App Store in an effort to determine whether they are reliable, perform as expected, respect user privacy, and are free of objectionable content.”

Further features: In addition to the above, Apple includes technologies that prevent malware from doing more harm, such as preventing damage to critical system files.

Do I need to purchase antivirus for my Mac?

There are a couple reasons why Mac users may want to consider additional protection in addition to the antivirus protection that Mac provides out of the box:

Apple’s antivirus may not recognize the latest threats. A component of strong antivirus protection is a current and comprehensive database of virus definitions. As noted above, , leaving Mac owners who solely rely on XProtect and other features susceptible to attack.
Apple’s built-in security measures for Macs largely focus on viruses and malware alone. While protecting yourself from viruses and malware is of utmost importance (and always will be), the reality is that antivirus is not enough. Enjoying the life online today means knowing your privacy and identity are protected as well.

In all, Macs are like any other connected device. They’re susceptible to threats and vulnerabilities as well. Looking more broadly, there’s the wider world of threats on the internet, such as phishing attacks, malicious links and downloads, prying eyes on public Wi-Fi, data breaches, identity theft, and so on. It’s for this reason Mac users may think about bolstering their defenses further with online protection software.

 Further protecting your Mac from viruses and attacks

Staying safer online follows a simple recipe:

Being aware of the threats that are out there.
Understanding where your gaps in protection are.
Taking steps to protecting yourself from those threats and closing any gaps as they arise.

Reading between the lines, that recipe can take a bit of work. However, comprehensive online protection can take care of it for you. In particular, McAfee Total Protection includes an exclusive Protection Score, which checks to see how safe you are online, identifies gaps, and then offers personalized guidance, and helping you know exactly how safe you are.

An important part of this score is privacy and security, which is backed by a VPN that turns on automatically when you’re on an unsecure network and personal information monitoring to help protect you from identity theft—good examples that illustrate how staying safe online requires more than just antivirus.

Consider your security options for your Mac

So, Macs can get viruses and are subject to threats just like any other computer. While Macs have strong protections built into them, they may not offer the full breadth of protection you want, particularly in terms of online identity theft and the ability to protect you from the latest malware threats. Consider the threats you want to keep clear of and then take a look at your options that’ll help keep you safe.

The post Can Apple Macs get Viruses? appeared first on McAfee Blog.

Read More

Can Apple Macs get Viruses?

Read Time:6 Minute, 6 Second

It’s a long-standing question. Can Apple Macs get viruses?

While Apple does go to great lengths to keep all its devices safe, this doesn’t mean your Mac is immune to all computer viruses. So what does Apple provide in terms of antivirus protection? Let’s take a look along with some signs that your Mac may be hacked and how you can protect yourself from further threats beyond viruses, like identity theft.

Signs that your Mac may be hacked

Whether hackers physically sneak it onto your device or by tricking you into installing it via a phony app, a sketchy website, or a phishing attack, viruses and malware can create problems for you in a few ways:

Keylogging: In the hands of a hacker, keylogging works like a stalker by snooping information as you type.
Trojans: Trojans are type of malware that can be disguised in your computer to extract important data, such as credit card account details or personal information.
Cryptominers: Similar to trojans, this software hides on a device. From there, it harnesses the device’s computing power to “mine” cryptocurrencies. While cryptomining is not illegal, “cryptojacking” a device without the owner’s consent is most certainly illegal.

Some possible signs of hacking software on your Mac include:

Performance issues

Is your device operating more slowly, are web pages and apps harder to load, or does your battery never seem to keep a charge? These are all signs that you could have malware running in the background, zapping your device’s resources.

Your computer feels like it’s running hot

Like the performance issues above, malware or mining apps running in the background can burn extra computing power (and data). Aside from sapping performance, malware and mining apps can cause your computer to run hot or even overheat.

Mystery apps or data

If you find apps you haven’t downloaded, along with messages and emails that you didn’t send, that’s a red flag. A hacker may have hijacked your computer to send messages or to spread malware to your contacts. Similarly, if you see spikes in your data usage, that could be a sign of a hack as well.

Pop-ups or changes to your screen

Malware can also be behind spammy pop-ups, changes to your home screen, or bookmarks to suspicious websites. In fact, if you see any configuration changes you didn’t personally make, this is another big clue that your computer may have been hacked.

What kind of antivirus do Macs have?

Macs contain several built-in features that help protect them from viruses:

XProtect and Automatic Quarantine: XProtect is Apple’s proprietary antivirus software that’s been included on all Macs since 2009. Functionally, it works the same as any other antivirus, where it scans files and apps for malware by referencing a database of known threats that Apple maintains and updates regularly. From there, suspicious files are quarantined by limiting their access to the Mac’s operating system and other key functions. However, .
Malware Removal Tool: To further keep Apple users protected, the Malware Removal Tool (MRT) scans Macs to spot and catch any malware that may have slipped past XProtect. Similar to XProtect, it relies on a set of constantly updated definitions that help identify potential malware. According to Apple, MRT removes malware upon receiving updated information, and it continues to check for infections on restart and login.
Notarization, Gatekeeper, and the App Review Process: Another way Apple keeps its users safe across MacOS and iOS devices is its Notarization Apps built to run on Apple devices go through an initial review before they can be distributed and sold outside of Apple’s App Store. When this review turns up no instances of malware, Apple issues a Notarization ticket. That ticket is recognized in another part of the MacOS, Gatekeeper, which verifies the ticket and allows the app to launch. Additionally, if a previously approved app is later to found to be malicious, Apple can revoke its Notarization and prevent it from running.

Similarly, all apps that wish to be sold on the Apple App Store must go through Apple’s App Review. While not strictly a review for malware, security matters are considered in the process. Per Apple, “We review all apps and app updates submitted to the App Store in an effort to determine whether they are reliable, perform as expected, respect user privacy, and are free of objectionable content.”

Further features: In addition to the above, Apple includes technologies that prevent malware from doing more harm, such as preventing damage to critical system files.

Do I need to purchase antivirus for my Mac?

There are a couple reasons why Mac users may want to consider additional protection in addition to the antivirus protection that Mac provides out of the box:

Apple’s antivirus may not recognize the latest threats. A component of strong antivirus protection is a current and comprehensive database of virus definitions. As noted above, , leaving Mac owners who solely rely on XProtect and other features susceptible to attack.
Apple’s built-in security measures for Macs largely focus on viruses and malware alone. While protecting yourself from viruses and malware is of utmost importance (and always will be), the reality is that antivirus is not enough. Enjoying the life online today means knowing your privacy and identity are protected as well.

In all, Macs are like any other connected device. They’re susceptible to threats and vulnerabilities as well. Looking more broadly, there’s the wider world of threats on the internet, such as phishing attacks, malicious links and downloads, prying eyes on public Wi-Fi, data breaches, identity theft, and so on. It’s for this reason Mac users may think about bolstering their defenses further with online protection software.

 Further protecting your Mac from viruses and attacks

Staying safer online follows a simple recipe:

Being aware of the threats that are out there.
Understanding where your gaps in protection are.
Taking steps to protecting yourself from those threats and closing any gaps as they arise.

Reading between the lines, that recipe can take a bit of work. However, comprehensive online protection can take care of it for you. In particular, McAfee Total Protection includes an exclusive Protection Score, which checks to see how safe you are online, identifies gaps, and then offers personalized guidance, and helping you know exactly how safe you are.

An important part of this score is privacy and security, which is backed by a VPN that turns on automatically when you’re on an unsecure network and personal information monitoring to help protect you from identity theft—good examples that illustrate how staying safe online requires more than just antivirus.

Consider your security options for your Mac

So, Macs can get viruses and are subject to threats just like any other computer. While Macs have strong protections built into them, they may not offer the full breadth of protection you want, particularly in terms of online identity theft and the ability to protect you from the latest malware threats. Consider the threats you want to keep clear of and then take a look at your options that’ll help keep you safe.

The post Can Apple Macs get Viruses? appeared first on McAfee Blog.

Read More

Education sector hounded by cyberattacks in 2021

Read Time:39 Second

Education and research were the top targets for cyberattackers in 2021, with an average of 1605 attacks per organization per week, a 75% increase from 2020, according to research by Check Point Software Technologies.

Pandemic’s push for digital invites threats 

The COVID-19 pandemic has pushed staff in businesses and education to work from home. The resulting need for digital skills and online courses has boosted the digital education market, creating opportunities for study but also for cyberthreats.

A major shift to distance learning and the fact that online education organizations have a huge number of non-employees accessing their systems from remote locations widens the exposure, elevating risks, according to Omer Dembinsky, data research manager at Check Point.

To read this article in full, please click here

Read More

Education sector hounded by cyberattacks in 2021

Read Time:39 Second

Education and research were the top targets for cyberattackers in 2021, with an average of 1605 attacks per organization per week, a 75% increase from 2020, according to research by Check Point Software Technologies.

Pandemic’s push for digital invites threats 

The COVID-19 pandemic has pushed staff in businesses and education to work from home. The resulting need for digital skills and online courses has boosted the digital education market, creating opportunities for study but also for cyberthreats.

A major shift to distance learning and the fact that online education organizations have a huge number of non-employees accessing their systems from remote locations widens the exposure, elevating risks, according to Omer Dembinsky, data research manager at Check Point.

To read this article in full, please click here

Read More

Linux-Targeted Malware Increased by 35%

Read Time:48 Second

Crowdstrike is reporting that malware targeting Linux has increased considerably in 2021:

Malware targeting Linux systems increased by 35% in 2021 compared to 2020.

XorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed by CrowdStrike in 2021.

Ten times more Mozi malware samples were observed in 2021 compared to 2020.

Lots of details in the report.

News article:

The Crowdstrike findings aren’t surprising as they confirm an ongoing trend that emerged in previous years.

For example, an Intezer report analyzing 2020 stats found that Linux malware families increased by 40% in 2020 compared to the previous year.

In the first six months of 2020, a steep rise of 500% in Golang malware was recorded, showing that malware authors were looking for ways to make their code run on multiple platforms.

This programming, and by extension, targeting trend, has already been confirmed in early 2022 cases and is likely to continue unabated.

Slashdot thread.

Read More

Linux-Targeted Malware Increased by 35%

Read Time:48 Second

Crowdstrike is reporting that malware targeting Linux has increased considerably in 2021:

Malware targeting Linux systems increased by 35% in 2021 compared to 2020.

XorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed by CrowdStrike in 2021.

Ten times more Mozi malware samples were observed in 2021 compared to 2020.

Lots of details in the report.

News article:

The Crowdstrike findings aren’t surprising as they confirm an ongoing trend that emerged in previous years.

For example, an Intezer report analyzing 2020 stats found that Linux malware families increased by 40% in 2020 compared to the previous year.

In the first six months of 2020, a steep rise of 500% in Golang malware was recorded, showing that malware authors were looking for ways to make their code run on multiple platforms.

This programming, and by extension, targeting trend, has already been confirmed in early 2022 cases and is likely to continue unabated.

Slashdot thread.

Read More

High anxiety spreads among Russian criminal groups in wake of REvil raid

Read Time:27 Second

The crackdown on members of the REvil ransomware gang by agents of the Kremlin’s domestic security force January 14 is sending a wave of distress and dread through the Russian hacker underground, according to researchers at Trustwave’s SpiderLabs.

“What our researchers found was a great deal of anxiety and consternation from those who participate in these Dark Web forums regarding the FSB arrests and how those actions will impact them in the future,” Trustwave noted Friday in a company blog post.

To read this article in full, please click here

Read More

High anxiety spreads among Russian criminal groups in wake of REvil raid

Read Time:27 Second

The crackdown on members of the REvil ransomware gang by agents of the Kremlin’s domestic security force January 14 is sending a wave of distress and dread through the Russian hacker underground, according to researchers at Trustwave’s SpiderLabs.

“What our researchers found was a great deal of anxiety and consternation from those who participate in these Dark Web forums regarding the FSB arrests and how those actions will impact them in the future,” Trustwave noted Friday in a company blog post.

To read this article in full, please click here

Read More

Stories from the SOC – Inactive Account Exploitation

Read Time:3 Minute, 41 Second

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive summary

One of the primary ways that adversaries gain access to environments is through valid credentials. Because of this, maintenance and auditing of user accounts is an integral part of maintaining a good security posture. When an employee leaves a company or organization, it is important that all associated accounts be removed and permissions revoked. If these accounts are not removed, they are a potential avenue for attackers to enter a network. Attackers often leverage compromised accounts to gain a foothold in an organization’s environment and move across the network, while remaining hidden. Upon entry, threat actors can elevateuser privileges and cause serious harm to the organization such as sabotaging critical infrastructure or exfiltrating confidential or intellectual property.

The AT&T Managed Threat Detection and Response (MTDR) SOC analyst team received an alarm for a successful logon to Office 365 from a foreign location for a customer. After investigating, we discovered the account belong to an ex-employee of that organization that was not properly deactivated. An attacker was able to exploit this vulnerability and gain access to the account through brute force from sources all over the world.  The team quickly reacted to the threat and assisted the customer in containing it while mitigating follow-on actions.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The initial alarm was triggered from a custom rule alerting the MTDR analysts that the customer had a user successfully log-in to Office365 from a foreign country. Custom alarms can be created by the MTDR team and are tailored specifically to customer requests. These custom alarms can improve early warning signs of a potential attack specific to the customer’s environment.

Expanded investigation

Events search

A review of the event log indicated that the user successfully logged in from a foreign country. While this may not seem suspicious, it’s not often we observe logins from different parts of the world for this customer. With the adoption of work-from-home environments across many organizations, it’s almost every day we see foreign or multiple source country logins. However, regardless of how routine this seems, it is critical that security professionals perform their due diligence with this type of activity. To rule out the possibility of a compromised account, the team broadened their investigation to gather more information.

Event deep dive

Depending on the designed MTDR rule, any outside location will be considered an anomaly. Upon further review of the user’s history, the team discovered there was no activity within the last 90 days. No activity for short periods of time is not necessarily abnormal, but it was suspicious for a user to have absolutely zero activity for 90 days, only to log back in from multiple countries. In fact, we found that almost 1,000 failed login attempts from malicious IP addresses from 49 countries were made against the user’s account.

 Reviewing for additional indicators

Shortly after gaining access to the account, the attackers pivoted to the user’s personal SharePoint, but it did not appear that the attackers were able to gain access to anything confidential. Additionally, there was no evidence that attackers were able to move laterally in the network, escalate privileges, or gain access to other confidential or sensitive information beyond the initial access.

Response

Building the Investigation

With all the evidence gathered, it was critical that we contact the customer as soon as possible. We quickly assembled the investigation and reached out to the customer.

Shortly after contacting the customer, the SOC observed the attacker gaining access from another country. This new evidence suggests that the attacker was attempting to escalate and we needed to work quickly with the customer to contain the threat and prevent any potential lateral movement.

Customer interaction

The customer was able to revoke the credentials and disable the user account, and confirmed the targeted user was a former employee of the organization. This confirmation from the customer only added more validity to our concerns when we previously observed blank activity for 90 days from the user. While the attack did not escalate any further, this highlights the importance of maintaining and auditing the users in your environment.

Read More

Stories from the SOC – Inactive Account Exploitation

Read Time:3 Minute, 41 Second

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive summary

One of the primary ways that adversaries gain access to environments is through valid credentials. Because of this, maintenance and auditing of user accounts is an integral part of maintaining a good security posture. When an employee leaves a company or organization, it is important that all associated accounts be removed and permissions revoked. If these accounts are not removed, they are a potential avenue for attackers to enter a network. Attackers often leverage compromised accounts to gain a foothold in an organization’s environment and move across the network, while remaining hidden. Upon entry, threat actors can elevateuser privileges and cause serious harm to the organization such as sabotaging critical infrastructure or exfiltrating confidential or intellectual property.

The AT&T Managed Threat Detection and Response (MTDR) SOC analyst team received an alarm for a successful logon to Office 365 from a foreign location for a customer. After investigating, we discovered the account belong to an ex-employee of that organization that was not properly deactivated. An attacker was able to exploit this vulnerability and gain access to the account through brute force from sources all over the world.  The team quickly reacted to the threat and assisted the customer in containing it while mitigating follow-on actions.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The initial alarm was triggered from a custom rule alerting the MTDR analysts that the customer had a user successfully log-in to Office365 from a foreign country. Custom alarms can be created by the MTDR team and are tailored specifically to customer requests. These custom alarms can improve early warning signs of a potential attack specific to the customer’s environment.

Expanded investigation

Events search

A review of the event log indicated that the user successfully logged in from a foreign country. While this may not seem suspicious, it’s not often we observe logins from different parts of the world for this customer. With the adoption of work-from-home environments across many organizations, it’s almost every day we see foreign or multiple source country logins. However, regardless of how routine this seems, it is critical that security professionals perform their due diligence with this type of activity. To rule out the possibility of a compromised account, the team broadened their investigation to gather more information.

Event deep dive

Depending on the designed MTDR rule, any outside location will be considered an anomaly. Upon further review of the user’s history, the team discovered there was no activity within the last 90 days. No activity for short periods of time is not necessarily abnormal, but it was suspicious for a user to have absolutely zero activity for 90 days, only to log back in from multiple countries. In fact, we found that almost 1,000 failed login attempts from malicious IP addresses from 49 countries were made against the user’s account.

 Reviewing for additional indicators

Shortly after gaining access to the account, the attackers pivoted to the user’s personal SharePoint, but it did not appear that the attackers were able to gain access to anything confidential. Additionally, there was no evidence that attackers were able to move laterally in the network, escalate privileges, or gain access to other confidential or sensitive information beyond the initial access.

Response

Building the Investigation

With all the evidence gathered, it was critical that we contact the customer as soon as possible. We quickly assembled the investigation and reached out to the customer.

Shortly after contacting the customer, the SOC observed the attacker gaining access from another country. This new evidence suggests that the attacker was attempting to escalate and we needed to work quickly with the customer to contain the threat and prevent any potential lateral movement.

Customer interaction

The customer was able to revoke the credentials and disable the user account, and confirmed the targeted user was a former employee of the organization. This confirmation from the customer only added more validity to our concerns when we previously observed blank activity for 90 days from the user. While the attack did not escalate any further, this highlights the importance of maintaining and auditing the users in your environment.

Read More