Cybercriminals step up their targeting of macOS


Historically, Windows has been the favorite target of cybercriminals, but new research from Accenture suggests macOS is becoming a lucrative priority on the dark web, and information on exploits is being traded for millions of dollars.

The Accenture Cyber Threat Intelligence (ACTI) team has noted a significant upward trend in dark-web threat actors targeting macOS from 2019 to 2022, and the volume in 2023 overtook that of 2022 in just the first six months.

In December 2022, one threat actor offered up to $500,000 for a macOS Gatekeeper bypass, or any zero-day or one-day exploit affecting TCC (Transparency, Consent and Control).

“Historically, dark web cyber criminals have focused their efforts on Windows,” writes Robert Boyce, managing director global cyber response and transformation services lead at Accenture, on the company’s blog. “Previous macOS-related activity has been limited in scope owing to the comparatively smaller role played by macOS in enterprise infrastructure globally and the more advanced and niche skills required to target the Apple operating system. Yet, in 2022 and the first half of 2023 macOS-targeting activity has intensified.”

Increased criminal interest in targeting the macOS operating system comes as enterprise adoption of macOS is rising. A survey by Jamf in 2020 showed the percentage of enterprise organizations that reported using Mac as their primary device increased to 23 percent, up from 17 percent in 2019.

A small number of threat actors have emerged as go-to vendors for macOS-related tools. Their offerings include the ability to create Apple Enterprise Certificates to bypass macOS Gatekeeper and the sale of macOS Hidden Virtual Network Computing (hVNC) malware. The LockBit 3.0 ransomware group is also known to be developing a macOS-focused version of its ransomware.

Boyce concludes, “Risks are increasing, especially in the first wave of attacks as end users and security teams need to adjust to a new and changing threatscape. The dark web acts as an excellent bellwether for upcoming cybersecurity threats and monitoring of closed communities and reputable actors suggests these threats are not going away. Monitoring of dark web sources to obtain threat intelligence on the latest tactics, techniques, and procedures concerning threats to macOS could help to get ahead of the latest threats in this sphere.”

You can read more on the Accenture blog.

Photo Credit: Jirsak/Shutterstock