Infostealer malware targeting macOS enters the top 10 threats

The latest threat detection data from Red Canary shows that Atomic Stealer -- an infostealer that targets credentials, payment card data, keychain details, and cryptocurrency wallet information on macOS devices -- has entered the top 10 threats.

Other notable appearances include Scarlet Goldfinch -- an 'activity cluster' that uses fake browser updates to trick users into downloading a legitimate remote management and monitoring tool that can be abused to deploy malicious software -- and ChromeLoader -- a malicious browser extension that reads and hijacks browser traffic to redirect it to specific sites, likely to conduct pay-per-click advertising fraud.

Within the top ten threats, there is a continued trend away from email toward web-based delivery mechanisms, which account for six of the threats on the list. This indicates that efforts to lock down email and make it more difficult for adversaries to insert malicious payloads into documents are continuing to pay off.

"While there are similarities with our previous list, it's interesting to see ChromeLoader moving up the charts so dramatically, although this rise is due in part to improved detection capabilities for the threat. It might seem innocuous, but its broad ability to steal browser data and the potential for bad actors to re-task it for more malicious purposes make it particularly concerning," says Brian Donohue, principal security specialist at Red Canary. "The fact that Atomic Stealer is in our top ten is also remarkable given the relatively low percentage of our sample formed by macOS devices. We’d strongly urge organizations with a significant macOS footprint to double down on user education around downloading software from untrusted sources. More widely, organizations can defend against web-based delivery with measures like ad-blocking solutions, browser extension allow/blocklists, and GPOs that open potentially dangerous attachments in Notepad by default."

The report also shows that identities remain a significant weak spot. Adversary in the Middle (AitM) attacks are frequently being used to bypass multi-factor authentication. Adversaries create seemingly legitimate login pages to lure users into entering credentials and MFA codes, relaying those details in real time to gain access.

There is also a growing trend of adversaries stealing session tokens, after compromising a cloud service or account, in order to access identities. This technique is of especially high risk in AWS environments, where adversaries extract security tokens that ultimately allow them to perform actions within the cloud tenant.
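Both of the identity techniques described above (an AitM relay and a stolen session token) share one observable: a session that was established from one source address is later exercised from another. The following added detection example, which is not part of the report or the article, walks a small batch of constructed sign-in events (JSON lines with assumed field names `ts`, `user`, `event`, `session`, `src_ip`, modelled loosely on IdP and cloud audit logs rather than on any vendor's schema) and flags every session used from an address other than the one it was authenticated from, with the time elapsed since authentication. The same logic generalises to AWS temporary credentials by keying on the access key identifier instead of a session id, which the `session_field` parameter allows.

```python
"""Flag session tokens that are exercised from a source address other than the
one they were authenticated from (a common trace of AitM relays and token theft)."""
import json
from datetime import datetime
from typing import Dict, List

# Constructed sample telemetry for the example; not real log data.
# Addresses are from documentation ranges (RFC 5737).
SAMPLE_LOG_LINES = [
    '{"ts": "2024-03-01T09:00:00Z", "user": "alice", "event": "mfa_success", "session": "s-1001", "src_ip": "203.0.113.10"}',
    '{"ts": "2024-03-01T09:00:05Z", "user": "alice", "event": "session_use", "session": "s-1001", "src_ip": "203.0.113.10"}',
    '{"ts": "2024-03-01T09:03:00Z", "user": "alice", "event": "session_use", "session": "s-1001", "src_ip": "198.51.100.77"}',
    '{"ts": "2024-03-01T10:00:00Z", "user": "bob",   "event": "mfa_success", "session": "s-2002", "src_ip": "203.0.113.20"}',
    '{"ts": "2024-03-01T10:30:00Z", "user": "bob",   "event": "session_use", "session": "s-2002", "src_ip": "203.0.113.20"}',
]


def parse_events(lines: List[str]) -> List[dict]:
    """Parse JSON lines into event dicts, skipping malformed lines, sorted by time."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate partial or corrupt lines in a log stream
        ev["_ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def find_session_reuse(events: List[dict], session_field: str = "session") -> List[dict]:
    """Return one finding per event where a session is used from an address
    different from the one recorded on its first (authenticating) event.

    session_field names the key that identifies the credential: a web session id
    for an IdP, or the access key id for AWS temporary credentials (assumption
    about how such logs would be keyed, not a vendor field name).
    """
    origin: Dict[str, dict] = {}  # session id -> first event seen for it
    findings = []
    for ev in events:
        sid = ev[session_field]
        if sid not in origin:
            origin[sid] = ev  # first sighting is treated as the authentication
            continue
        first = origin[sid]
        if ev["src_ip"] != first["src_ip"]:
            elapsed = (ev["_ts"] - first["_ts"]).total_seconds() / 60
            findings.append({
                "user": ev["user"],
                "session": sid,
                "auth_ip": first["src_ip"],
                "foreign_ip": ev["src_ip"],
                "minutes_after_auth": round(elapsed, 1),
            })
    return findings


def run_sample() -> List[dict]:
    """Run the detection over the constructed sample and return the findings."""
    return find_session_reuse(parse_events(SAMPLE_LOG_LINES))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']}: session {f['session']} authenticated from {f['auth_ip']} "
              f"but used from {f['foreign_ip']} {f['minutes_after_auth']} min later")
```

On the sample, only alice's session is flagged: it was authenticated from 203.0.113.10 and used from 198.51.100.77 three minutes later, while bob's session stays on one address. In production, the first sighting should be tied to the actual authentication event rather than simply the earliest line, and the comparison is usually loosened to ASN or geolocation rather than exact IP so that mobile and NAT churn does not drown the signal.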

The full report is available from the Red Canary site.

Image credit: solarseven/depositphotos.com


© 1998-2024 BetaNews, Inc. All Rights Reserved.