![\"The](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/year-in-mac-security-2016.jpg\")
<\/p>\n<\/p>\n
As we enter 2017, we all tend to look back on the good and the bad experienced during another trip around the sun. And\u00a0for Mac users, there were plenty of bad things that happened in 2016 related to security threats, but also\u00a0some good things that happened on the privacy front.<\/p>\n
Some of the bad news was just the reality of being a computer user in today\u2019s digital world, including new threats targeting Macs, malware infections, fresh vulnerabilities in third-party software, plug-in security issues, and data breaches. You can\u2019t hold those against Apple. Some people get infected by malware, other people avoid it. On the contrary, there was some good news as Apple’s\u00a0release of\u00a0macOS Sierra implemented several\u00a0new security features and plugged security holes.<\/p>\n
What’s\u00a0changed since our previous installment on the state of Mac security<\/a>\u00a0at the beginning of 2016? Truth be told, 2016 was\u00a0a busy year. This article is a summary of the year’s security issues that affected Macs. Read on to discover\u00a0the worst Mac threats in 2016, along with\u00a0some of Apple’s\u00a0more notable security improvements over the year.<\/p>\n The year in malware was kicked off early in 2016 by the discovery of InstallCore<\/a>, a fake Flash Player update that, once installed, used scare tactics to try and get money out of users to fix various system problems. Scareware is\u00a0a very effective method of getting to a user\u2019s wallet or potentially\u00a0cause a malware infection. In fact, one of the most well known scareware campaigns targeting Macs is still Mac Defender<\/a>, discovered by\u00a0Intego nearly 5 years ago.<\/p>\n Shortly after InstallCore made its rounds, OS X malware identified as\u00a0OceanLotus<\/a> made the spotlight. Initially discovered in 2015, the Mac version of this malware did not get any stage time until February 2016. Using a fake Flash Player update and spread through watering holes and spear-phishing, the malware installed a LaunchAgent on infected systems and awaited instructions from a command-and-control server. At the time of testing, these servers appeared to be offline, most likely discontinued after the first report of OceanLotus by researchers at Qihoo 360.<\/p>\n In March, a new version of Hacking Team\u2019s Remote Control System was uncovered<\/a>. This not only showed that Hacking Team was still in business, despite their not so great year in 2015, but also that new malware delivery mechanisms were under development. Known as Crisis or Morcut, the malware did not pose a significant threat and was easily removed from an infected system. It was a reminder, however, that companies like these are still out there working hard to undermine the security of your Mac.<\/p>\n The myth that Macs can\u2019t get viruses still persists even in 2016, but most people know by now it\u2019s just that, a myth. Having said that, for many years\u00a0Mac users could proudly boast that\u00a0ransomware does not exist for Macs. However, in early March that all changed as the first ever ransomware for Mac, KeRanger<\/a>, was discovered. Hackers planted an altered installer of the BitTorrent client Transmission that had the ransomware hidden inside of it. Once\u00a0installed, the ransomware laid dormant for 3 days, but then it would awaken and\u00a0start encrypting files and demand one bitcoin payment to get the encrypted data back.<\/p>\n Merely a\u00a0month later, another InstallCore variant<\/a> was found to use a fake Flash Player update to install Potentially Unwanted Programs (PUP\u2019s), like MegaBackup, ZipCloud and MacKeeper.<\/p>\n Adwind RAT<\/a>, a remote access trojan was discovered in August. Though the infection risk was low, it was notable because it was written in Java, which made it cross-platform. Adwind RAT was spread via a spam email campaign.<\/p>\n The same month, BitTorrent client Transmission made the news again, this time spreading malware, named Keydnap<\/a>, capable of stealing the contents of a Mac\u2019s keychain. Once again, hackers replaced the legitimate download of the app with a modified one just like it did with the KeRanger ransomware in March. Transmission decided that twice was enough and moved their website and files to GitHub to prevent future attacks on their server.<\/p>\n In September, Intego learned of a potential new Adwind RAT<\/a>\u00a0being spread via email. Opening a backdoor on infected systems, this version posed no immediate threat. It has not been seen since and clearing an infected system was an affected\u00a0Mac user needed\u00a0to do. Unfortunately, however, we may not have seen the last of Adwind.<\/p>\n Also in September, Intego learned of another trojan posing as a fake Flash Player installer. This malware variant\u00a0shared similarities with a previously found iWorm trojan<\/a>, and while this may have been a proof-of-concept (PoC) not causing any grief at the time, Intego added it to its VirusBarrier<\/a>\u00a0anti-virus\u00a0definitions to protect its customers from any possible future encounters.<\/p>\n A cross-platform backdoor, called Mokes<\/a>, for OS X that can take screenshots of an infected Mac as well as steal Office documents, record keystrokes and capture audio and video was discovered as well.\u2028\u2028 As if September was not already interesting enough, a trojan called Komplex<\/a> was discovered to spread via spear phishing. Posing as a fake Russian aerospace program information PDF attachment, once opened, Komplex installs files and was able to download, execute or delete files. Luckily, the command-and-control server it contacted did not instruct the trojan to do anything after installing itself.<\/p>\n In October, Intego\u2019s malware researchers discovered a new fake Flash Player installer, identified as SilverInstaller<\/a>,\u00a0which behaved differently from other installers of its kind. SilverInstaller appeared to use new techniques to avoid detection. Intego later uncovered more details and fount the malware was\u00a0more sophisticated<\/a> than previously thought, as it was attempting to avoid detection by malware researches by looking for common analysis tools and techniques.<\/p>\n Didn’t Apple Fix All This with Gatekeeper?<\/strong><\/p>\n What does all of the Mac malware from 2016 have in common? It\u2019s all signed by valid developer ID\u2019s.\u00a0This is done to circumvent Gatekeeper, one of macOS\u2019s built-in defense layers.<\/p>\n According to Apple<\/a>, \u201cGatekeeper helps protect your Mac from apps that could adversely affect it,\u201d and \u201cThe Developer ID allows Gatekeeper to block apps created by malware developers and verify that apps haven’t been tampered with since they were signed.\u201d<\/p>\n Because\u00a0it takes time for a malicious application to be reported and for Apple to revoke the Developer ID, signing malware with such an ID typically guarantees infected users for days (or even weeks) before the ID is blocked.\u2028\u2028 This makes Gatekeeper a good idea but not something to rely on as your only layer of protection, because there are easy ways around it. Of course, Gatekeeper is just one layer, it works hand in hand with XProtect that is designed to flag and block known malware and vulnerable plug-in versions.<\/p>\n XProtect received several updates in 2016. For El Capitan and Sierra, there were at least 12 updates, and they included some of the following:<\/p>\n To put this in contrast, Intego added over 5,000\u00a0malware signatures to VirusBarrier<\/a>.<\/p>\n Since we\u2019re talking about Apple, let\u2019s see what they did to make their operating systems more secure in 2016.<\/p>\n OS X El Capitan, at version 10.11.2 going into 2016, received four point updates and three security updates after macOS Sierra was released. Addressing a combined 215 CVE\u2019s in 2016. macOS 10.12 Sierra, released in September and updated twice since, addressed 158 CVE\u2019s. OS X 10.10 Yosemite received seven security updates in 2016, patching 62 vulnerabilities, and OS X 10.9 Mavericks received four security updates, patching 53 vulnerabilities.<\/p>\n With the release of macOS Sierra, support for Mavericks was dropped, causing its users to miss out on the security update that specifically patched the vulnerabilities, nicknamed Trident<\/a>, exploited by the Pegasus spyware. Even though the security update was released on September 1 and macOS Sierra was not released until September 20, Apple chose not to offer the full patch to its Mavericks users. While a Safari update that was available for Mavericks addressed part of the vulnerabilities, it did not patch all of it.<\/p>\n Speaking of software vulnerabilities, Apple updated Safari eight times and patched 89 vulnerabilities,\u00a0bringing us from version 9.0.3 to 10.0.2\u2028.<\/p>\n macOS Sierra itself implemented several new security features and enhancements<\/a>, such as the Gatekeeper option to allow unsigned applications to open from anywhere, Path Randomization, the removal of the weak RC4 cipher suite and Auto Unlock, among other Sierra security and privacy features<\/a>.<\/p>\n Along with macOS Sierra came Safari 10.0. Its biggest security feature was the disabling of plug-ins by default. This meant that Flash Player, Silverlight, Java and other plug-ins need to be manually enabled first before they work. As vulnerabilities in plug-ins are often exploited, this was a big security step in the right direction.<\/p>\n Something that makes any system administrator, tech support or security researcher cringe is the mention of Adobe Flash Player. Often updated but never secure, it is typically a security risk to have it installed. Even with browsers now disabling Flash Player and other plug-ins by default, having it installed means you are more likely to fall for fake Flash Player update scams<\/a>. If you don\u2019t have Flash Player installed, you\u2019ll know that any site prompting you for an update is bogus.<\/p>\n On the severity of\u00a0vulnerabilities, the worst is known as a “0-day,” which is a vulnerability that is being actively exploited by bad guys and that has no fix available. Flash Player had six of those by my count, which is pretty significant.\u00a0It had them in 2015, 2014, 2013 and most likely before that, too. There is no reason to think this will get any better in 2017, so the recommendation to uninstall Flash Player and never look back remains\u00a0a good one.<\/p>\n While Flash Player grabs the majority of headlines due to security flaws, other plug-ins were not without their issues. Microsoft started the year by patching a Silverlight 0-day vulnerability that was discovered in 2015 as a result of the Hacking Team leaks<\/a>. Silverlight doesn’t make the news often, but it is a favorite among exploit kits, just like Flash Player, Acrobat Reader and Java.<\/p>\n Adobe discontinued Adobe Reader X (version 10.x) over a year ago<\/a>, meaning, “Adobe will no longer provide any updates or address any existing bugs or security issues in the software.” Switching to Acrobat Reader DC was recommended, but not many people got the memo as Adobe Reader X is still very common on a lot of systems, which\u00a0makes it a very attractive target.<\/p>\n Microsoft’s Office 2011 and 2016 also received several security updates, patching remote code execution and memory corruption vulnerabilities.<\/p>\n Whether it’s the operating system, a plug-in or third-party software, security bugs and vulnerabilities will always be there. After all, code is written by humans and humans make mistakes. Therefore, it’s imperative to keep your software current with the latest available updates as this is the biggest step you can take to improve your security.<\/p>\n From apparently harmless attacks, like those done by hacking group OurMine, to more serious players like Fancy Bear, and to the biggest breach of all time at Yahoo, 2016 was\u00a0an interesting year.<\/p>\n OurMine,\u00a0a hacking group that breaks into accounts and leaves a message,\u00a0stating<\/a>, “Don’t worry we are just testing your security,” managed to compromise the Quora account of Google CEO, Sundar Pichai, and the Twitter account of FaceBook CEO, Mark Zucherberg. Spotify founder, Daniel Ek, Amazon CTO, Werner Vogels, and actor Channing Tatum were some of their other targets.<\/p>\n In December, LinkedIn’s Lynda.com was hacked<\/a> by an “unauthorized third party” that accessed a database that included some learning data. Contact information and which courses were viewed for 55,000 accounts were listed<\/a> as the only compromised data.<\/p>\n Moving on to some larger scale hacks, the bitcoin exchange BitFinex<\/a> was hacked by unknown attackers and their digital wallet was made $70 million lighter. The incident is still being investigated.<\/p>\n Point of Sale (PoS) systems were again a popular target this year. A Russian organized cybercrime group breached hundreds of computer systems<\/a> at software giant Oracle Corp, compromising a customer support portal for companies using Oracle’s MICROS PoS credit card payment systems. MICROS, a huge vendor in the global sale of PoS systems, is used at over 330,000 cash registers world wide. The scale of the hack is still unknown, as is the time it first started. HEI Hotels and Resorts found twenty of its hotels, including Marriot, Hyatt and Intercontinental, infected with malware<\/a> on their payment systems. These systems were used at restaurants, bars, spas and shops. Hackers may have gotten away with customer names, account numbers, credit card expiration dates and verification codes.<\/p>\n Hacked email accounts<\/a> were a common theme in 2016. The biggest breach was reserved for Yahoo. After revealing a 2014 hack affected more than 500 million user accounts<\/a>, they found an older breach in 2013<\/a> compromised over 1 billion user accounts. While technically a breach from three years ago, it was not discovered until recently, which means the hackers may have had access to all of the accounts for years.<\/p>\n The biggest story this year was Apple’s defense of security and privacy,\u00a0when it refused to cooperate with the FBI’s request to build a custom iOS version that circumvents several important security features. In a message to its customers, Apple wrote<\/a>:<\/p>\n The issue caused mix reactions.<\/p>\n For instance, at a time when\u00a0many supported Apple’s decision, then-Republican presidential candidate Donald Trump called for a boycott of Apple until they helped the FBI unlock the iPhone belonging to a terrorist. His comments came as the U.S. Department of Justice filed a motion seeking to force Apple to comply with a judge’s order for the company to unlock the iPhone, igniting a showdown between the Obama administration and Silicon Valley over security and privacy. As the story goes, the FBI found a different way to get the information they were after, without Apple’s help, and stopped pressuring Apple. A big win for the privacy and security of Apple customers.<\/p>\n In April, WhatsApp finished migrating all of its users<\/a> over to Open Whisper Systems\u2019 standard-setting encryption. With a billion people using WhatsApp, this suddenly caused a fair percentage of the world’s population to start messaging securely, whether they knew it or not.<\/p>\n This includes chats, group chats, attachments, voice notes, and voice calls.<\/p><\/blockquote>\n This makes WhatsApp a solid messenger that is both secure and private regardless of it being owned by Facebook, which is not exactly known for being privacy conscious.<\/p>\n From attacks that crippled parts of the internet to attacks with a specific target, Distributed Denial of Service (DDoS) has a name. Say hello to the Mirai botnet.<\/p>\n Mirai, malware that hijacks IoT devices, is not the largest botnet out there, but nevertheless it has been responsible for the largest DDoS attack recorded. In September, it was targeted at the website of security journalist Brian Krebs<\/a> and was recorded at 620 Gbps of traffic per second. The attack caused\u00a0Krebs’ site to go offline for a while as Akamai, who successfully mitigated the attack, asked Krebs to seek protection elsewhere. A few days later, 1.1Tbps of traffic was directed at French-based hosting provider OVH via multiple simultaneous attacks, and in October the source code for Mirai was released<\/a> online, making it available to anyone that wants to use it.<\/p>\n Just a few days later, a whopping 1.2Tbps directed at Dyn brought down much of America\u2019s Internet.\u00a0Dyn, a company that controls much of the Internet\u2019s domain name system (DNS) infrastructure, was under attack for most of the day. This resulted in the websites of Twitter, the Guardian, Netflix, Reddit, CNN and many others.<\/p>\n Botnets are nothing new, but Mirai is mostly made up of IoT devices. The IoT is growing at an enormous pace, giving malware, like Mirai, more ammunition every month and every year.<\/p>\n Manufacturers need to step up and secure the IoT devices that they supply, and\/or release updated firmware to devices already out there. This would greatly reduce the efficacy of botnets like Mirai. Users who\u00a0purchase IoT devices must\u00a0learn that “plug and play,” while easy, often brings security risks. Change the default name\/password on any new devices, and if that’s not possible, return the device and purchase one that is better secured.<\/p>\n As mentioned earlier, WhatsApp rolling out end-to-end encryption by default and Apple fighting off the FBI’s demand for a weakened iOS, were important moments this year. Constant reminders in the news about hacks, breaches and surveillance along with industry and government calls to use HTTPS sped up the adoption of encryption. The Internet Security Research Group (ISRG)’s Let’s Encrypt helped secure over 21 million websites<\/a>, most of which never had certificates before. Encrypting content matters, regardless of the size or popularity of a site or service. Of course, Intego protects its website, blog and Mac anti-virus software update streams with encryption to ensure your privacy and security when using our services.<\/p>\n As you have seen, 2016 was a very eventful year for Mac malware and security issues. Not only was\u00a0the first Mac ransomware discovered during the year, hidden inside an altered installer of the BitTorrent client Transmission, but the persistence of fake Flash Player installers plagued Mac users; furthermore, many operating system and third-party software vulnerabilities were found that compromised the security of Macs.<\/p>\n A great number of these operating system flaws pave the way for unseen malware attacks. Some of them are such that merely visiting a booby-trapped webpage can compromise a Mac. This underscores the importance of security software that protects not\u00a0only from malware but also from web threats and many other kinds of menaces that target Macs. It also highlights the need to keep software up-to-date.<\/p>\n Both for macOS and for third-party software, Mac users should make sure to have the latest versions of software at all times, because some programs\u2014such as Java and Adobe Flash Player\u2014are easy to attack with known exploits circulating in the wild.<\/p>\n As always, Intego is at the forefront in protecting Mac users from the dangers of the Internet. With its Malware Research Team continuously monitoring the threats to Mac users, Intego Mac Premium Bundle<\/a><\/strong> proves, yet again, to be the best security with layers of protection\u00a0against malware and network threats. Malware writers have Mac users in their crosshairs, and Intego helps protect Macs from all types of security threats.<\/p>\n","protected":false},"excerpt":{"rendered":" As we enter 2017, we all tend to look back on the good and the bad experienced during another trip around the sun. And\u00a0for Mac users, there were plenty of bad things that happened in 2016 related to security threats, but also\u00a0some good things that happened on the privacy front. Some of the bad news […]<\/p>\n","protected":false},"author":79,"featured_media":61528,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[7,3,151,13],"tags":[2680,80,199,3175],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\nMac Malware<\/h3>\n
![\"wares-banner\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/wares-banner.jpg\")
<\/p>\n![\"transmission-update-crop\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/transmission-update-crop.jpg\")
<\/p>\n![](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/EasyDoc-crop-1.jpg\")
Then in July, a piece of malware named Eleanor<\/a>, posing as a file converter application, installed a backdoor on infected systems that enabled an attacker to have full access to the operating system, webcam and more.<\/p>\n![\"gatekeeper-both-gates-open\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/gatekeeper-both-gates-open.jpg\")
<\/a>With malware being signed by a Developer ID, Gatekeeper will\u00a0not block it from running. Instead, it will give the default warning that the app was downloaded from the Internet and to proceed with caution, a warning Mac users are now so used to it is often given barely a glance. Gatekeeper only becomes useful if malware is discovered, reported and the offending Developer ID is blocked. This will cause the application to be blocked and unable to install. The problem with this is that it only works for new installations after the Developer ID is blocked, and so anyone that already has the malicious application installed is not protected by this as the application will continue to run.<\/p>\n\n
macOS\u00a0Vulnerabilities<\/h3>\n
![\"macos_security_update\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/macOS_security_update.jpg\")
<\/p>\nPlug-in Security Issues<\/h3>\n
![\"flash-install-icon\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/flash-install-icon.jpg\"){kind=icon}
Flash Player was\u00a0updated several times over the year\u00a0year and, at the time of writing this article, racked up over 260 vulnerability entries<\/a>\u00a0with the majority related to\u00a0code execution. The amount of CVE’s is not necessarily a bad thing. Apple, for example, had 215 CVE’s listed for OS X<\/a>\u00a0at the time of writing and 161 CVE’s for iOS<\/a>. What should be watched is the severity of these vulnerabilities; when it comes to severity, Flash Player has far more than OS X or iOS.<\/p>\nThird-Party Software and Macs<\/h3>\n
![\"skype-icon\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/skype-icon.jpg\"){kind=icon}
We already mentioned some of the third-party software woes experienced during 2016,\u00a0such as EasyDoc Converter (distributing Eleanor) and Transmission (distributing KeRanger). Other\u00a0well known software made headlines, too. Skype for Mac was found to have a backdoor that had been around for at least 5 years<\/a>. Those are the kind of vulnerabilities that make excellent 0-days, and this may very well have been one without anyone knowing. Skype addressed the vulnerability, and so\u00a0the good news is that the latest version of Skype is backdoor free.<\/p>\nData Breaches<\/h3>\n
![\"fancy-bear\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/fancy-bear-150x107.png\")
Russian hacking group Fancy Bear<\/a> broke into the World Anti-Doping Agency (WADA) database and released medical records of U.S. athletes. You may recall the name Fancy Bear as their group was found to be responsible for the Komplex trojan mentioned earlier. This hack not only showed that the Olympics may as well show big “made possible by banned substances” banners, but also pointed out the flawed therapeutic use exemption (TUE) system. Oh and, of course, it upset a lot of athletes.<\/p>\nPrivacy Issues<\/h3>\n
[T]he U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone. […] In the wrong hands, this software \u2014 which does not exist today \u2014 would have the potential to unlock any iPhone in someone\u2019s physical possession. […] We are challenging the FBI\u2019s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications. While we believe the FBI\u2019s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.<\/p><\/blockquote>\n
![\"yahoo-logo\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/yahoo-logo-150x53.jpg\"){kind=logo}
Yahoo made headlines several times in 2016,\u00a0and the previously mentioned data breaches were just a part of their news coverage. In October, a story broke revealing Yahoo had been scanning customer emails<\/a> on behest of the federal government. This was not mentioned as a breach, because\u00a0Yahoo built and implemented the scanning software themselves. Not even Yahoo’s own security team knew about this until after the program went live and made them believe they got hacked. Reportedly this course of events caused Yahoo’s own cyber security chief Stamos to quit and move to FaceBook a month later.<\/p>\nDDoS Attacks<\/h3>\n
Encryption by Default<\/h3>\n
\n![\"eff-lets-encrypt-2016-plot\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/12\/eff-lets-encrypt-2016-plot.png\")
\nWordpress.org, OVH, Shopify, Tumblr and Squarespace are some of the many hosting providers that chose to make HTTPS the default. From metrics collected by Mozilla, close to 50% of all page loads were done over HTTPS. Thus, 2016 was a good year for encryption!<\/p>\nSummary<\/h3>\n