One of the first malware samples tailored to run natively on Apple’s M1 chips has been discovered, suggesting a new development that indicates that bad actors have begun adapting malicious software to target the company’s latest generation of Macs powered by its own processors.
While the transition to Apple silicon has necessitated developers to build new versions of their apps to ensure better performance and compatibility, malware authors are now undertaking similar steps to build malware that are capable of executing natively on Apple’s new M1 systems, according to macOS Security researcher Patrick Wardle.
Wardle detailed a Safari adware extension called GoSearch22 that was originally written to run on Intel x86 chips but has since been ported to run on ARM-based M1 chips. The rogue extension, which is a variant of the Pirrit advertising malware, was first seen in the wild on November 23, 2020, according to a sample uploaded to VirusTotal on December 27.
“Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications, so that their code will natively run on M1 systems,” said Wardle in a write-up published yesterday. “The malicious GoSearch22 application may be the first example of such natively M1 compatible code.”
While M1 Macs can run x86 software with the help of a dynamic binary translator called Rosetta, the benefits of native support mean not only efficiency improvements but also the increased likelihood of staying under the radar without attracting any unwanted attention.
First documented in 2016, Pirrit is a persistent Mac adware family notorious for pushing intrusive and deceptive advertisements to users that, when clicked, downloads and installs unwanted apps that come with information gathering features.
For its part, the heavily obfuscated GoSearch22 adware disguises itself as a legitimate Safari browser extension when in fact, it collects browsing data and serves a large number of ads such as banners and popups, including some that link to dubious websites to distribute additional malware.
Wardle said the extension was signed with an Apple Developer ID “hongsheng_yan” in November to further conceal its malicious content, but it has since been revoked, meaning the application will no longer run on macOS unless attackers re-sign it with another certificate.
Although the development highlights how malware continues to evolve in direct response to both hardware changes, Wardle warned that “(static) analysis tools or antivirus engines may struggle with arm64 binaries,” with detections from industry-leading security software dropping by 15% when compared to the Intel x86_64 version.
GoSearch22’s malware capabilities may not be entirely new or dangerous, but that’s beside the point. If anything, the emergence of new M1-compatible malware signals this is just a start, and more variants are likely to crop up in the future.
A full-time mass work from home (WFH) workforce was once considered an extreme risk scenario that few risk or security professionals even bothered to think about.
Unfortunately, within a single day, businesses worldwide had to face such a reality. Their 3-year long digital transformation strategy was forced to become a 3-week sprint during which offices were abandoned, and people started working from home.
Like in an eerie doomsday movie, servers were left on in the office, but nobody was sitting in the chairs.
While everyone hopes that the world returns to its previous state, it’s evident that work dynamics have changed forever. From now on, we can assume a hybrid work environment.
Even companies that will require their employees to arrive daily at their offices recognize that they have undergone a digital transformation, and work from home habits will remain.
The eBook “5 Security Lessons for Small Security Teams for a Post-COVID19 Era” (download here) helps companies prepare for these new work dynamics. The practical insights and provided recommendations make this a very helpful guide for small security teams that feel the brunt of security on a daily basis and now need to add one more item to their security strategy planning and execution.
This eBook details the following five security lessons derived from current business, IT, and threat landscape trends:
You can’t do it all. In particular, they suggest asking your security vendor for their customer success and offered services. Some vendors provide a range of free offerings, but many customers don’t realize this and forego the opportunity to extend their security team virtually.
Response speed is the name of the game. Everyone will tell you that automation is key. The guide takes it a step further and also suggests how to remove overheads from security stacks as well as how to reduce analyst work inefficiencies.
More corporate devices to be issued to employees. This point provides best practices for securely procuring and managing all of those new devices, also when the security team works remotely.
Supply chain attacks are on the rise. Your supplier’s security, unfortunately, becomes your security. The guide provides tips on how to receive more visibility into the threats that now reside in your environment, including how to address this challenge in a budget-constrained way.
Economies have changed. When ransomware is growing to insurmountable amounts, what are the ways – from training to technologies – to best protect your business.
At the end of the day, small security teams deal with many challenges. As all security teams go, they have the burden of tedious tasks and operational demands while needing to keep the business going.
But on top of that, they have a stricter budget and human resource limitations. In each practical step, this guide takes these constraints into consideration.
It’s no secret that sysadmins have plenty on their plates. Managing, troubleshooting, and updating software or hardware is a tedious task. Additionally, admins must grapple with complex webs of permissions and security. This can quickly become overwhelming without the right tools.
If you’re a sysadmin seeking to simplify your workflows, you’re in luck. We’ve gathered some excellent software picks to help tackle different duties more efficiently.
Thankfully, these free tools are also respectful of tight budgets—without sacrificing core functionality.
Best for Permissions Management: SolarWinds Permissions Analyzer for Active Directory
Whether you are part of an organization with many members or numerous resources, keeping track of permissions can be challenging. Changes in responsibilities, titles, or even employment statuses can influence one’s access to proprietary data. Each user has unique privileges.
SolarWinds Permissions Analyzer streamlines this process. Once the software has system access, you may inspect user permissions using the search bars. This lets you cross-reference specific users with key file groups—showing read access, write or modify access, delete or create capabilities, and even full control.
How does Permissions Analyzer (PA) check this?
The tool performs a user search
PA reads NTFS rights and calculates NTFS permissions
PA then reads membership information for any pertinent groups
PA searches for local group membership information
The program reads share rights, calculating share permissions
Finally, results are merged and finalized
This process is incredibly quick. Referring to the figure above, the way SolarWinds displays this information is its bread and butter. Permissions Analyzer organizes the output into a hierarchical table—including expandable categories based on inheritance. For instance, you can see if group membership impacts specific permissions statuses.
This information is shown in concert with NTFS, Shares, and Total permissions. The GUI allows for quick consumption using iconography and color (partially adopting the traffic light scheme). Therefore, PA excels where alternatives fall short: simplicity and usability.
Note that SolarWinds Permissions Analyzer is an investigative tool. It doesn’t allow you to edit permissions within the app; however, it provides rapid visibility into your permissions structure.
Best for Boosting Password Security: Specops Password Auditor
Active Directory password security is vitally important, yet many organizations routinely fail short. Teams can institute password policies—both broad and fine-grained. But, are these efforts adequate? Specops Password Auditor can answer that question and more for you.
Password Auditor does what its namesake implies by scanning all user accounts within your environment to detect leaked passwords. Specops maintains a dictionary of compromised passwords; should any user passwords match, Password Auditor highlights them within the tool.
The central dashboard displays the following in a unified view:
Breached passwords (and their corresponding users)
Identical passwords (and matching users)
Admin account names and stale variants
Accounts with expired passwords
Various password policies according to users, roles, and security
Password policy usage and compliance (pass, caution, fail)
This breakdown is easier to read at a glance than most others out there—including some paid options. It’s also a great supplement to Azure AD Password Protection. While that functionally applies password policies to domain controllers, Password Auditor determines if these policies are ultimately working properly.
Are dormant accounts causing issues? Perhaps password length and complexity aren’t up to snuff. Password Auditor can shed light on these issues.
Like SolarWinds Permissions Analyzer, Specops’ tool conducts a scan of your users and policies. This process is quick and easy to monitor. Password Auditor automatically compiles a report of its findings, which is available as a downloadable PDF. You may also export to CSV.
Worried about potential tampering? Specops Password Auditor is a read-only program.
Best for Network Visibility and Protocol Analysis: Wireshark
For lovers of the now-deprecated Microsoft Message Analyzer, Wireshark has emerged as a popular replacement. The multi-platform tool supports an expansive list of operating systems:
Windows 8+ and Windows Server 2012(R)+
macOS 10.12+
Over a dozen versions of UNIX, Linux, and BSD
Wireshark can inspect hundreds of network protocols, and even when that list is continually evolving. Accordingly, Wireshark can capture data whether you’re online or offline, allowing for uninterrupted inspection. Wireshark also supports over 20 capture file formats.
You may retrospectively parse logs using your preferred interface—whether that be the GUI or the TShark terminal utility. Files compressed using gzip can be uncompressed on the fly, which saves time.
Want to inspect the packets traveling throughout your network? Simply take advantage of the three-pane browser view, which keeps data well organized. Layouts also feature collapsible sections—letting you reveal additional details on demand or keep the interface uncluttered.
What else does Wireshark offer?
Numerous display filters
VoIP analysis
Real-time data reads over ethernet, IEEE, Bluetooth, USB, token ring, and more
Decryption for IPsec, Kerberos, SNMP, ISAKMP, SSL/TLS, WEP, WPA, and WPA2
Customizable coloring rules
Easy data export via XML, PostScript, CSV, or plain text
Wireshark remains open source to this day, and the developers maintain high-quality documentation on Wireshark’s website and GitHub pages.
Best for Proactive User-Password Management: Specops Password Notification Email
Even when your password policy is sound, it’s important to keep passwords from becoming stale. This can prevent hackers from gaining repeat access to a compromised account over the long term.
Unanticipated expiry can also separate users from vital resources. Accordingly, companies enforcing periodic password expiry should look no further than Specops Password Notification.
Password Notification’s premise is pretty simple: prevent a lockout, thwart unwanted access, and keep users connected from afar. Additionally, the goal is to lessen the burden on help desk technicians and universally prevent frustration. How exactly does the tool work?
The pwdLastSet attribute is compared to the maximum password age. This age is outlined in a given domain policy or fine-grained password policy
Users impacted by relevant GPOs are sent notification emails when their password nears expiry. This warning period, message, and subject are customizable
IT admins can communicate with all users—even those on remote networks or VPNs
Regular Windows users don’t receive these alerts when they’re off the network.
How else can you tailor emails in Password Notification? Email frequency is adjustable, as are recipients (including multiple contacts). You can also set priority levels that change dynamically as deadlines approach. Seamless time zone integrations are also available.
Manual methods might otherwise rely on scripting via PowerShell. Specops’ tool gives users rich functionality out of the box, without the need for heavy configuration.
