With the rising popularity of Macbooks, Accenture Cyber Threat Intelligence (ACTI) has observed a 1,000% increase in Dark Web threat actors targeting macOS in the past five years.
The number of Dark Web threat actors targeting MacOS increased from 202 in 2019 to 2296 in 2023, research across established dark web forums reveals. And cybercriminals are willing to trade exploits for millions of dollars.
“Historically, dark web cyber criminals have focused their efforts on Windows. Previous macOS-related activity has been limited in scope owing to the comparatively smaller role played by macOS in enterprise infrastructure globally and the more advanced and niche skills required to target the Apple operating system,” Accenture writes.
MacOS targeting activity has intensified during 2022 and the first half of 2023.
That correlates with the increased use of Apple devices in enterprise organizations. In 2020, the percentage of enterprise organizations that reported using Mac as their primary device increased to 23%, up from 17% in 2019, according to a survey by Jamf. This number is believed to be higher since the 2020 report due to the popularity of Apple’s silicon-based machines.
“Cyber criminals’ keener interest in targeting the macOS operating system comes at a time when enterprise adoption of macOS is rising, creating a perfect storm that could elevate the threat to businesses using macOS as part of their technology stack,” Accenture warns.
Established cybercriminals seek to bypass in-built macOS security and offer large sums for help. For instance, one actor offered up to $500,000 for a macOS Gatekeeper bypass or exploits. Another actor holding a 14.047 Bitcoin deposit on the forum offered up to $1 million for a working exploit of macOS.
The prices are high due to a lack of availability and high demand. For comparison, Windows zero-day exploits are often advertised for thousands of dollars and malware for hundreds.
In particular, macOS Gatekeeper and Transparency, Consent and Control (TCC) functions are targeted. The gatekeeper enforces application code signing so that only trusted software runs on the machine. TCC aims to limit the ability of applications to interact with various parts of the operating system without explicit user consent. Bypassing these could enable threat actors to deploy malware via non-trusted applications.
The high returns are likely to encourage sophisticated actors to turn their efforts towards developing malicious tools for macOS, a trend that ACTI has already observed. In August 2022, one actor advertised a vulnerability exploit for sale for $2.5 million.
With specialized and well-resourced threat actors emerging, Accenture sees an increased risk to individual users and businesses relying on macOS for daily operations.
“As more products become available, technical knowledge trickles down, and potential barriers to entry are removed, leading to a flurry of new offerings catering to macOS-targeting by dark web criminals including more infostealers, ransomware strains, RATs, loaders, exploits and credential harvesters,” it said.
The first wave of attacks is particularly risky as security teams need to adjust to the new and changing threatscape.
More from cybernews:
Subscribe to our newsletter