News of the “KeRanger” ransomware ruins the fantasy that Mac OS X users are immune to the threats that Windows users face. The reality is no OS is completely safe. As a security researcher I’ve learned that attackers will always find a way to exploit a device, regardless of what OS it’s running. Unlike companies trying to defend themselves, adversaries don’t have to worry about budgets and staffing. They only care about achieving the operation’s goal. To a motivated attacker, Windows, Linux and OS X are all vulnerable.
But there’s a false perception that OS X is impervious to attacks. While more threats may target Windows than OS X, that doesn’t make Macs completely safe. Again, to motivated attackers the OS is irrelevant; their focus is the mission. They just need one vector to work to carry out an attack successfully.
KeRanger’s discovery shows ransomware is no longer a threat that exclusively targets Windows users. But the malware illustrates the larger point that adversaries are developing more ways to hack into OS X and going to great lengths to ensure that they’re successful.
In the case of KeRanger, which was discovered by Palo Alto Networks, the malware had infected legitimate open-source software: the Transmission BitTorrent client. The software was downloaded from Transmission’s website, meaning the client’s website was serving malware.
KeRanger has some traits of a watering-hole drive-by attack, a vector that’s being used more frequently. In fact, this was the second time in the past few weeks that a vendor’s software was hijacked to spread malware because the vendor’s Web servers weren't secure. In late February, the Linux Mint website was hacked and distributed malware-infested ISOs for a day. It's a pretty crazy situation.
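In both incidents the poisoned installer came from the vendor’s own site, so the only reliable defence for a user was to compare the download against a checksum obtained from somewhere else (a signed release manifest, or a digest recorded before the compromise). The script below is an added example, not code from Transmission, Linux Mint, Palo Alto Networks or the author; the manifest, file names and file contents are constructed placeholders. It parses a `sha256sum`-style manifest, hashes each listed download and reports `ok`, `MISMATCH` or `MISSING` for every entry.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large ISOs and DMGs don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<64 hex chars>  <filename>' lines (sha256sum layout) into a dict.

    A leading '*' on the filename (sha256sum's binary-mode marker) is dropped.
    Malformed lines raise instead of being silently skipped.
    """
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_downloads(manifest_text, download_dir):
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = sha256_file(path)
        # compare_digest avoids leaking which prefix matched via timing;
        # cheap insurance even though the digests are not secrets here.
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results


def demo():
    """Constructed scenario: the manifest was recorded out-of-band, but the
    download served later was swapped for a different file."""
    genuine = b"pretend this is the genuine installer\n"
    served = b"pretend this is the trojanised installer\n"
    manifest = (
        "# constructed manifest, obtained separately from the download site\n"
        f"{hashlib.sha256(genuine).hexdigest()}  example-client.dmg\n"
        f"{hashlib.sha256(genuine).hexdigest()}  example-distro.iso\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "example-client.dmg"), "wb") as f:
            f.write(served)  # the ISO is deliberately never written
        return verify_downloads(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A checksum shown on the same page as the download adds nothing once that server is under an attacker’s control; the value has to come from a channel the attacker did not own, which is why signed manifests or digests pinned in configuration management are the usual answer.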
KeRanger, a port of the Linux.Encoder malware, was signed with a certificate from a legitimate Apple developer. This allowed the malware to circumvent Gatekeeper, a security mechanism built into OS X that identifies unsigned programs and gives users the option of blocking them from running. Additionally, Macs can be configured not to run programs that lack a certificate, a common practice at many companies. Having a certificate gave the malware the appearance of a legitimate program. The certificates sell for $99, a price that’s worthwhile considering the profit that can be made by hijacking people’s data.
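Gatekeeper answers the question “is this signed by some valid Developer ID?”, which a $99 certificate satisfies. A stricter check on a managed fleet is whether the signer is the developer you expected for that bundle. The script below is an added example, not Apple’s, Cybereason’s or the author’s code: it parses the text that macOS prints for `codesign -dvv <app>` (on stderr) and compares the `TeamIdentifier` against an allow-list keyed by bundle identifier. The sample output, bundle identifier and team IDs are constructed placeholders, not those of any real application or developer.

```python
import re

# Constructed sample of `codesign -dvv` output. Real output has more lines
# (CodeDirectory, Sealed Resources, ...); only the ones used here are shown.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/ExampleClient.app/Contents/MacOS/ExampleClient
Identifier=org.example.client
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Some Other Developer (ZZZZ999999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZ999999
"""

# Placeholder allow-list: bundle identifier -> team ID of the vendor we expect.
EXPECTED_TEAM_IDS = {"org.example.client": "AAAA111111"}

AUTHORITY_RE = re.compile(r"^Authority=(.*)$")


def parse_codesign(text):
    """Turn codesign's key=value lines into a dict; Authority lines repeat,
    so they are collected in order into info['authorities']."""
    info = {"authorities": []}
    for line in text.splitlines():
        m = AUTHORITY_RE.match(line)
        if m:
            info["authorities"].append(m.group(1))
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip()
    return info


def assess_signer(text, expected):
    """Classify a bundle's signature relative to an allow-list.

    Returns one of: 'unsigned', 'not Developer ID', 'unknown bundle',
    'WRONG SIGNER', 'trusted'.
    """
    # codesign reports unsigned code with a message rather than key=value lines
    if "code object is not signed" in text:
        return "unsigned"
    info = parse_codesign(text)
    authorities = info["authorities"]
    team = info.get("TeamIdentifier")
    if not authorities:
        return "unsigned"
    # A Gatekeeper-acceptable chain ends at Apple Root CA and carries a
    # "Developer ID Application" leaf; anything else is self-signed or ad hoc.
    if (not team
            or "Apple Root CA" not in authorities
            or not any(a.startswith("Developer ID Application:") for a in authorities)):
        return "not Developer ID"
    want = expected.get(info.get("Identifier"))
    if want is None:
        return "unknown bundle"
    return "trusted" if team == want else "WRONG SIGNER"


if __name__ == "__main__":
    print(assess_signer(SAMPLE_CODESIGN_OUTPUT, EXPECTED_TEAM_IDS))
```

This distinguishes “signed by a Developer ID” (what Gatekeeper checks) from “signed by the developer we expect”. It helps when an attacker signs with a certificate of their own; it does not help if the vendor’s own signing key was stolen, and the post notes that which of the two happened here is still unclear.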
Transmission was breached on a Friday and Apple rejected the developer’s certificate on Sunday, preventing the software from running on people’s computers. During that two-day span, 6,500 people downloaded the infected program, according to Transmission.
At this point, it’s still unclear whether the certificate was stolen or fraudulently obtained. And this isn’t the first OS X malware to carry a certificate. The OceanLotus malware, which was disguised as an application bundle for an Adobe Flash update, was also signed with a certificate from an Apple developer. AlienVault also noted that OceanLotus’ creators designed and programmed it for OS X, meaning it was not ported from a Windows version. Given the details the attackers included to make the malware seem authentic, users and security analysts probably had no idea that they were installing a bogus program. And I’m guessing that the people who downloaded the BitTorrent client infected with KeRanger had no idea they were also getting ransomware.
There were also zero-day attacks exploiting OS X and iOS 7, according to Hacking Team emails that emerged after the company was breached last July. Not to stoke security fears, but there may be other zero-day attacks as well.
My guess is that we're going to see more of these drive-by watering-hole attacks, since many websites use poorly secured content management systems. All computer users, including people with Macs, should take security seriously. Hackers don’t care what OS you’re running. They just want to infiltrate the system and accomplish their goals.
Amit Serper is the lead Mac OS X and Linux security researcher at Cybereason.