Many macOS users believe their operating system is immune to malware, so they don’t need to take extra security precautions. In reality, it’s far from the truth, and new threats keep popping up.

Are there viruses for macOS?

Yes — and plenty of ’em. Here are some examples of Mac malware we’ve previously covered on Kaspersky Daily and Securelist:

• A crypto-wallet-stealing Trojan disguised as pirated versions of popular macOS apps.

This Trojan’s malicious payload is stored in the “activator”. The cracked app won’t work until it’s launched.Source

• Another crypto-stealing Trojan, this one masquerading as a PDF document titled “Crypto-assets and their risks for financial stability”.
• A Trojan that used infected Macs to create a network of illegal proxy servers for routing malicious traffic.
• The Atomic stealer, distributed as a fake Safari update.

We could go on with this list of past threats, but let’s instead now focus on one of the latest attacks targeting macOS users, namely – the Banshee stealer…

What the Banshee stealer does

Banshee is a fully-fledged infostealer. This is a type of malware that searches the infected device (in our case, a Mac) for valuable data and sends it to the criminals behind it. Banshee is primarily focused on stealing data related to cryptocurrency and blockchain.

Here’s what this malware does once it’s inside the system:

• Steals logins and passwords saved in various browsers: Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex Browser, and Opera.
• Steals information stored by browser extensions. The stealer targets over 50 extensions – most of which are related to crypto wallets, including Coinbase Wallet, MetaMask, Trust Wallet, Guarda, Exodus, and Nami.
• Steals 2FA tokens stored in the Authenticator.cc browser extension.
• Searches for and extracts data from cryptocurrency wallet applications, including Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger.
• Harvests system information and steals the macOS password by displaying a fake password entry window.

Banshee compiles all this data neatly into a ZIP archive, encrypts it with a simple XOR cipher, and sends it to the attackers’ command-and-control server.

In its latest versions, Banshee’s developers have added the ability to bypass the built-in macOS antivirus, XProtect. Interestingly, to evade detection, the malware uses the same algorithm that XProtect uses to protect itself, encrypting key segments of its code and decrypting them on the fly during execution.

How the Banshee stealer spreads

The operators of Banshee primarily used GitHub to infect their victims. As bait, they uploaded cracked versions of expensive software such as Autodesk AutoCAD, Adobe Acrobat Pro, Adobe Premiere Pro, Capture One Pro, and Blackmagic Design DaVinci Resolve.

The creators of Banshee used GitHub to spread the malware under the guise of pirated software. Source

The attackers often targeted both macOS and Windows users at the same time: Banshee was often paired with a Windows stealer called Lumma.

Another Banshee campaign, discovered after the stealer’s source code was leaked (more on that below), involved a phishing site offering macOS users to download “Telegram Local” – supposedly designed to protect against phishing and malware. Of course, the downloaded file was infected. Interestingly, users of other operating systems wouldn’t even see the malicious link.

A phishing site offers to download Banshee disguised as “Telegram Local”, but only to macOS users (left). Source

The past and future of Banshee

Let’s now turn to Banshee’s history, which is really quite interesting. This malware first appeared in July 2024. Its developers marketed it as a malware-as-a-service (MaaS) subscription, charging $3000 per month.

Business must not have been great, as by mid-August they’d slashed the price by 50% – bringing the monthly subscription down to $1500.

A hacker site ad announcing a discount on Banshee: $1500 instead of $3000 per month. Source

At some point, the creators either changed their strategy, or decided to add an affiliate program to their portfolio. They began recruiting partners for joint campaigns. In these campaigns, Banshee’s creators provided the malware, and the partners executed the actual attack. The developers’ idea was to split the earnings 50/50.

However, something must have gone very wrong. In late November, Banshee’s source code was leaked and published on a hacker forum – thus ending the malware’s commercial life. The developers announced they were quitting the business – but not before attempting to sell the entire project for 1BTC, and then for $30,000 (most likely having learned of the leak).

Thus, for several months now, this serious stealer for macOS has been available to essentially anyone completely free of charge. Even worse, with the source code also available, cybercriminals can now create their own modified versions of Banshee.

And judging from the evidence, this is already happening. For example, the original versions of Banshee stopped working if the operating system was running in the Russian language. However, one of the latest versions has removed the language check, meaning Russian-speaking users are now also at risk.

How to protect yourself from Banshee and other macOS threats

Here are some tips for macOS users to stay safe:

• Don’t install pirated software on your Mac. The risk of running into a Trojan by doing so is very high, and the consequences can be severe.
• This is especially true if you use the same Mac for cryptocurrency transactions. In this case, the potential financial damage could significantly exceed any savings you make on purchasing genuine software.
• In general, avoid installing unnecessary applications, and remember to uninstall programs you no longer use.
• Be cautious with browser extensions. They may seem harmless at first glance, but many extensions have full access to the contents of all web pages, making them just as dangerous as full-fledged apps.
• And of course, be sure to install a reliable antivirus on your Mac. As we’ve seen, malware for macOS is a very real threat.

Finally, a word on Kaspersky security products. They can detect and block many Banshee variants with the verdict Trojan-PSW.OSX.Banshee. Some new versions resemble the AMOS stealer, so they can also be detected as Trojan-PSW.OSX.Amos.gen.

Kaspersky official blog – ​Read More

Threat actors increasingly deployed web shells against vulnerable web applications and primarily exploited vulnerable or unpatched public-facing applications to gain initial access in Q4, a notable shift from previous quarters. The functionality of the web shells and targeted web applications varied across incidents, highlighting the multitude of ways threat actors can leverage vulnerable web servers as a gateway into a victim’s environment. Prior to this quarter, use of valid accounts had been Cisco Talos Incident Response (Talos IR)’s most observed method of initial access for over a year.  

Ransomware made up a slightly smaller portion of threats observed this quarter than in the past. Notably, the end of the year saw a surge of ransomware and pre-ransomware incidents, primarily involving BlackBasta ransomware, suggesting this as a threat to monitor going into 2025.  

Web shells increasingly observed in adversaries’ post-compromise toolkits 

In 35 percent of incidents in Q4, threat actors deployed a variety of open-source and publicly available web shells against vulnerable or unpatched web applications, a significant increase from less than 10 percent in the previous quarter. In one incident, Talos IR observed the adversary uploading a web shell with the file name “401.php”, which was also seen last quarter. This PHP web shell is based on the publicly available Neo-regeorg web shell on GitHub and has been leveraged in several adversaries’ attack chains, according to a CISA advisory. Another incident involved the web fuzzer Fuzz Faster U Fool, which is used to perform brute force attacks against web applications to discover usernames and passwords and perform directory and virtual host discovery.  

Adversaries also leveraged older tools to support their post-compromise objectives, serving as a reminder for organizations to remain vigilant in adding applications to the allowlist/blocklist to control what software operates on their systems. In one incident, the attacker targeted a vulnerable server of JBoss using a tool called JexBoss, which was originally released on Github in 2014 and can be used to test and exploit vulnerabilities in Java platforms. The adversary saved JexBoss as a WAR file, and the contents included a malicious web shell named “jexws4.jsp”.  

Ransomware trends 

Ransomware, pre-ransomware, and data theft extortion accounted for nearly 30 percent of engagements this quarter, a slight decrease from the previous quarter, in which these types of engagements accounted for 40 percent. Talos IR observed Interlock ransomware for the first time, while also responding to previously seen ransomware variants BlackBasta and RansomHub. Talos IR was able to identify dwell times in the majority of engagements this quarter, which ranged from approximately 17 to 44 days. For example, in the Interlock ransomware incident, it took the adversary 17 days from the initial compromise stage until the deployment of the ransomware encryptor binary. Longer dwell times can indicate that an adversary is trying to expand their access, evade defenses, and/or identify data of interest for exfiltration. For example, in a RansomHub incident this quarter, operators had access to the compromised network for over a month before executing the ransomware and performed actions such as internal network scanning, accessing passwords for backups, and credential harvesting.  

Operators leveraged compromised valid accounts in 75 percent of ransomware engagements this quarter to obtain initial access and/or execute ransomware on targeted systems, highlighting the risk of identity-based attacks and the need for secure authentication methods. In a BlackBasta incident, for example, operators posed as the targeted entity’s IT department and used social engineering to gain access to an employee’s account, which consequently facilitated lateral movement into the network. In a RansomHub engagement, affiliates leveraged a compromised Administrator account to execute the ransomware, dump credentials, and run scans using a commercial network scanning tool. Of note, all organizations impacted by ransomware incidents this quarter did not have multifactor authentication (MFA) properly implemented or MFA was bypassed during the attack. 

As forecasted in last quarter’s IR quarterly trends report, this quarter featured two RansomHub incidents, in which affiliates leveraged newly identified tools and techniques. Talos IR observed affiliates leveraging a Veeam password stealer to target the Veeam data backup application, and KMS Auto, a tool designed to illicitly activate cracked Microsoft products. The operators also used a previously unseen persistent access technique, modifying Windows Firewall settings on targeted hosts to enable remote access. This activity occurred shortly before the ransomware was executed, potentially as a method to maintain direct access to the compromised systems. 

Talos IR observed operators leveraging remote access tools in 100 percent of ransomware engagements this quarter, a significant uptick from last quarter, when it was only seen in 13 percent of ransomware or pre-ransomware engagements. Commercial remote desktop software Splashtop in particular was involved in 75 percent of ransomware engagements this quarter, and other observed remote access tools included Atera, Netop, AnyDesk, and LogMeIn. In at least 50 percent of engagements, these tools were used to facilitate lateral movement, as actors used this remote access to pivot to other systems in the environment. 

Looking forward: Talos IR saw BlackBasta ransomware in one engagement that closed this quarter, as well as in a number of engagements that kicked off near the end of the year. In the observed attack chain, BlackBasta operators impersonate IT personnel to conduct double extortion attacks, which involves exfiltration of sensitive information that is then encrypted to pressure victims into paying. Our observations and corresponding public reporting on the group’s recent uptick in activity since December indicate that this is a ransomware threat to monitor going into the new year. 

Targeting  

Organizations in the education vertical were most affected for the second quarter in a row, accounting for nearly 30 percent of engagements. This is also consistent with Talos IR Q1 2024 (January–March) targeting trends, where the education sector was tied for the top targeted industry vertical. 

Initial access 

For the first time in over a year, the most observed means of gaining initial access was the exploitation of public-facing applications, accounting for nearly 40 percent of engagements when initial access could be determined. This is a significant departure compared to previous quarters, where the use of valid accounts was consistently a top observed technique leveraged for initial access. While we still observed adversaries leverage compromised credentials and valid accounts to gain access, this shift is likely largely due to the number of web shell and ransomware incidents that took advantage of poorly patched or publicly exposed applications. 

Looking forward: Since early December 2024, Talos IR has observed a surge in password-spraying attacks, leading to user account lockouts and denied VPN access. These attacks are often characterized by large volumes of traffic. For example, one organization reported nearly 13 million attempts were made in 24 hours against known accounts, indicating the adversary was likely running automated attacks. This activity primarily affected organizations in the public administration sector and was likely random and opportunistic. Although adversaries have been using password-spraying attacks for credential access for years, the sheer volume of authentication attempts in quick succession is a reminder that organizations should continue to stress the importance of MFA and strong password policies to limit unauthorized access attempts. 

Recommendations for addressing top security weaknesses 

 Implement MFA and other identity and access control solutions  

Talos IR recommends ensuring MFA is enforced on all critical services, including all remote access and identity and access management (IAM) services. In addition, to defend against MFA bypass via social engineering where prompts are accepted by a legitimate user, regular cybersecurity awareness training should cover relevant and updated social engineering topics. 

We continue to see a significant number of compromises involving misconfigured, weak, or lack of MFA. This issue was present in nearly 40 percent of total engagements this quarter and, as mentioned above, 100 percent of organizations impacted by ransomware incidents did not have MFA properly implemented or it was bypassed via social engineering.  

Since compromised accounts remains a top initial access vector, consider investing in IAM sevices and User Behavior Analytics (UBA), which can help identity suspicious account usage. 

Patch regularly and replace end-of-life assets 

Talos IR also strongly recommends organizations ensure all operating systems and software in the environment are currently supported and replace those that have reached end-of-life. Unpatched and/or vulnerable software helped facilitate initial access across several incidents this quarter, and nearly 15 percent of incidents suffered from outdated and end-of-life software.  

If patching is not possible consider other mitigations, such as monitoring, especially for typical post-exploitation tools and behaviors; improving segmentation through firewalls, switch VLANs, subnetting, etc.; and disabling access to administrative shares.  In 40 percent of the web shell engagements, poor network segmentation and access to administrative shares resulted in adversaries moving laterally. 

Implement properly configured EDR solution  

Implement properly configured EDR and other security solutions. If an organization lacks the resources to successfully implement these solutions, they can consider outsourcing to a Managed XDR vendor to ensure proper configuration and 24/7 monitoring by security experts. 

Misconfigured or missing EDR solutions affected over 25 percent of all incidents for the quarter.   

Top-observed MITRE ATT&CK techniques  

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.  

Key findings from the MITRE ATT&CK framework include: 

• The use of remote access tooling, such as Splashtop or AteraAgent, was leveraged in nearly 40 percent of engagements, compared to 5 percent in the previous quarter. 
• Remote access tooling was leveraged in 100 percent of the ransomware incidents observed in Q4, a significant shift compared to that of the previous quarter. 
• This is the first quarter in well over a year in which the use of valid accounts was not the top initial access technique. Instead, exploitation of public-facing applications, largely contributed by the high number of web shell incidents, was the top means of gaining access this quarter. 

Cisco Talos Blog – ​Read More

Overview

A pair of 9.8-severity flaws in mySCADA myPRO Manager SCADA systems were among the vulnerabilities highlighted in Cyble’s weekly Industrial Control System (ICS) Vulnerability Intelligence Report.

Cyble Research & Intelligence Labs (CRIL) examined eight ICS vulnerabilities in the January 28 report for clients, including high-severity flaws in critical manufacturing, energy infrastructure, and transportation networks.

OS Command Injection (CWE-78) and Improper Security Checks (CWE-358, CWE-319) accounted for half of the vulnerabilities in the report, “indicating a persistent challenge in securing authentication and execution processes in ICS environments,” Cyble said.

Critical mySCADA Vulnerabilities

The critical mySCADA myPRO supervisory control and data acquisition (SCADA) vulnerabilities haven’t yet appeared in the NIST National Vulnerability Database (NVD) or the MITRE CVE database, but they were the subject of a CISA ICS advisory on January 23.

The mySCADA myPRO Manager system provides user interfaces and functionality for real-time monitoring and control of industrial processes across a range of critical industries and applications. CISA said the vulnerabilities can be exploited remotely with low attack complexity, potentially allowing a remote attacker to execute arbitrary commands or disclose sensitive information.

CVE-2025-20061 was assigned a CVSS v3.1 base score of 9.8 and is an Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability. CISA said mySCADA myPRO does not properly neutralize POST requests sent to a specific port with email information, so the vulnerability could be used to execute arbitrary commands on an affected system.

CVE-2025-20014 is also a 9.8-severity OS Command Injection vulnerability, as myPRO also does not properly neutralize POST requests sent to a specific port with version information, which could potentially lead to an attacker executing arbitrary commands.

The following mySCADA products are affected:

• myPRO Manager: Versions prior to 1.3
• myPRO Runtime: Versions prior to 9.2.1

mySCADA recommends that users update to the latest versions:

• mySCADA PRO Manager 1.3
• mySCADA PRO Runtime 9.2.1

CISA also recommended that users minimize network exposure for all control system devices and systems to ensure they are not accessible from the Internet, locate control system networks and remote devices behind firewalls, and isolate them from business networks. If remote access is necessary, additional security steps, such as an updated VPN on a secure device, should be used.

Recommendations for Mitigating ICS Vulnerabilities 

Cyble recommends several controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include:

1. Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA is recommended. A risk-based approach to vulnerability management reduces the risk of exploitation.
2. Implementing a Zero-Trust Policy to minimize exposure and ensure that all internal and external network traffic is scrutinized and validated.
3. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency.
4. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets.
5. Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors.
6. Establishing and maintaining an incident response plan and ensuring that it is tested and updated regularly to adapt to the latest threats.
7. All employees, especially those working with Operational Technology (OT) systems, should be required to undergo ongoing cybersecurity training programs. The training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations.

Conclusion

Industrial Control Systems (ICS) vulnerabilities can threaten critical infrastructure environments, with the potential to disrupt operations, compromise sensitive data, and cause physical damage. Staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls are critical cybersecurity practices for ICS, OT, and SCADA environments.

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by  Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape.

The post ICS Vulnerability Report: Cyble Urges Critical mySCADA Fixes appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued two urgent advisories regarding serious ICS vulnerabilities in industrial control systems (ICS) products. These ICS vulnerabilities, identified in Schneider Electric’s RemoteConnect and SCADAPack x70 Utilities, as well as B&R Automation’s Runtime software, pose online risks to critical infrastructure systems worldwide. The ICS vulnerabilities, if exploited, could lead to potentially devastating impacts on the integrity, confidentiality, and availability of systems within energy, critical manufacturing, and other essential sectors.

Schneider Electric’s Vulnerability in RemoteConnect and SCADAPack x70 Utilities

The ICS vulnerability in Schneider Electric’s RemoteConnect and SCADAPack x70 Utilities arises from the deserialization of untrusted data, identified as CWE-502. This flaw could allow attackers to execute remote code on affected workstations, leading to several security risks, including the loss of confidentiality and integrity. The issue is triggered when a non-admin authenticated user opens a malicious project file, which could potentially be introduced through email, file sharing, or other methods.

Schneider Electric has assigned the CVE identifier CVE-2024-12703 to this vulnerability, with a base CVSS v3 score of 7.8 and a CVSS v4 score of 8.5. Both versions highlight the severity of the issue, with potential consequences including unauthorized remote code execution.

This vulnerability affects all versions of both RemoteConnect and SCADAPack x70 Utilities, products widely deployed in sectors such as energy and critical manufacturing across the globe. Although Schneider Electric is working on a remediation plan for future product versions, there are interim steps that organizations can take to mitigate the risk. These include:

• Only opening project files from trusted sources
• Verifying file integrity by computing and checking hashes regularly
• Encrypting project files and restricting access to trusted users
• Using secure communication protocols when exchanging files over the network
• Following established SCADAPack Security Guidelines for added protection

CISA recommends minimizing the network exposure of control system devices, ensuring they are not directly accessible from the internet, and placing control system networks behind firewalls to isolate them from business networks. When remote access is necessary, using secure methods like Virtual Private Networks (VPNs) is strongly advised. However, organizations should ensure that VPNs are regularly updated and adequately secured.

B&R Automation Runtime Vulnerability

The second advisory concerns a vulnerability in B&R Automation Runtime, a key software used in industrial control systems. The flaw arises from the use of a broken or risky cryptographic algorithm in the SSL/TLS component of B&R Automation Runtime versions prior to 6.1 and B&R mapp View versions prior to 6.1. Unauthenticated network-based attackers could exploit this vulnerability to impersonate legitimate services on impacted devices, creating opportunities for unauthorized access.

B&R Automation assigned CVE-2024-8603 to this vulnerability, which is identified as CWE-327. The CVSS v3 base score for this flaw is 7.5, indicating a moderately high risk to the affected systems. This vulnerability is especially concerning as it is exploitable remotely, with low attack complexity, making it a viable target for attackers seeking to compromise ICS environments.

The affected products are used worldwide, primarily in the critical manufacturing sector. B&R Automation has released an update (version 6.1) that corrects the issue, and users are strongly encouraged to apply this update to mitigate the risk. In the meantime, CISA recommends several mitigation strategies to limit exposure, including:

• Applying the update to B&R Automation Runtime and B&R mapp View products as soon as possible
• Minimizing network exposure for all control system devices to prevent direct internet access
• Implementing firewalls and isolating control system networks from business networks
• Utilizing VPNs for remote access while ensuring that VPNs are kept up-to-date and secure

Conclusion

While no known public exploits targeting these vulnerabilities have been reported to CISA at the time of publication, the discovery of these flaws in Schneider Electric and B&R Automation products highlights the ongoing risks facing critical infrastructure sectors. Exploiting vulnerabilities in ICS products can lead to serious consequences, including data breaches, operational disruptions, and physical damage to infrastructure.

These incidents emphasize the urgent need for organizations to adopt proactive cybersecurity measures, such as regular patching, file integrity verification, and secure network configurations. By following CISA’s guidance and implementing comprehensive defense-in-depth strategies, organizations can better protect their systems from both known and emerging threats, ultimately reducing their exposure to cyber risks and ensuring the security of critical assets.

References:

• https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-06
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-01

The post New ICS Vulnerabilities Discovered in Schneider Electric and B&R Automation Systems appeared first on Cyble.

Blog – Cyble – ​Read More