Windows, macOS, Linux, iOS and Android: Top Cyberattacks Targeting Operating Systems
If you’re working on a home repair project, you’ll need different tools for different tasks. Sometimes you need a hammer, other times it’s a flat-head screwdriver or perhaps needle-nose pliers. And if you’re a threat actor launching cyberattacks, you also need the right tools for the job, like an infostealer or maybe a trojan. There are a wide variety of options for would-be attackers to choose from, and these can vary based on the operating system (OS) being targeted.
BlackBerry threat researchers recently analyzed more than 3.7 million cyberattacks and uncovered the most prevalent attacks and tools used against specific OSes, including Windows®, macOS®, Linux®, iOS® and Android™. It’s wise to familiarize yourself with these because the average cost of a breach is increasing, again.
Cyberattacks Targeting Each Type of Operating System (OS)
The BlackBerry Threat Research and Intelligence team explored common cyber threats that target the most popular operating systems. Here are the results from the September 2024 Global Threat Intelligence Report.
Windows Focused Cyberattacks
In 2024, almost 27% of desktop PC users use Windows, as opposed to the 5.6% who use macOS and the 1.58% who use Linux. Due to their popularity, Windows systems are the most likely target for attack.
That’s why threat actors have turned to renting out their own malware or ransomware through business models like Malware-as-a-Service (MaaS). Lumma Stealer is a good example of this, as it provides cybercriminals with access to malicious software in exchange for a subscription fee. It’s no wonder it made our list of most prevalent threats to Windows. Here’s what our researchers observed in the last quarter:
Lumma Stealer (aka LummaC2 Stealer) — This is a C-based infostealer that focuses on extracting private and sensitive data from the victim’s device, including cryptocurrency wallet information and two-factor authentication and browser extension credentials. It was recently used in a campaign that used fake CAPTCHA pages to scam targets into downloading the stealer.
Agent Tesla — This is a .NET-based trojan that is often sold as MaaS and is used primarily for stealing user credentials.
RisePro — This infostealer uses several distribution methods to gain access to victims’ devices and collect sensitive data to send back to a central command-and-control (C2) server. It was initially observed in late 2022 but has shown a sharp increase in activity since the tail end of 2023 and into 2024.
RedLine Stealer — This infostealer abuses a wide range of applications and services to collect victim information such as passwords, cookies and credit card information. A new version has been observed this year, harnessing Lua bytecode capabilities.
Amadey — Amadey is another MaaS, like Lumma Stealer, observed being deployed via a fake CAPTCHA. The payload is a botnet that collects victim information and waits for commands from a C2 server to download additional payloads.
macOS Focused Cyberthreats
Go back a few years and users of Apple computers were boasting that their systems were much more secure than Windows environments. But that’s no longer the case. A growing number of organizations allow users to choose whether to work on a PC or a Mac, making devices running macOS a more frequent target for cyberattacks. Here are the top threats to look out for.
Cuckoo Stealer — Discovered and named by Kandji’s threat research team in April, Cuckoo Stealer is distributed as a malicious disk image (DMG) file that contains spyware and infostealer capabilities.
Atomic Stealer — Atomic Stealer (aka AMOS) remains prevalent since it was first seen in early 2023. The latest variants disguise themselves as various apps that are distributed via disk images. It targets and exfiltrates passwords, browser cookies, autofill data, crypto wallets and Mac keychain data.
PyPI Sliver — Researchers have discovered a malicious campaign that abuses the Python Package Index (PyPI). The malware is delivered as a PyPI package and uses steganography in a Portable Network Graphics (PNG) image file to install a Sliver C2 payload onto the target machine.
Linux Focused Cyberthreats
It’s unlikely that many of your employees are running Linux client systems. But your business is likely to have servers or network appliances that run the open-source operating system, such as network attached storage, routers or Internet of Things (IoT) devices. Here are some prevalent attacks against Linux systems encountered by our researchers:
XorDDos — The trojan XorDDos keeps coming back to haunt Linux systems. Using XOR encryption to conceal its communication and execution data, XorDDos infects Linux-based devices and orchestrates them into a botnet controlled from a C2 server.
Mirai — The venerable botnet Mirai, which was first seen back in August 2016, has now been detected utilizing an authentication bypass flaw to gain access to IoT endpoints, along with a command injection vulnerability to deliver and deploy the botnet and take over vulnerable devices.
Bashlite — Bashlite, also known as Gafgyt, is another Linux botnet like Mirai with a long history, which uses C2 servers to send instructions to be carried out by its infected devices. It has been documented targeting IoT devices such as routers, which it uses to coordinate large-scale denial-of-service (DoS) attacks against targets.
iOS Focused Cyberthreats
Thanks to their closed ecosystem, your employees’ iPhones may still face fewer threats than other devices. But these are not unheard of. One attack in particular has been recurring for a few years, although it only affects older devices.
LightSpy — Although this threat emerged in 2020 and has allegedly been patched, a new version has been detected this year. The latest version of this malware can install plugins that disrupt the operation of the iPhone. However, only iPhones using iOS versions up to 13.3 are affected, which means you’d need to be very lax about updates to be vulnerable.
A related threat against iOS devices is part of a bigger picture risk. See our blog, The Hidden Risks in Telecom Networks and How to Safeguard Your Organization, for more information.
Android Focused Cyberthreats
While iPhones experience a relatively small number of known cyberattacks, Android smartphones are a different matter. In October 2024, Google released a security update that implied up to 500 million handsets could be vulnerable. Here are the top threats to look out for:
SpyNote — This infostealer utilizes the Android Accessibility Service to capture user data and send it to its C2 server. In 2023, SpyNote was used to attack users of a Japanese utility company.
Vultur — Vultur has been distributed through trojan applications and “smishing” (SMS phishing) social engineering techniques, just as SpyNote was in Japan. In addition to stealing data, a threat actor can use Vultur to make changes to the file system, modify execution permissions, and control the infected device using Android Accessibility Services.
SoumniBot — SoumniBot steals banking keys and plunders victims’ bank accounts. The malware exploits a validation issue in the Android manifest and steals information that it uploads to a remote server.
Conclusion
These are just a few of the threats BlackBerry threat researchers observed across the main operating systems so far in 2024. For more actionable threat intelligence, including the full list of recent threats to each platform, read the latest edition of the BlackBerry Global Threat Intelligence Report, published each quarter.
Just as threat actors need the right tools to do their work, so do defenders. Whether it’s a white-glove approach to MDR (managed detection and response) or the top performing endpoint protection platform (EPP), reach out to see how BlackBerry can help you secure your organization.