5 Reasons Why You Need to Validate Security of Linux and macOS Endpoints

By Huseyin Can YUCEEL • January 02, 2023


The Red Report 2023

The Top 10 MITRE ATT&CK Techniques Used by Adversaries


When we think of an endpoint, it is common to picture a device running a Windows operating system. However, individuals and organizations around the world regularly interact with Unix-based systems, such as MacBooks, AWS cloud servers, and Ubuntu, Debian, CentOS, RHEL, and OpenSUSE servers, among many others. After Windows, the most widely used operating systems are Linux- and macOS-based ones, and they run on millions of endpoints in organizations. Given the prevalence of Linux and macOS on endpoints, these systems have become prime targets for cyber threat actors and a significant part of an organization's attack surface. In this blog post, we discuss the importance of validating the security posture of Linux- and macOS-based endpoints in an organization.


Why Do We Need to Simulate Endpoint Attacks for Linux and macOS Systems?

As technology continues to advance and become more prevalent in organizations, it is essential to ensure that all systems and devices are properly secured. Here are five key reasons why organizations need to extend security validation to Linux and macOS based endpoints in addition to Windows endpoints:

1. Linux and macOS Based Endpoints Are Everywhere

Organizations rely heavily on Linux and macOS operating systems in their endpoints. According to statistics, 96.3% of the top 1 million web servers use Linux, while 15.6% of desktop computers use macOS operating systems [1][2]. With the rise of cloud computing, more and more organizations are using Linux-based systems to host their applications and data.  Cloud infrastructures are largely populated with Linux machines, with the majority of instances in leading cloud service providers (such as AWS, Azure, Alibaba, and Google) running on Linux. IDC reports that Linux has established itself as a preferred delivery vehicle for modern enterprise applications [3].

The State of Developer Ecosystem report shows that 44% of software developers have been using macOS for software development for the past five years [4]. Considering its user profile and widespread use, macOS endpoints are a vital part of many businesses and are highly attractive targets for cyber threat actors.

As we can see, there are millions of endpoint devices that use Linux and macOS, and they constitute a significant part of an organization's attack surface that must be protected against adversaries.

2. 46% of Malware Attacks Target Linux and macOS Endpoints

Linux and macOS endpoints make up a significant part of an organization's attack surface. As organizations become increasingly reliant on these endpoints, adversaries are targeting them in addition to Windows endpoints, and the amount of malware targeting Linux and macOS has increased significantly.

According to Trend Micro, 65% of malware families exist on and run on Linux operating systems [5]. Some notable examples include cryptominers, webshells, ransomware, and trojans. For instance, the infamous DarkSide ransomware has both Windows and Linux variants. The Linux variant of DarkSide ransomware targets ESXi servers, as it has broad access to the infrastructure and the compromise of ESXi servers could be devastating.


Figure 1: Malware Infections by Endpoint OS (2022) [6]

Despite being perceived as secure from malware, macOS endpoints accounted for 6% of malware infections in 2022. The top three malware families affecting macOS devices in 2022 were the XCSSET data stealer, the Adload trojan, and the Aobo keylogger. In addition to these, adversaries also abused MacKeeper, a popular utility tool, because of the extensive permissions it holds on the systems it is installed on [6].

These statistics demonstrate that a significant portion of malware attacks target Linux and macOS endpoints, posing a threat to an organization's security and daily operations.

3. Compliance Standards Require Testing Linux and macOS Systems

In addition to the potential consequences of a compromise, it is also important for organizations to consider their compliance requirements. Many compliance standards, such as PCI DSS and HIPAA, require organizations to ensure that all systems, including Linux and macOS based systems, are properly secured. Failing to meet these requirements could result in fines and damage to the organization's reputation. Ensuring that all systems, including Linux and macOS based systems, are properly secured can help organizations meet these compliance requirements and avoid any potential penalties.

4. Cyber Threats Targeting Linux and macOS Systems Are Wildly Different

The cybersecurity community uses the MITRE ATT&CK framework as a common language to describe adversary tactics, techniques, and procedures (TTPs). The ATT&CK framework includes techniques that affect all three major operating systems. 

Table 1: Distribution of ATT&CK (v12) techniques for OSs (columns by Operating System; the per-OS technique counts are not reproduced in this text)

However, some techniques either exclusively impact only one operating system or are implemented differently for different operating systems. For example, since operating systems use different mechanisms to store credentials, adversaries implement different procedures to steal stored credentials for different operating systems. 
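The per-OS breakdown in Table 1 and the platform-exclusive techniques mentioned above can be computed directly from the ATT&CK knowledge base, which MITRE publishes as STIX JSON in which every technique is an attack-pattern object carrying an x_mitre_platforms list. The script below is an added example, not code from the original post or from MITRE; the bundle it parses is a constructed subset with the same field names, so the counts it produces are for the sample only, and the revoked placeholder id T0000 is not a real technique.

```python
"""Count ATT&CK techniques per OS platform from a STIX bundle (added example).

The bundle below is constructed for illustration and uses the field names the
real ATT&CK STIX data uses: 'attack-pattern' objects with 'x_mitre_platforms'
and an external reference whose source_name is 'mitre-attack'. Running the same
functions over the real enterprise-attack.json reproduces a table like Table 1.
"""
import json
from collections import Counter

OS_PLATFORMS = ("Windows", "Linux", "macOS")  # the three OSs the post compares

# Constructed sample bundle; technique ids and platforms are illustrative.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--sample",
    "objects": [
        {"type": "attack-pattern", "name": "OS Credential Dumping",
         "x_mitre_platforms": ["Windows", "Linux", "macOS"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}]},
        {"type": "attack-pattern", "name": "LSASS Memory",
         "x_mitre_platforms": ["Windows"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003.001"}]},
        {"type": "attack-pattern", "name": "Cron",
         "x_mitre_platforms": ["Linux", "macOS"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1053.003"}]},
        {"type": "attack-pattern", "name": "Kernel Modules and Extensions",
         "x_mitre_platforms": ["Linux", "macOS"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1547.006"}]},
        {"type": "attack-pattern", "name": "Launch Agent",
         "x_mitre_platforms": ["macOS"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1543.001"}]},
        {"type": "attack-pattern", "name": "Plist File Modification",
         "x_mitre_platforms": ["macOS"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1647"}]},
        {"type": "attack-pattern", "name": "Dynamic Linker Hijacking",
         "x_mitre_platforms": ["Linux", "macOS"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1574.006"}]},
        # Revoked and deprecated objects stay in the bundle; a correct count skips them.
        # T0000 is a placeholder id, not a real technique.
        {"type": "attack-pattern", "name": "Old Technique (revoked)", "revoked": True,
         "x_mitre_platforms": ["Windows"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
        # Other STIX object types (groups, software) are not techniques.
        {"type": "intrusion-set", "name": "Sample Group"},
    ],
})


def load_techniques(bundle_json):
    """Return [{'id', 'name', 'platforms'}] for live attack-pattern objects."""
    techniques = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ext_id = next((r["external_id"] for r in obj.get("external_references", [])
                       if r.get("source_name") == "mitre-attack"), None)
        if ext_id is None:
            continue
        techniques.append({"id": ext_id, "name": obj["name"],
                           "platforms": set(obj.get("x_mitre_platforms", []))})
    return techniques


def platform_distribution(techniques):
    """Number of techniques applicable to each OS (a technique counts once per OS)."""
    counts = Counter()
    for t in techniques:
        for p in OS_PLATFORMS:
            if p in t["platforms"]:
                counts[p] += 1
    return {p: counts[p] for p in OS_PLATFORMS}


def exclusive_to(techniques, platform):
    """Ids of techniques that, among the three OSs, apply only to `platform`."""
    return sorted(t["id"] for t in techniques
                  if t["platforms"] & set(OS_PLATFORMS) == {platform})


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_BUNDLE)
    print("Technique count per OS:", platform_distribution(techs))
    for p in OS_PLATFORMS:
        print(f"Only {p}:", exclusive_to(techs, p))
```

A technique that lists several platforms is counted once for each of them, which is why the per-OS figures add up to more than the number of techniques; the exclusive_to helper isolates the techniques a Windows-only validation programme would never exercise.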

python overlay_generator.py /mach_kernel ./overlays/13C64x64.overlay 64
sudo ./osxpmem -f mach ~/Desktop/out.dump
python flatten.py ~/Desktop/out.dump ~/Desktop/out.dump.flat
python vol.py -i ~/Desktop/out.dump.flat -o keychaindump
python chainbreaker.py -i ~/Library/Keychains/login.keychain -k 000000000000000000000000000000000000000000000000

Example 1: T1003 OS Credential Dumping in macOS X 10.9.2 [7]

procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
pypykatz lsa minidump /home/kali/Downloads/lsass.dmp

Example 2: T1003 OS Credential Dumping in Windows 7 [8]

Since there are hundreds of different techniques and procedures for each operating system, organizations must use different tools and procedures to recreate adversaries’ actions to fully validate their Linux and macOS endpoints. 


5. Organizations Need Comprehensive Security Strategies

When an organization only focuses on securing its Windows-based endpoints, it leaves itself vulnerable to potential breaches on other systems and devices. By extending security validation to all endpoints, including Linux and macOS based systems, an organization can have a more comprehensive and effective security strategy in place. This can help to ensure that all systems and devices are properly protected and reduce the risk of a potential breach. When an organization can demonstrate that it is taking the necessary steps to secure all of its systems and devices, and validate the security of all systems, it can build trust and confidence in its operations.


While many organizations focus on securing their Windows-based endpoints, it is equally important to also ensure that Linux and macOS based endpoints are properly secured as well. Linux and macOS endpoints are an indispensable part of the technology ecosystem and are essential for organizations to create their products, serve their customers, and conduct their daily operations. They often hold sensitive information and perform important tasks.

Since Linux and macOS endpoints make up a significant part of an organization's attack surface, they have become attractive targets for cyber threat actors.  If these systems were to be compromised, it could have serious consequences for the organization. Moreover, adversaries use different malware and TTPs to attack Linux and macOS endpoints. 

In conclusion, organizations must not only extend their security validation to Linux and macOS systems but also design new assessment strategies specifically for them. By properly securing all systems, organizations can mitigate the risk of cyber threats and ensure the continued security and stability of their operations.


[1] S. Vaughan-Nichols, “Can the Internet exist without Linux?,” ZDNET, Oct. 15, 2015. [Online]. Available: https://www.zdnet.com/home-and-office/networking/can-the-internet-exist-without-linux/. [Accessed: Dec. 21, 2022]

[2] “Desktop Operating System Market Share Worldwide,” StatCounter Global Stats. [Online]. Available: https://gs.statcounter.com/os-market-share/desktop/worldwide. [Accessed: Dec. 21, 2022]

[3] “[No title].” [Online]. Available: https://evessio.s3.amazonaws.com/customer/8c4659ee-526a-4e9c-89dc-f6f4c3c1a789/event/f3440488-719b-47e6-a453-547d6170f4ad/media/General_Content/cfb7585a-node_Ian_Pattison.pdf. [Accessed: Dec. 21, 2022]

[4] “The State of Developer Ecosystem in 2021 Infographic,” JetBrains: Developer Tools for Professionals and Teams. [Online]. Available: https://www.jetbrains.com/lp/devecosystem-2021. [Accessed: Dec. 21, 2022]

[5] “Linux Threat Report H1’ 2021: Key Security Takeaways,” Trend Micro, Aug. 23, 2021. [Online]. Available: https://www.trendmicro.com/en_us/research/21/h/linux-threat-report-hi-2021-key-security-takeaways.html. [Accessed: Dec. 21, 2022]

[6] “2022 Global Threat Report.” [Online]. Available: https://www.elastic.co/explore/security-without-limits/global-threat-report. [Accessed: Dec. 21, 2022]

[7] “Mac OS X Live Forensics 103 (Memory Analysis on OS X 10.9.2).” [Online]. Available: http://lockboxx.blogspot.com/2014/05/mac-os-x-live-forensics-103-memory.html. [Accessed: Dec. 21, 2022]

[8] P. Tavares, “Red Teaming: Credential dumping techniques,” Infosec Resources, Feb. 08, 2022. [Online]. Available: https://resources.infosecinstitute.com/topic/red-teaming-credential-dumping-techniques/. [Accessed: Dec. 21, 2022]