J1 Rapid Response: macOS zero-day and watering-hole attack. Are you vulnerable? How to tell in minutes.

Zero-day vulnerabilities place the most stress on every security team, regardless of the size of the organization. Watering-hole attacks, in which an attacker compromises a website the targets are known to visit and serves a drive-by exploit from it, are another high-stress item that security teams are constantly on the lookout for. Combine the two and most security teams have a bad day, unless they have good visibility into their environment and can identify the vulnerable systems so the risk can be mitigated immediately.

Yesterday, November 15, 2021, saw the announcement of a coordinated campaign by nation-state actors to compromise machines using both a zero-day and a watering hole. It is also one more example of attacks against macOS, which are becoming more frequent. Users are always hesitant to update their OS, but how old is too old for an event like this? Which users are vulnerable? Those are the immediate questions security teams ask themselves, followed by "how do we update those systems, and how fast?" and "did any of them visit the compromised websites?".

JupiterOne isn't a silver-bullet solution, but it can help security teams answer some of those questions with relative ease and reduce the pressure they are under when these incidents occur. For example, if you are ingesting your endpoint metadata into JupiterOne, you can issue the following query to list the macOS hosts whose reported OS version is older than 10.16.0: FIND Host WITH platform="darwin" AND osVersion < "10.16.0"

NOTE: JupiterOne compares version numbers containing multiple dots lexically: it treats them as strings, character by character, and does not convert the components to numbers. In that ordering "100" sorts before "11", because the comparison stops at the second character ("0" is less than "1"). macOS has no version components in the hundreds, and every release from 10.10 through 10.15 has a two-digit minor version, so the query above returns the Catalina-and-earlier hosts it is meant to. The one gap is hosts still on 10.9 or earlier: "10.9.5" sorts after "10.16.0" lexically (because "9" is greater than "1"), so such hosts are not returned and should be checked for separately. In general, be wary of comparing version strings lexically in JupiterOne.
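To make the behaviour in the note concrete, here is an added example (not JupiterOne's own code) that runs the same "osVersion < 10.16.0" check two ways over a constructed host inventory: once with plain string comparison, which is how the note describes the J1QL "<" operator working on dotted versions, and once with a component-wise numeric comparison. The hostnames and version strings are made up for the example; the result shows which hosts the lexical comparison catches, and which one it misses.

```python
"""Added example (not JupiterOne's code): lexical versus numeric comparison
of dotted macOS version strings, run over a constructed host inventory.
The J1QL '<' behaviour on dotted versions is modelled as plain Python
string comparison, as the note above describes."""

THRESHOLD = "10.16.0"  # the cutoff used in the query above

# Constructed sample inventory: (hostname, osVersion as an endpoint agent might report it).
HOSTS = [
    ("mac-01", "10.15.7"),  # Catalina, two-digit minor version
    ("mac-02", "10.14.6"),  # Mojave
    ("mac-03", "10.9.5"),   # Mavericks, single-digit minor version
    ("mac-04", "11.6.1"),   # Big Sur
    ("mac-05", "12.0.1"),   # Monterey
]


def lexical_lt(a: str, b: str) -> bool:
    """Character-by-character string comparison, the behaviour the note describes."""
    return a < b


def version_key(v: str) -> tuple:
    """Split '10.15.7' into (10, 15, 7) so each component compares as an integer."""
    return tuple(int(part) for part in v.split("."))


def numeric_lt(a: str, b: str) -> bool:
    """Component-wise numeric comparison; a shorter prefix such as '10.16' sorts before '10.16.0'."""
    return version_key(a) < version_key(b)


def flag_hosts(hosts, threshold, less_than):
    """Return the hostnames whose osVersion is below threshold under the given comparison."""
    return [name for name, ver in hosts if less_than(ver, threshold)]


def compare_methods(hosts=HOSTS, threshold=THRESHOLD):
    """Run both comparisons and report where the lexical result diverges from the numeric one."""
    lexical = flag_hosts(hosts, threshold, lexical_lt)
    numeric = flag_hosts(hosts, threshold, numeric_lt)
    return {
        "lexical": lexical,
        "numeric": numeric,
        # hosts that really are below the cutoff but the string comparison skips
        "missed_by_lexical": [h for h in numeric if h not in lexical],
        # hosts the string comparison flags that are actually at or above the cutoff
        "false_positives": [h for h in lexical if h not in numeric],
    }


if __name__ == "__main__":
    for key, names in compare_methods().items():
        print(f"{key:>18}: {names}")
```

With this inventory the lexical check returns mac-01 and mac-02 and silently skips mac-03 (10.9.5), exactly the gap described in the note, while producing no false positives. In a real response, follow the J1 query with a second check for any host whose osVersion has a single-digit minor version, or export the osVersion values and compare them numerically outside JupiterOne as above.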

Instead of the team spending hours gathering this information before any action plan can begin, it takes minutes to gain real situational awareness. From there the organization can plan to get those endpoints updated and focus its forensic data gathering on them (browser history, DNS and proxy logs) to determine whether any of them visited the compromised websites.

JupiterOne Rapid Response Query for the win!

This J1 Query can be run immediately within your existing J1 account. If you don’t have an account yet, sign up for the free lifetime license and see where you stand against the watering-hole attack.

Kenneth Kaye

Kenneth is a graduate of West Point with a degree in Computer Science and a passion for making things easier using technology. In the Army he learned to manage telecommunications and encryption systems, to perform full-spectrum penetration tests, and to lead teams before he joined the private sector. Since then Kenneth has fed his insatiable curiosity by actively taking on new roles whenever possible, continuing his quest to specialize in being a generalist.
