DDoS-for-hire services, also known as DDoS booters, or DDoS stressors, are abusing macOS systems to launch DDoS attacks, ZDNet has learned.
These attacks are leveraging macOS systems where the Apple Remote Desktop feature has been enabled, and the computer is accessible from the internet, without being located inside a local network, or protected by a firewall.
More specifically, the attackers are leveraging the Apple Remote Management Service (ARMS) that is a part of the Apple Remote Desktop (ARD) feature.
When users enable the Remote Desktop capability on their macOS systems, the ARMS service starts on port 3283 and listens for incoming commands meant for the remote Mac.
Huge “amplification factor”
But sometime this year, cyber-criminals have realized that they can abuse the ARMS service as part of a so-called “DDoS amplification attack.”
DDoS amplification attacks are one of the many forms of DDoS attacks. It’s when attackers bounce traffic off an intermediary point and relay it towards a victim’s server.
In this case, that intermediary point is a macOS system with Remote Desktop enabled.
Protocols like DNS, NTP, CharGEN, Memcached, NetBIOS, CLDAP, and LDAP are often abused as part of DDoS amplification attacks. CoAP and WS-Discovery are just the latest protocols to have joined this list. Most of these protocols are UDP-based, where UDP is a type of network packet used as the base for the other, more complex protocols. ARMS is also a UDP-based protocol.
The danger level for any of the above protocol is what security researchers call the “amplification factor,” which describes the ratio between a packet before and after it bounces off towards its target.
Most DDoS amplification attacks observed in the wild have an amplification factor of between 5 and 10. The higher the protocol, the more useful it is for attackers.
According to security researchers from Netscout, who saw the first ARMS-based DDoS attacks in June, ARMS commands an impressive 35.5 amplification factor.
Furthermore, while there’ve been other protocols with big amplification factors in the past, most of them are oddities and rarely used protocols, making them unusable for attackers.
Most of today’s DDoS amplification attacks rely on DNS and NTP, which even if they have a small amplification factor, there’s plenty of servers to go around that attackers can use to amplify their bad traffic.
Up to 40,000 macOS expose ARD/ARMS ports
However, ARMS is different, in the sense that this is the worst-case scenario, where we have a big amplification factor protocol that’s available on a large number of hosts that attackers can abuse.
A search with the BinaryEdge IoT search engine shows nearly 40,000 macOS systems where the Remote Desktop feature is enabled, and the systems reachable via the internet.
Some attacks peaked at 70 Gbps
It is unclear who discovered that the ARMS service could be abused for DDoS amplification attacks, but attacks have already happened in the real world.
Netscout spotted the first one in the second week of June. The company said the attack peaked at 70 Gbps, which is a pretty large attack.
Other attacks followed, as observed by the Keyo University Shonan Fujisawa Campus in Japan, and by Italian systems administrator Marco Padovan.
But while initial attacks were sparse, they’re now starting to pick up, according to a source in the DDoS community. The main reason is that some DDoS booters have added support for launching attacks via this protocol, this source told ZDNet.
This means that macOS systems across the globe are now being used as bouncing points for DDoS attacks.
These systems should not be reachable via the internet
According to an analysis of the BinaryEdge search results, the vast majority of these systems are on university and enterprise networks, where system administrators use the Apple Remote Desktop feature to manage large fleets of macOS systems, at a time.
These systems should not be available online, and if they need to be, then access should be restricted using Virtual Private Networks or IP whitelists.
The Apple Remote Desktop feature is the direct equivalent of Microsoft’s Remote Desktop Protocol (RDP).
In the past, hackers have brute-forced RDP endpoints to gain access to corporate networks, from where they stole proprietary information, or have installed ransomware. Similar to how crooks target companies with RDP systems exposed online, they can do the same for Mac systems with ARD.
Admins of macOS fleets should probably secure ARD endpoints to prevent these types of attacks first, and DDoS nuisance second.