Installing malware through Remote Desktop Protocol (RDP) is a popular attack method among cyber-criminals. Over the past few months, Panda Security's research facility, PandaLabs, has analysed several attacks of this nature.
Once credentials have been obtained through a brute-force attack on the RDP service, the cyber-criminals have access to the company's network. From there the attackers simply execute the corresponding malware, and the encryption starts automatically.
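To give the attack chain above a concrete detection, here is an added example (not PandaLabs' code) in Python that runs over a constructed sample of Windows Security log events and flags a burst of failed logons from one source address followed by a successful remote-interactive logon from the same address. The threshold, the time window and the field names are assumptions; map them to whatever your log pipeline emits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (not real log data).
# Event ID 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP). Type 3 = Network, which is how
# failed RDP attempts usually appear when Network Level Authentication is on.
SAMPLE_EVENTS = [
    {"time": "2016-11-02T03:14:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2016-11-02T03:14:09", "event_id": 4625, "logon_type": 3,  "user": "admin",         "src_ip": "198.51.100.23"},
    {"time": "2016-11-02T03:12:40", "event_id": 4624, "logon_type": 10, "user": "jsmith",        "src_ip": "10.0.0.5"},
    {"time": "2016-11-02T03:14:17", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "198.51.100.23"},
    {"time": "2016-11-02T03:14:25", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "198.51.100.23"},
    {"time": "2016-11-02T03:13:55", "event_id": 4625, "logon_type": 10, "user": "jsmith",        "src_ip": "203.0.113.9"},
    {"time": "2016-11-02T03:14:33", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "198.51.100.23"},
    {"time": "2016-11-02T03:14:41", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "198.51.100.23"},
    {"time": "2016-11-02T03:15:02", "event_id": 4624, "logon_type": 10, "user": "backup",        "src_ip": "198.51.100.23"},
    {"time": "2016-11-02T03:16:10", "event_id": 4625, "logon_type": 10, "user": "jsmith",        "src_ip": "203.0.113.9"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10),
                          failure_logon_types=(3, 10)):
    """Return alerts for RDP brute-force bursts and for successes that follow one.

    threshold / window are assumed tuning values: `threshold` failures from the
    same source IP inside `window` raise an 'rdp_bruteforce' alert; a later
    logon-type-10 success from that IP while the failures are still inside the
    window raises 'rdp_bruteforce_success', which is the case to act on first.
    """
    recent_failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):   # logs are rarely delivered in order
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["src_ip"]
        q = recent_failures[ip]
        while q and ts - q[0] > window:                   # drop failures older than the window
            q.popleft()
        if ev["event_id"] == 4625 and ev["logon_type"] in failure_logon_types:
            q.append(ts)
            if len(q) == threshold:                       # fire once per burst, not on every attempt
                alerts.append({"type": "rdp_bruteforce", "src_ip": ip,
                               "failures": len(q), "time": ev["time"]})
        elif ev["event_id"] == 4624 and ev["logon_type"] == 10 and len(q) >= threshold:
            alerts.append({"type": "rdp_bruteforce_success", "src_ip": ip,
                           "user": ev["user"], "failures": len(q), "time": ev["time"]})
            q.clear()                                     # the burst has been reported; start over
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The two source addresses behave differently on purpose: 203.0.113.9 only produces two failures and never crosses the threshold, while 198.51.100.23 produces six and then logs in as "backup", which is the sequence the text describes. In production, feed the detector from the Security channel in time order and also alert on the 4624 alone when it comes from an address that has no business reaching RDP at all.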
Hackers are constantly looking for new ways to bypass security controls, sometimes turning to older, almost forgotten methods to gain access to valuable data. Researchers at PandaLabs, Panda Security's anti-malware research facility, recently detected a targeted attack that used no malware at all, relying instead on scripts and other tools that ship with the operating system itself in order to evade scanners.
2016 kicked off with more than 20 million new samples of malware detected and neutralised by PandaLabs – an average of 227,000 per day. This figure is slightly higher than that of 2015, which saw around 225,000 per day.
Throughout 2016 we have seen the number of new malware samples come in slightly lower than in 2015, at about 200,000 new samples per day on average, but attacks have become more effective.
The original hole was found using binaries of applications that Apple's developers had already verified, so that they pass through Gatekeeper. Gatekeeper was designed to check every application a user downloads for a valid Developer ID signature; if that signature is present, the application is allowed to run. Researchers showed that this is exactly where the problem lies: malware can be shipped together with an Apple-trusted file and activated once that trusted application runs.
Shortly after these gaps in Apple's security features were exposed, Apple released patches to prevent further abuse. According to experts in the field, however, the same vulnerabilities remain and can be exploited today just as easily, and in the same fashion, as they were back in September. The reason is that Apple merely blocked the specific files that were reported and did not change Gatekeeper's verification process. Attackers would simply need to find a new trusted file that has not been blocked by the update; that trusted file can then be abused to bypass Gatekeeper. Once past the check, the trusted file executes the malicious files, which in turn install programs not trusted by Apple.
The experts suggest that for Gatekeeper to be secure it must be triggered whenever a new process is started, requiring each process to be signed by an Apple-trusted developer.
Apple has yet to implement such changes. With OS X's growing popularity making it an ever more attractive target for malware authors, it may be time for Apple users to consider additional protection for their devices and personal data.
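Until the system does that check for every process, the practical control is to look at everything a download brings along with the trusted application, not just the application that Gatekeeper assesses. As an added example (not code from Panda Security or from the researchers), here is a small Python scanner that walks the contents of a downloaded disk image or app bundle, parses each Mach-O file's load commands and reports any file that carries no embedded code signature (no LC_CODE_SIGNATURE load command), which is exactly the kind of companion file a signed application could be tricked into executing. The sample download it builds is constructed here for the demonstration, and its file and directory names are assumptions.

```python
import os
import struct
import tempfile

MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE     # universal ("fat") binary; its header is always big-endian
LC_CODE_SIGNATURE = 0x1D   # load command pointing at the embedded signature blob


def _thin_has_signature(data, offset=0):
    """True/False if a single-architecture Mach-O image at `offset` has LC_CODE_SIGNATURE, None if not Mach-O."""
    if offset + 28 > len(data):
        return None
    for endian in ("<", ">"):                      # the magic tells us the image's byte order
        magic = struct.unpack_from(endian + "I", data, offset)[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        return None
    header_len = 32 if magic == MH_MAGIC_64 else 28   # the 64-bit header has a trailing reserved field
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, offset + 16)
    pos, end = offset + header_len, offset + header_len + sizeofcmds
    for _ in range(ncmds):
        if pos + 8 > min(end, len(data)):         # truncated command table
            break
        cmd, cmdsize = struct.unpack_from(endian + "II", data, pos)
        if cmd == LC_CODE_SIGNATURE:
            return True
        if cmdsize < 8:                            # malformed size; stop rather than loop forever
            break
        pos += cmdsize
    return False


def macho_signature_status(data):
    """None if not Mach-O; True only if every architecture slice carries an embedded signature."""
    if len(data) < 8:
        return None
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        statuses = []
        for i in range(nfat):
            entry = 8 + 20 * i                     # fat_arch: cputype, cpusubtype, offset, size, align
            if entry + 20 > len(data):
                return None                        # truncated, or not a fat Mach-O at all (Java .class shares the magic)
            _, _, off, _, _ = struct.unpack_from(">IIIII", data, entry)
            statuses.append(_thin_has_signature(data, off))
        if not statuses or None in statuses:
            return None
        return all(statuses)
    return _thin_has_signature(data, 0)


def find_unsigned_executables(root):
    """Walk a downloaded bundle or mounted DMG and list Mach-O files that have no embedded signature."""
    unsigned = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if macho_signature_status(fh.read()) is False:
                    unsigned.append(os.path.relpath(path, root))
    return sorted(unsigned)


def build_macho(signed, bits=64):
    """Constructed minimal Mach-O header plus load commands for the demo (not a runnable image)."""
    cmds = struct.pack("<II", 0x1B, 24) + b"\x00" * 16                  # LC_UUID with a zero UUID
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)       # dataoff/datasize left zero
    ncmds = 2 if signed else 1
    if bits == 64:
        return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, ncmds, len(cmds), 0, 0) + cmds
    return struct.pack("<IiiIIII", MH_MAGIC, 7, 3, 2, ncmds, len(cmds), 0) + cmds


def build_fat(slices):
    """Constructed universal binary wrapping the given thin images."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    archs, body, base = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        archs += struct.pack(">IIIII", 0x01000007, 3, base + len(body), len(s), 0)
        body += s
    return header + archs + body


def build_sample_download():
    """Lay out a constructed download: a signed app next to an unsigned helper library (names assumed)."""
    root = tempfile.mkdtemp(prefix="gatekeeper-demo-")
    macos_dir = os.path.join(root, "Trusted.app", "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(macos_dir, "Trusted"), "wb") as fh:
        fh.write(build_fat([build_macho(True), build_macho(True, bits=32)]))
    with open(os.path.join(root, "helper.dylib"), "wb") as fh:
        fh.write(build_macho(False))
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("not a binary\n")
    return root


if __name__ == "__main__":
    print("unsigned Mach-O files:", find_unsigned_executables(build_sample_download()))
```

The presence of LC_CODE_SIGNATURE only shows that a signature blob exists, not that it is valid, unbroken or issued to a Developer ID; on a Mac, follow up on every file the scanner does not flag with `codesign --verify --deep` and `spctl --assess` before letting the download run. The point of the scan is the inverse: a file with no signature at all sitting next to a trusted application is the ingredient the bypass needs, and Gatekeeper alone will not tell you it is there.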