Fight Fileless Malware on All Fronts


Take a unified approach: patch and protect all elements of your ecosystem to prevent new attacks.

The Ponemon Institute estimates that more than half of all attacks against businesses in 2017 were fileless. Cyber criminals continue to find new, creative ways to disrupt organizations, and a new favorite that gained traction last year is fileless malware. No doubt, 2018 statistics, when compiled, will indicate fileless malware is among the prevalent attacks as cyber attackers exploit capabilities in Microsoft’s Power Shell, Windows Management Instrumentation (WMI) and MacOS Shell.

Cyber Criminals Love Fileless

The recent trend of fileless malware is part of a larger cybercrime story, that of attackers using a variety of scripts to introduce malware or command and control capabilities into an enterprise. PowerShell, for example, is mainly used to automate administration tasks, including managing configurations of systems and servers. It has been exploited by scripting malware families like W97/Downloader, Kovter fileless malware, Nemucod and other JavaScript downloaders.

One of the latest examples of fileless malware and script attacks was the heist of close to $1 million from a Russian bank. The cyber criminal group, known as MoneyTaker, is believed to have conducted more than 20 successful attacks on financial institutions and legal firms in Russia, the UK and the U.S. Researchers estimate a total figure of $14 million, from 16 U.S. targets, five Russian banks and one hack of a UK banking-software firm. As reported, the group used widely available tools including PowerShell, Visual Basic and the Metasploit exploit framework, plus their own custom-made fileless malware, to hack into these networks.

Why Fileless Works so Well

Fileless malware has become the darling of cyber criminals because, quite simply, it’s a no-brainer. Rather than wait for some human to open a phishing email or inadequately encrypted application, fileless malware works on what is already in your network, i.e., the day-to-day scripts enterprises use, like PowerShell, VBScript or JavaScript. It is easier to conduct an exploit and harder to detect. The malware can be executed entirely from the command line and with capabilities such as executing commands written in base 64 encoding, it may be very difficult to see the malware running. Fileless malware typically does not require downloading additional malicious files – the hacker simply executes a command with arguments on the command line. These commands however, are capable of stealing data and credentials, spying on IT environments, and leaving back doors open to further exploits. Another tactic is to exploit in-memory access and running applications, such as web browsers and Office applications to conduct malicious behavior.

A fileless infection could be malicious code or data that exists only in memory. It isn’t installed to the target computer’s hard drive. Written directly to RAM, the code is injected into a running process where it can be used for the exploit. And, since it doesn’t exist as a true file, it can often go undetected by antivirus software and intrusion prevention systems. This “zero footprint” intrusion leverages legitimate programs and data to perform desired tasks, while remaining nearly undetectable using traditional detection methods. The infection can remain live until the system is rebooted and the fileless malware is purged from the infected system’s memory, enabling attackers to steal data or download more persistent malware to use in future attacks.

Fighting Back against Fileless

Fileless malware is particularly insidious since traditional antivirus solutions simply aren’t enough of a defense. It has prompted security teams to take a multi-faceted approach to detecting threats and preventing new attacks. ‘Threat hunting’ includes actions such as log analysis of all network devices to detect threat activity like unusual domain name system (DNS) requests or suspicious registry of system file changes; establishing a baseline of approved network traffic; examining behavioral attributes of network users, and understanding baseline endpoint activity of applications and users to detect suspicious activity.

How can fileless malware be avoided? Really, the short answer is, in light of the increasing popularity of these attacks, you need to do it all – to take a unified approach, looking across your enterprise and executing threat-prevention practices wherever possible.

Here are recommended practices for a unified IT approach to fighting back against fileless malware:

  1. Patch Management is critical to preventing attacks of all kind. Make sure your endpoints and servers are contained in the patch cycle to optimize threat protection. And make those Microsoft patches in a timely fashion! For example, the Microsoft August patch list contained two zero-day vulnerabilities:  CVE-2018-8373 [Internet Explorer] and CVE-2018-8414 [Windows Shell]. Given there are known exploits, you should give these fixes top priority.
  2. Advanced Application Control prevents malicious software as well as scripts from executing. By restricting unnecessary scripting languages, you can limit the frameworks that can be used to secretly execute commands on the host system.
  3. Disable Macros and apply memory protection techniques. If you can’t disable macros, consider applying technology to digitally sign macros that are authorized for use by the organization.
  4. Most Advanced Antivirus Technology gives you the most powerful means of addressing the threat at the kernel level.
  5. Privilege Management is essential to limiting threats by giving users the exact level of rights they need to get their job done, and nothing beyond that. Following strict privilege practices helps ensure user credentials – if compromised – don’t allow cyber criminals access to OS tools that will introduce a fileless infection.
  6. Isolation Policies are also effective against fileless attacks. They can limit the reach of any fileless malware intrusion.
  7. Insight Tools can afford a better view into your most vulnerable systems, using techniques such as Web Application Firewalls (WAFs) to protect potentially exposed systems.
  8. Enforce Policies on removable devices. Locking down user devices, such as flash drives, can further prevent fileless malware exposure.

What’s Next?

“The time it takes cybercriminals to compromise a system is often just a matter of minutes—or even seconds. They don’t need much time to extract valuable data—they usually have much more than they need as it typically takes organizations weeks or months to discover a breach.” A cautionary note from Verizon’s 2018 Data Breach Investigations Report. Verizon reported that 68% of the breaches took months or longer to discover, and to add to the deficit, many breaches are discovered by customers, damaging a company’s brand reputation.

The MoneyTaker group was reported to have spent months investigating a target’s network, in order to elevate system privileges to those of a domain administrator, then to remain active inside the network following the heist.

The message here is: taking a unified approach – enforcing every possible security policy to prevent these attacks and exercising constant vigilance - is the only way to fight back against fileless malware!

About the author: Phil Richards is the Chief Information Security Officer (CISO) for Ivanti. Prior to Ivanti he has held other senior security positions including the Director of Operational Security for Varian Medical Systems, Chief Security Officer for Fundtech Corporation and Business Security Director for Fidelity Investments.

Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "https://ift.tt/2yVxDvn"

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more