Take a unified approach: patch and protect all elements of your ecosystem to prevent new attacks.
The Ponemon Institute estimates that more than half of all attacks against businesses in 2017 were fileless. Cyber criminals continue to find new, creative ways to disrupt organizations, and a new favorite that gained traction last year is fileless malware. No doubt, 2018 statistics, when compiled, will show fileless malware among the prevalent attacks as cyber attackers exploit capabilities in Microsoft’s PowerShell, Windows Management Instrumentation (WMI) and the macOS shell.
Cyber Criminals Love Fileless
One of the latest examples of fileless malware and script attacks was the heist of close to $1 million from a Russian bank. The cyber criminal group, known as MoneyTaker, is believed to have conducted more than 20 successful attacks on financial institutions and legal firms in Russia, the UK and the U.S. Researchers estimate a total figure of $14 million, from 16 U.S. targets, five Russian banks and one hack of a UK banking-software firm. As reported, the group used widely available tools including PowerShell, Visual Basic and the Metasploit exploit framework, plus their own custom-made fileless malware, to hack into these networks.
Why Fileless Works so Well
A fileless infection could be malicious code or data that exists only in memory. It isn’t installed to the target computer’s hard drive. Written directly to RAM, the code is injected into a running process where it can be used for the exploit. And, since it doesn’t exist as a true file, it can often go undetected by antivirus software and intrusion prevention systems. This “zero footprint” intrusion leverages legitimate programs and data to perform desired tasks, while remaining nearly undetectable using traditional detection methods. The infection can remain live until the system is rebooted and the fileless malware is purged from the infected system’s memory, enabling attackers to steal data or download more persistent malware to use in future attacks.
Fighting Back against Fileless
Fileless malware is particularly insidious because traditional antivirus solutions simply aren’t enough of a defense. It has prompted security teams to take a multi-faceted approach to detecting threats and preventing new attacks. ‘Threat hunting’ includes actions such as log analysis of all network devices to detect threat activity like unusual domain name system (DNS) requests or suspicious registry or system file changes; establishing a baseline of approved network traffic; examining behavioral attributes of network users; and understanding baseline endpoint activity of applications and users to detect suspicious activity.
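As an added illustration of the log-analysis side of threat hunting described above (example code written for this topic, not from the original article or from Ivanti), the following Python flags process-creation records that carry common fileless indicators: encoded or hidden PowerShell invocations, profile bypass, in-memory download-and-execute cradles, and shells spawned by Office or WMI host processes. The record format, field names and sample events are constructed assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass

# Hypothetical minimal process-creation record (fields modelled on typical EDR telemetry).
@dataclass
class ProcessEvent:
    host: str
    parent: str   # parent process image name, lower-case
    image: str    # spawned process image name, lower-case
    cmdline: str  # full command line as logged

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wmiprvse.exe", "mshta.exe"}

# Each rule: (reason, regex applied to the lower-cased command line).
CMDLINE_RULES = [
    ("encoded command", re.compile(r"-e(c|nc|ncodedcommand)?\b")),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden")),
    ("profile bypass", re.compile(r"-nop\b|-noprofile\b")),
    ("in-memory download/execute cradle", re.compile(r"invoke-expression|\biex\b|downloadstring|downloadfile")),
]

def score_event(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like script/fileless abuse (empty list = nothing flagged)."""
    reasons = []
    cmd = ev.cmdline.lower()
    for reason, rx in CMDLINE_RULES:
        if rx.search(cmd):
            reasons.append(reason)
    # A shell launched by an Office application or the WMI provider host is a classic fileless chain.
    if ev.image in SHELLS and ev.parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{ev.parent} spawned {ev.image}")
    return reasons

def hunt(events):
    """Return (host, reasons) for every event with at least one indicator, in log order."""
    return [(ev.host, score_event(ev)) for ev in events if score_event(ev)]

# Constructed sample telemetry; the encoded payload is deliberately omitted.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "explorer.exe", "powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcessEvent("ws02", "winword.exe", "powershell.exe", "powershell.exe -nop -w hidden -EncodedCommand <base64 omitted>"),
    ProcessEvent("srv01", "wmiprvse.exe", "powershell.exe", "powershell.exe -NoProfile -Command Invoke-Expression (...)"),
    ProcessEvent("ws03", "cmd.exe", "notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

In a real deployment the same rules would be run against script block logging (PowerShell event 4104) and process-creation events, with the baseline of approved activity the article mentions used to suppress known-good administrative scripts such as the ws01 record.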
How can fileless malware be avoided? The short answer is that, given the increasing popularity of these attacks, you need to do it all: take a unified approach, looking across your enterprise and executing threat-prevention practices wherever possible.
Here are recommended practices for a unified IT approach to fighting back against fileless malware:
- Patch Management is critical to preventing attacks of all kinds. Make sure your endpoints and servers are included in the patch cycle to optimize threat protection. And apply those Microsoft patches in a timely fashion! For example, the Microsoft August patch list contained two zero-day vulnerabilities: CVE-2018-8373 [Internet Explorer] and CVE-2018-8414 [Windows Shell]. Given there are known exploits, you should give these fixes top priority.
- Advanced Application Control prevents malicious software as well as scripts from executing. By restricting unnecessary scripting languages, you can limit the frameworks that can be used to secretly execute commands on the host system.
- Disable Macros and apply memory protection techniques. If you can’t disable macros, consider applying technology to digitally sign macros that are authorized for use by the organization.
- Most Advanced Antivirus Technology gives you the most powerful means of addressing the threat at the kernel level.
- Privilege Management is essential to limiting threats by giving users the exact level of rights they need to get their job done, and nothing beyond that. Following strict privilege practices helps ensure user credentials – if compromised – don’t allow cyber criminals access to OS tools that will introduce a fileless infection.
- Isolation Policies are also effective against fileless attacks. They can limit the reach of any fileless malware intrusion.
- Insight Tools can afford a better view into your most vulnerable systems, using techniques such as Web Application Firewalls (WAFs) to protect potentially exposed systems.
- Enforce Policies on removable devices. Locking down user devices, such as flash drives, can further prevent fileless malware exposure.
“The time it takes cybercriminals to compromise a system is often just a matter of minutes—or even seconds. They don’t need much time to extract valuable data—they usually have much more than they need as it typically takes organizations weeks or months to discover a breach.” That cautionary note comes from Verizon’s 2018 Data Breach Investigations Report, which found that 68% of the breaches took months or longer to discover; compounding the problem, many breaches are discovered by customers, damaging a company’s brand reputation.
The MoneyTaker group was reported to have spent months investigating a target’s network, in order to elevate system privileges to those of a domain administrator, then to remain active inside the network following the heist.
The message here is: taking a unified approach – enforcing every possible security policy to prevent these attacks and exercising constant vigilance – is the only way to fight back against fileless malware!
About the author: Phil Richards is the Chief Information Security Officer (CISO) for Ivanti. Prior to Ivanti he held other senior security positions, including Director of Operational Security for Varian Medical Systems, Chief Security Officer for Fundtech Corporation and Business Security Director for Fidelity Investments.