Fileless Cyberattacks: They're Getting More Widespread and They're Working

Reports from Ponemon Institute and McAfee Labs have shown that fileless cyberattacks are getting more widespread and they're working.

What Are Fileless Cyberattacks?

Fileless cyberattacks, also known as zero-footprint attacks, refer to cyberattacks that are meant to evade detection by avoiding to install at one stage or another malicious software (malware) on the victims’ computers.

McAfee Labsreported that there’s a significant shift by some cyberattackers toward exploiting trusted Microsoft’s proprietary programs, rather than installing external malware, to attack computers or office computer networks.

In the Ponemon Institute’s study “The 2017 State of Endpoint Security Risk”, researchers found that 77% of successful cyberattacks in 2017 used fileless techniques. The study found that fileless attacks are almost 10 times more likely to succeed than file-based attacks.

The terms “fileless” and “zero-footprint” are misnomers. Fileless cyberattacks don’t mean that they’re exclusively fileless at every stage. For instance, the attack may start with the opening of a malicious file to a spam email and once the infection starts though, the attackers may shift to fileless techniques.

Attackers can also gain access to victims' computers by compromising the victims' computers filelessly at the beginning of the attacks, for instance, by exploiting a security vulnerability that's unpatched and then once access is achieved, external malware is then installed.

Fileless cyberattacks aren’t also necessarily “zero-footprint” because fileless cyberattacks do leave traces on the victims’ computers if one knows where to look.

There’s, however, justification to the name “fileless cyberattacks” as these attacks don’t exhibit the usual symptoms normally associated with malware infection on the computer disk. As they’re asymptomatic, they’re hard to detect and as such, traditional anti-virus solutions can’t detect them.

Instead of installing the malware into the computer disk, what a fileless attack does is embed the malware in scripts or install the malware into the computer memory and never gets copied to the disk, thereby bypassing endpoint security measures such as anti-virus, which typically rely on file input/output to detect threats.

Examples of Fileless Cyberattacks

Below are examples by which attackers infect victims’ computers filelessly:

1. Fileless Cyberattacks via Microsoft’s Windows PowerShell

One of the ways by which attackers infect victims’ computers filelessly is via Microsoft’s Windows PowerShell.

Microsoft’s Windows PowerShell is Microsoft’s task automation and configuration management framework. Available on Windows 7 onward, Microsoft PowerShell allows full access to Microsoft COM (Component Object Model) and Microsoft Windows Management Instrumentation (WMI). Attackers can access Windows features using Microsoft PowerShell.

One preventive measure in protecting Microsoft PowerShell from fileless cyberattacks is by setting it to "Restricted". According to McAfee Labs, attackers can easily get around this restriction by performing “remote execution of a script by directly executing it in memory to bypass endpoint security.”

System administrators bypass the Microsoft’s Windows PowerShell restriction, in the same manner, to execute commands on office computer networks from a remote location via the internet.

2. Fileless Cyberattacks via Microsoft’s Remote Desktop Protocol (RDP)

Another way by which attackers infect victims’ computers filelessly is via Microsoft’s Remote Desktop Protocol.

Microsoft’s Remote Desktop Protocol, just like Microsoft’s Windows PowerShell, is a proprietary software developed by Microsoft. And just like PowerShell which is primarily used by system administrators, Remote Desktop Protocol is also used by systems administrators to access other computers or office computer networks from a remote location via the internet.

Attackers gain access to victims' computers via Microsoft’s Remote Desktop Protocol by simply guessing their way past weak passwords or by using popular password cracking tools. McAfee Labsreported that thousands of these Remote Desktop Protocol login details (specifically for Windows XP through Windows 10 and Windows 2008 and 2012 Server) are sold online between $3 to $19.

Once attackers gain access to your organization’s computer network via Remote Desktop Protocol, they can do anything with it such as install any malware of their choice.

In both fileless cyberattacks via Microsoft Windows PowerShell and Microsoft Remote Desktop Protocol, once attackers gain access into victims’ computers, they’re viewed as system administrators, masking the identity of the attackers, allowing them to hide in plain sight.

3. PowerGhost

PowerGhost is a cryptocurrency mining malware – a malicious software that hijacks the processing power of victims’ computers. Kaspersky Lab first identified this malware.

This malware spreads across large corporate networks infecting both workstations and servers by using a number of fileless techniques, including Mimikatz, a hacking tool designed to siphon a Windows user's password out of the computer's memory.

PowerGhost propagates itself across the local network by launching a copy of itself via Microsoft’s Windows PowerShell and via the now-notorious EternalBlue exploit – a spy tool believed to be developed by the US National Security Agency (NSA) and leaked by the hacking group Shadow Brokers in April 2017. On March 14, 2017, a month before Shadow Brokers leaked the EternalBlue code, Microsoftreleased a security update or patch fixing the security vulnerability exploited by EternalBlue.

Prevention against Fileless Cyberattacks

As shown in the above-mentioned examples, attackers use a number of techniques for fileless attacks. Here are some of the preventive measures against fileless attacks:

• Keep all your software up-to-date.

By keeping your software up-to-date, your organization’s computer network won’t be vulnerable against EternalBlue exploit.

• Use complex passwords and two-factor authentication to prevent attackers’ entry.

• Eliminate unlimited login attempts by timing out IPs or blocking or locking out users that have too many failed login attempts.

• To prevent attackers’ entry via Microsoft’s Windows PowerShell, consider using Constrained Language Modeto limit PowerShell to basic functionality. This makes many fileless attacks via Microsoft’s Windows PowerShell unusable.

When you are looking to boost staff awareness and better protect your applications and infrastructure, get in touchand we will be happy to help.

How to Prevent Departing Employees from Departing with Your Organization’s Data

1. Limit Employee Access to Data

Only give employees access to data needed to get their jobs done. For instance, engineers don’t need access to CRM systems.

2. Encrypt Critical Corporate Data

Ensure that critical corporate data, whether data is in-transit, at-rest and in-use, must be encrypted. Encryption ensures that even when there’s data breach, the data will remain useless.

3. Establish Regular IT Audits

While automated, preventative controls are the best defense, no technology is perfect. Establishing regular IT audits performed by an independent third-party will help you detect any outliers and detect data leaks and internal fraud early on. Such audits generally include

4. Require Appropriate Authentication for Critical Content

Accessing critical content must require not just a username and password but also multi-factor authentication. When critical content is being accessed, it also helps that approval must be secured first or an alert must be given to a compliance officer.

5. Regularly Monitor Network Activities

Unusual volume of downloaded data and non-office hours data access are examples of network activities that should be monitored. Said network activities are red flags for unauthorized activities and should be checked.

6. Keep Critical Data Offline

Don't store information vital to your organization, especially trade secrets, on any device that connects to the internet.

7. In-Person Data Security and Privacy Training

One of the means, though not a cure-all approach, of preventing departing employees from stealing corporate data is by providing an in-person data security training the moment the employee is hired.

One training session isn't enough. It's best to regularly remind employees about safeguarding company’s data by implementing a regular, formal cybersecurity awareness training. In addition to the in-person data security and privacy training, a confidentially or non-disclosure provision has to be included in the employment contracts.

8. Don’t Give Employees Administrator Privileges

Don’t give employees administrator rights for the company-supplied computers or devices. Giving them administrator privileges allows them to install malicious software (malware) that could lead to unauthorized access to information vital to your organization.

DDoS Attacks: Protecting Your Business from Critical Disruption

In March 2018, developer platform GitHub was struck by the most powerful DDoS (distributed denial-of-service) attack ever recorded.

How big? 1.35 terabits of traffic was hitting GitHubeach second.

Still, GitHub was not without its defenses.

Within 10 minutes of the attack starting, GitHub’s DDoS mitigation service stepped in to combat it. They routed all incoming and outgoing traffic and scrubbed data, blocking all malicious packets responsible.

Such decisive action paid off. The attack ended eight minutes after the service took over, and GitHub was able to get back on track after just five minutes of downtime.

If GitHub had been without such a fast, effective response, the outcome of the attack might have been much worse.

A DDoS attack is a fairly cold-blooded attempt to disrupt a server, service or network’s standard operation by bombarding it with excessive traffic.

They incorporate a number of compromised computer systems to mount the attack, essentially overwhelming the target system and affecting genuine traffic.

GitHub had been targeted before, with an attack lasting for six days in 2015.

A company or organization’s website can be severely affected by a DDoS attack, potentially costing them lots of money in lost business. In fact, the average cost of a DDoS attack for businesses rose to more than $2.5 millionin 2017.

Research highlights just how common DDoS disruptions are for many companies. A staggering 849 of 1,010 enterprises questioned had been hit by a DDoS attack. DDoS disruption was estimated to cost target businesses as much as $100,000 per hour.

These figures make for disturbing reading, especially for smaller companies on a much tighter budget than their larger competitors. Still, even for global corporations, the risk of a DDoS attack can be incredibly troubling: after all, they may have more to lose.

Effective cybersecurity and preparation have never been more vital. Every cent available must be channeled into reinforcing your business against potential threats.

Still, this is easier said than done: cybercrime and security can be daunting. To help you understand how best to defend yourself against DDoS attacks, we have explored some of the most effective options below:

Get to know the symptoms

Recognizing the signs of an incoming DDoS attack can make a significant difference to how you handle it.

There is no real warning for a DDoS attack, though. While some hackers may issue threats, there will generally be nothing other than the assault itself.

As you might not browse your own website much on a day to day basis, it may not be until customers begin complaining about its performance than the warning bells start to sound.

However, certain other clues will tip you off:

• Your server delivers a 503 because of service outages

• Your employees / colleagues may notice slowness or connectivity issues if you depend on the same system for your internal software

• Excessive requests from one IP

• Unusually large amounts of traffic without reason and at odd times

The earlier you’re able to spot the warning signs, the sooner you can start to act.

Have a plan

Every business should have a plan in place for a potential DDoS attack. Once you confirm that your system has been targeted, you can jump to your plan and follow it. Being prepared helps to reduce the likelihood of panic or making mistakes that exacerbate the disruption.

Make sure all key players from each department are alerted to the situation and understand how best to handle it at their end. If everyone can work together and focus on damage limitation, you’re more likely to come out of the DDoS attack with minimal impact.

Companies that have no preparations for dealing with such a situation could waste valuable time trying to make sense of it.

Know how to prioritize

You will only have limited access to your system during a DDoS attack. Make sure you focus on keeping the most high-value services and applications running to preserve as much ‘normal’ function as possible.

Again, this comes down to planning. You should have an immediate idea which areas can be let go and which must be the priority.

Pay attention to your network security

Conducting security audits on your network on a regular basis is an effective way to keep your system protected.

Take a close look at the strength of passwords (particularly for the most vulnerable areas), review which employees have access to key data, and run comprehensive checks on software. Do you have the most up to date versions? Have any known security risks come to light with an application you’re using?

A network security audit may not be enough in itself to defend your business against a DDoS attack, but it can play a large part in the process. Incorporate this into ongoing workplace routines: make sure it becomes a habit and is never overlooked.

Letting your system go without the proper audits and preparations can leave it vulnerable to attack. Being complacent and assuming your business will escape the attention of cybercriminals is never a smart move.

Turn to the professionals

Your system security is paramount to keeping your business up and running. Not only does your entire flow of service depend on effective protection, so too does your customers’ experience.

Lengthy downtime can leave buyers with little choice but to start looking elsewhere if you cannot meet their needs. On top of this, they may wonder how safe their personal and financial data are within your company.

Hiring a professional cybersecurity firmto defend your system against DDoS attacks can help to take the strain. You will be free to focus on other areas of running your business while the experts handle the heavy lifting.

Are you concerned about your company’s vulnerability to DDoS attacks? What steps have you taken to safeguard your system? Share your thoughts and ideas below and contact ustoday to protect your organization.