Thought leadership. threat analysis, news and alerts.
Fileless Cyberattacks: They're Getting More Widespread and They're Working
Reports from Ponemon Institute and McAfee Labs have shown that fileless cyberattacks are getting more widespread and they're working.
What Are Fileless Cyberattacks?
Fileless cyberattacks, also known as zero-footprint attacks, refer to cyberattacks that are meant to evade detection by avoiding to install at one stage or another malicious software (malware) on the victims’ computers.
McAfee Labsreported that there’s a significant shift by some cyberattackers toward exploiting trusted Microsoft’s proprietary programs, rather than installing external malware, to attack computers or office computer networks.
In the Ponemon Institute’s study “The 2017 State of Endpoint Security Risk”, researchers found that 77% of successful cyberattacks in 2017 used fileless techniques. The study found that fileless attacks are almost 10 times more likely to succeed than file-based attacks.
The terms “fileless” and “zero-footprint” are misnomers. Fileless cyberattacks don’t mean that they’re exclusively fileless at every stage. For instance, the attack may start with the opening of a malicious file to a spam email and once the infection starts though, the attackers may shift to fileless techniques.
Attackers can also gain access to victims' computers by compromising the victims' computers filelessly at the beginning of the attacks, for instance, by exploiting a security vulnerability that's unpatched and then once access is achieved, external malware is then installed.
Fileless cyberattacks aren’t also necessarily “zero-footprint” because fileless cyberattacks do leave traces on the victims’ computers if one knows where to look.
There’s, however, justification to the name “fileless cyberattacks” as these attacks don’t exhibit the usual symptoms normally associated with malware infection on the computer disk. As they’re asymptomatic, they’re hard to detect and as such, traditional anti-virus solutions can’t detect them.
Instead of installing the malware into the computer disk, what a fileless attack does is embed the malware in scripts or install the malware into the computer memory and never gets copied to the disk, thereby bypassing endpoint security measures such as anti-virus, which typically rely on file input/output to detect threats.
Examples of Fileless Cyberattacks
Below are examples by which attackers infect victims’ computers filelessly:
1. Fileless Cyberattacks via Microsoft’s Windows PowerShell
One of the ways by which attackers infect victims’ computers filelessly is via Microsoft’s Windows PowerShell.
Microsoft’s Windows PowerShell is Microsoft’s task automation and configuration management framework. Available on Windows 7 onward, Microsoft PowerShell allows full access to Microsoft COM (Component Object Model) and Microsoft Windows Management Instrumentation (WMI). Attackers can access Windows features using Microsoft PowerShell.
One preventive measure in protecting Microsoft PowerShell from fileless cyberattacks is by setting it to "Restricted". According to McAfee Labs, attackers can easily get around this restriction by performing “remote execution of a script by directly executing it in memory to bypass endpoint security.”
System administrators bypass the Microsoft’s Windows PowerShell restriction, in the same manner, to execute commands on office computer networks from a remote location via the internet.
2. Fileless Cyberattacks via Microsoft’s Remote Desktop Protocol (RDP)
Another way by which attackers infect victims’ computers filelessly is via Microsoft’s Remote Desktop Protocol.
Microsoft’s Remote Desktop Protocol, just like Microsoft’s Windows PowerShell, is a proprietary software developed by Microsoft. And just like PowerShell which is primarily used by system administrators, Remote Desktop Protocol is also used by systems administrators to access other computers or office computer networks from a remote location via the internet.
Attackers gain access to victims' computers via Microsoft’s Remote Desktop Protocol by simply guessing their way past weak passwords or by using popular password cracking tools. McAfee Labsreported that thousands of these Remote Desktop Protocol login details (specifically for Windows XP through Windows 10 and Windows 2008 and 2012 Server) are sold online between $3 to $19.
Once attackers gain access to your organization’s computer network via Remote Desktop Protocol, they can do anything with it such as install any malware of their choice.
In both fileless cyberattacks via Microsoft Windows PowerShell and Microsoft Remote Desktop Protocol, once attackers gain access into victims’ computers, they’re viewed as system administrators, masking the identity of the attackers, allowing them to hide in plain sight.
PowerGhost is a cryptocurrency mining malware – a malicious software that hijacks the processing power of victims’ computers. Kaspersky Lab first identified this malware.
This malware spreads across large corporate networks infecting both workstations and servers by using a number of fileless techniques, including Mimikatz, a hacking tool designed to siphon a Windows user's password out of the computer's memory.
PowerGhost propagates itself across the local network by launching a copy of itself via Microsoft’s Windows PowerShell and via the now-notorious EternalBlue exploit – a spy tool believed to be developed by the US National Security Agency (NSA) and leaked by the hacking group Shadow Brokers in April 2017. On March 14, 2017, a month before Shadow Brokers leaked the EternalBlue code, Microsoftreleased a security update or patch fixing the security vulnerability exploited by EternalBlue.
Prevention against Fileless Cyberattacks
As shown in the above-mentioned examples, attackers use a number of techniques for fileless attacks. Here are some of the preventive measures against fileless attacks:
By keeping your software up-to-date, your organization’s computer network won’t be vulnerable against EternalBlue exploit.
When you are looking to boost staff awareness and better protect your applications and infrastructure, get in touchand we will be happy to help.
How to Prevent Departing Employees from Departing with Your Organization’s Data
The practice of departing employees departing with their employers’ data has recently been highlighted in the latest case that sprung from one of the biggest tech companies Apple.
A special agent at the Federal Bureau of Investigation (FBI) recently filed a criminal complaint before the US District Court for the Northern District of California against a former Apple employee, alleging that the former Apple employee who worked as a hardware engineer on the company’s autonomous vehicle development team stole trade secrets from the company.
According to the FBI special agent, because of the former employee's role on Apple’s autonomous vehicle development project, he was granted broad access to secure and confidential internal databases containing trade secrets and intellectual property for the project.
After returning from a paternity leave, the said employee, according to the FBI special agent, resigned saying that he plans to move back to his home country and he also plans to work with another company also working in the field of autonomous vehicle technology.
The said employee turned over all Apple-owned devices and Apple's security then disabled his remote network access, badge privileges, network access and other employee accesses.
The criminal complaint revealed that data from Apple’s security team showed that days prior to his resignation, the former Apple employee’s network activity increased exponentially compared to the prior two years of his employment. On the evening two days prior to his resignation, the employee was shown via CCTV footage entering the autonomous vehicle software and hardware labs and leaving the building less than an hour later carrying a large box.
The criminal complaint also disclosed that in an interview with Apple security attorney and Apple employee relations representative, the accused former employee of Apple admitted downloading data to a non-Apple device, one that's owned by his wife, because he has "interest in platforms and wanted to study the data on his own." The accused also admitted to FBI agents of taking files from Apple’s autonomous vehicle development project and transferring the files to a non-Apple digital device, owned by his wife.
Files recovered from the non-Apple device included a 25-page document containing schematics for one of the circuit boards that form Apple's proprietary infrastructure technology for its autonomous vehicle development project.
FBI agents arrested the said Apple's former employee at the San Jose International Airport as he was about to leave the country.
Prevalence of Departing Employees Stealing or Leaking Corporate Data
The case filed against a former Apple employee is just one of the many cases of departing employees departing with their employers’ data.
In 2014, a Federal Court of Australia found sufficient evidence that a former employee of Leica Geosystems Pty Ltd copied 190,000 files from the company’s computers the day before he resigned. The files copied by the former employee included numerous source codes representing the core of the company’s intellectual property. The Federal Court of Australia ordered the said employee to pay AUD$50,000 to his former employer as fine for his misconduct.
In 2015, an employee of BlueScope, after learning she was to be terminated, downloaded 40 gigabytes of company documents. The company filed legal actions in the Federal Court of Australia and Singapore to stop the information falling into the hands of its competitors. BlueScope and the former employee reached a confidential settlement. The Federal Court of Australia, meanwhile, permanently restrained the BlueScope’s former employee from using the data that’s in her possession.
A survey conducted by Biscom showed the prevalence of departing employees departing with their employers’ data. The Biscom survey showed the following alarming findings:
Data Leak Prevention
1. Limit Employee Access to Data
Only give employees access to data needed to get their jobs done. For instance, engineers don’t need access to CRM systems.
2. Encrypt Critical Corporate Data
Ensure that critical corporate data, whether data is in-transit, at-rest and in-use, must be encrypted. Encryption ensures that even when there’s data breach, the data will remain useless.
3. Establish Regular IT Audits
While automated, preventative controls are the best defense, no technology is perfect. Establishing regular IT audits performed by an independent third-party will help you detect any outliers and detect data leaks and internal fraud early on. Such audits generally include
4. Require Appropriate Authentication for Critical Content
Accessing critical content must require not just a username and password but also multi-factor authentication. When critical content is being accessed, it also helps that approval must be secured first or an alert must be given to a compliance officer.
5. Regularly Monitor Network Activities
Unusual volume of downloaded data and non-office hours data access are examples of network activities that should be monitored. Said network activities are red flags for unauthorized activities and should be checked.
6. Keep Critical Data Offline
Don't store information vital to your organization, especially trade secrets, on any device that connects to the internet.
7. In-Person Data Security and Privacy Training
One of the means, though not a cure-all approach, of preventing departing employees from stealing corporate data is by providing an in-person data security training the moment the employee is hired.
One training session isn't enough. It's best to regularly remind employees about safeguarding company’s data by implementing a regular, formal cybersecurity awareness training. In addition to the in-person data security and privacy training, a confidentially or non-disclosure provision has to be included in the employment contracts.
8. Don’t Give Employees Administrator Privileges
Don’t give employees administrator rights for the company-supplied computers or devices. Giving them administrator privileges allows them to install malicious software (malware) that could lead to unauthorized access to information vital to your organization.
When you need help with either establishing regular IT Audits or performing data leakage assessments, help is a phone call away. Contact us today and protect your business.
DDoS Attacks: Protecting Your Business from Critical Disruption
In March 2018, developer platform GitHub was struck by the most powerful DDoS (distributed denial-of-service) attack ever recorded.
How big? 1.35 terabits of traffic was hitting GitHubeach second.
Still, GitHub was not without its defenses.
Within 10 minutes of the attack starting, GitHub’s DDoS mitigation service stepped in to combat it. They routed all incoming and outgoing traffic and scrubbed data, blocking all malicious packets responsible.
Such decisive action paid off. The attack ended eight minutes after the service took over, and GitHub was able to get back on track after just five minutes of downtime.
If GitHub had been without such a fast, effective response, the outcome of the attack might have been much worse.
A DDoS attack is a fairly cold-blooded attempt to disrupt a server, service or network’s standard operation by bombarding it with excessive traffic.
They incorporate a number of compromised computer systems to mount the attack, essentially overwhelming the target system and affecting genuine traffic.
GitHub had been targeted before, with an attack lasting for six days in 2015.
A company or organization’s website can be severely affected by a DDoS attack, potentially costing them lots of money in lost business. In fact, the average cost of a DDoS attack for businesses rose to more than $2.5 millionin 2017.
Research highlights just how common DDoS disruptions are for many companies. A staggering 849 of 1,010 enterprises questioned had been hit by a DDoS attack. DDoS disruption was estimated to cost target businesses as much as $100,000 per hour.
These figures make for disturbing reading, especially for smaller companies on a much tighter budget than their larger competitors. Still, even for global corporations, the risk of a DDoS attack can be incredibly troubling: after all, they may have more to lose.
Effective cybersecurity and preparation have never been more vital. Every cent available must be channeled into reinforcing your business against potential threats.
Still, this is easier said than done: cybercrime and security can be daunting. To help you understand how best to defend yourself against DDoS attacks, we have explored some of the most effective options below:
Get to know the symptoms
Recognizing the signs of an incoming DDoS attack can make a significant difference to how you handle it.
There is no real warning for a DDoS attack, though. While some hackers may issue threats, there will generally be nothing other than the assault itself.
As you might not browse your own website much on a day to day basis, it may not be until customers begin complaining about its performance than the warning bells start to sound.
However, certain other clues will tip you off:
The earlier you’re able to spot the warning signs, the sooner you can start to act.
Have a plan
Every business should have a plan in place for a potential DDoS attack. Once you confirm that your system has been targeted, you can jump to your plan and follow it. Being prepared helps to reduce the likelihood of panic or making mistakes that exacerbate the disruption.
Make sure all key players from each department are alerted to the situation and understand how best to handle it at their end. If everyone can work together and focus on damage limitation, you’re more likely to come out of the DDoS attack with minimal impact.
Companies that have no preparations for dealing with such a situation could waste valuable time trying to make sense of it.
Know how to prioritize
You will only have limited access to your system during a DDoS attack. Make sure you focus on keeping the most high-value services and applications running to preserve as much ‘normal’ function as possible.
Again, this comes down to planning. You should have an immediate idea which areas can be let go and which must be the priority.
Pay attention to your network security
Conducting security audits on your network on a regular basis is an effective way to keep your system protected.
Take a close look at the strength of passwords (particularly for the most vulnerable areas), review which employees have access to key data, and run comprehensive checks on software. Do you have the most up to date versions? Have any known security risks come to light with an application you’re using?
A network security audit may not be enough in itself to defend your business against a DDoS attack, but it can play a large part in the process. Incorporate this into ongoing workplace routines: make sure it becomes a habit and is never overlooked.
Letting your system go without the proper audits and preparations can leave it vulnerable to attack. Being complacent and assuming your business will escape the attention of cybercriminals is never a smart move.
Turn to the professionals
Your system security is paramount to keeping your business up and running. Not only does your entire flow of service depend on effective protection, so too does your customers’ experience.
Lengthy downtime can leave buyers with little choice but to start looking elsewhere if you cannot meet their needs. On top of this, they may wonder how safe their personal and financial data are within your company.
Hiring a professional cybersecurity firmto defend your system against DDoS attacks can help to take the strain. You will be free to focus on other areas of running your business while the experts handle the heavy lifting.
Are you concerned about your company’s vulnerability to DDoS attacks? What steps have you taken to safeguard your system? Share your thoughts and ideas below and contact ustoday to protect your organization.
Steve E. Driz, I.S.P., ITCP