Why fileless malware attacks are the next big security worry

One of the most notorious hacks of recent times was the late 2017 database breach suffered by the consumer credit reporting agency Equifax, which saw huge numbers of records compromised.

Cybercriminals accessed the details of about 150 million consumers, most of them Americans but with others coming from the United Kingdom and Canada.

Equifax faced a storm of criticism over the release of what was in many cases sensitive information, and a major class-action lawsuit was launched in the United States not long after the breach occurred.

The issue has also been significant enough for the American senator Elizabeth Warren, a tough-talking consumer advocate, to deliver a volley of criticism the company’s way. Warren also asked probing questions about exactly what details had been stolen, and it turned out that everything from dates of birth to addresses to payment card details to driving licence numbers had been accessed.

And as recently as September this year, the Information Commissioner’s Office, Britain’s data watchdog, fined Equifax £500,000 over the breach, its largest possible sanction.

What characterised the hack was that it was a “fileless” attack, a name that references the fact that such incidents do not involve malware.

In this case, the attackers instead exploited a command injection vulnerability that allowed remote code execution, so that external hackers could manipulate the open-source enterprise software Apache Struts.

Also known as zero footprint, non-malware, in-memory and a host of other names, such attacks are becoming increasingly common as fraudsters look for new ways to circumvent cyber defences.

“There’s rogue code that resides in the memory and it’s very difficult to detect. That’s increasingly happening,” says Paula Thomas, a cybersecurity specialist and academic subject leader for technical and applied computing at the University of Gloucestershire in the United Kingdom.

“Anti-virus technologies are becoming quite sophisticated, so they’re able to detect all sorts of issues – there are few ways in. Whereas memory is largely unprotected – there are tools you can inject directly into memory.”

One factor in the growth of fileless attacks is the wider availability of hacker toolkits that facilitate their deployment.

Previously, the significant technological demands of launching fileless attacks meant that large and well-resourced hacking operations, such as those run by nation states, were typically responsible for them. Today, though, much smaller and less sophisticated operations run by cybercriminals, whose sights are on financial gain rather than geopolitical disruption, are often to blame.

“People have had so many problems with ransomware. Fileless attacks are a major part of the success factor,” says Nicolai Solling, the Dubai-based chief technology officer for the Middle East operation of the cybersecurity company Help AG.

“Cyber threats such as ransomware and cryptomining utilise elements of fileless attacks – all of these different things have been the latest big security issues. That’s really an indicator that this is an area that we should start focusing on.”

Plenty of statistics, such as those released by the Massachusetts-based cybersecurity company Carbon Black, back up the perception that fileless attacks are an increasing threat.

In early 2016, only a few percent of attacks were said to be fileless, with malware-based deployment still far more of a problem.

In the relatively short period of time since, the situation has changed dramatically. Recent figures indicate that there is a fileless component to one in three cyber-attacks, and that more than half of all successful attacks are fileless. Indeed, some experts have said that fileless attacks are as much as ten times as likely to succeed as their file-based equivalents.

“We’re starting to use technologies like machine learning to block file-based attacks. With fileless it is a little bit easier to bypass these defences. They’ve always been there, but the growth is now definitely greater than we’ve seen before,” says Vibin Shaju, pre-sales director for southern Europe and the Middle East at the cybersecurity company McAfee.

Fileless attacks typically get through defences by exploiting vulnerabilities in apparently safe applications, such as browsers or document readers, that are already installed in a computer. That was the case with the Equifax hack.

“It completely exists in the memory. It exploits the trust and makes sure there’s no files in the hard drive,” says Shaju.

There is no doubt, then, that fileless attacks are now ubiquitous and often highly dangerous. So, what can individuals and organisations do to defend against them?

Basic housekeeping measures, especially keeping everything up to date – including operating systems, browsers and applications – are critical, as these reduce the likelihood that there will be vulnerabilities that hackers can exploit.

“You can ensure that your computer’s software is securely patched, your operating system is securely patched. You need to have good anti-virus software,” says Thomas from the University of Gloucestershire.

These common-sense measures are not always followed: a patch that could have prevented the Equifax breach had been made available many weeks before the attack. It is no wonder then that Equifax’s reputation has suffered so heavily in the wake of the scandal.

Cybersecurity companies too have had to respond and adapt their technologies so that they are able to identify and neutralise fileless attacks.

“It’s been very challenging for the legacy cybersecurity vendors looking for file execution,” says Help AG’s Solling.

As an example, Solling cites the exploitation of PowerShell, Microsoft’s “task-based command-line shell and scripting language”, which allows the automation of tasks for the management of operating systems such as Windows.

“The attackers are trying to utilise functions that would turn the system against itself,” says Solling.

“If someone is able to execute PowerShell with malicious intent, you can very easily create havoc on that machine.

“When it’s executed, from a file perspective it’s completely secure – we trust the file and everything is fine around it, but the outcome of using that file, when it’s malicious, could be catastrophic.

“A normal anti-virus that looks at the content will not be able to detect anything other than a PowerShell file. That’s the biggest danger of fileless attacks.”

To deal with such threats, defenders have had to shift from trying to identify a specific file – a method that would not reveal a threat from a fileless attack – to trying to understand the behaviour of that file, because this can highlight that something is amiss.

Behaviour-based analysis has, as a result, been the focus of much recent research-and-development activity in cybersecurity companies.

For instance, Solling says that a particular PowerShell script could be signed, meaning that it is trusted and can therefore run, while the absence of such a signature could be used to identify cases where there is the threat of an attack.

“You might have another PowerShell script trying to run from a Word document you get from a third-party email. That’s not authorised, so it cannot run,” he says.
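The two behavioural checks Solling describes (a script that carries no valid signature, and PowerShell launched from a Word document) applied to constructed process-creation records, as an added example that is not from the article or any vendor's product; the field names, signature-status strings and sample events are assumptions.

```python
"""Behaviour-based triage of PowerShell process-creation events.

Added example, not from the article or any vendor. Applies the two
behavioural rules discussed above to constructed, Sysmon-style
process-creation records. Field names and sample values are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Parent processes that should never launch PowerShell directly (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str             # basename of the executable that started
    parent_image: str      # basename of the process that started it
    command_line: str
    # Authenticode status of the script being run, if one is identified:
    # "Valid", "NotSigned", "HashMismatch", or None when no script is involved.
    script_signature: Optional[str] = None


def triage(event: ProcessEvent) -> List[str]:
    """Return the behavioural rules the event violates (empty list = allowed)."""
    findings: List[str] = []
    if event.image.lower() not in POWERSHELL_IMAGES:
        return findings  # only PowerShell launches are assessed here
    if event.parent_image.lower() in OFFICE_PARENTS:
        findings.append("powershell_spawned_by_office_document")
    if event.script_signature is not None and event.script_signature != "Valid":
        findings.append("script_signature_" + event.script_signature.lower())
    return findings


def triage_all(events: Iterable[ProcessEvent]) -> Dict[int, List[str]]:
    """Map each event's pid to the list of rules it violates."""
    return {e.pid: triage(e) for e in events}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(101, "powershell.exe", "explorer.exe",
                 r"powershell.exe -File C:\ops\backup.ps1", "Valid"),
    ProcessEvent(102, "powershell.exe", "WINWORD.EXE",
                 r"powershell.exe -File C:\Users\a\AppData\Local\Temp\x.ps1", "NotSigned"),
    ProcessEvent(103, "notepad.exe", "explorer.exe", "notepad.exe", None),
    ProcessEvent(104, "pwsh.exe", "svchost.exe",
                 r"pwsh.exe -File C:\ops\inventory.ps1", "HashMismatch"),
]

if __name__ == "__main__":
    for pid, hits in triage_all(SAMPLE_EVENTS).items():
        print(pid, "ALLOW" if not hits else "ALERT " + ", ".join(hits))
```

Event 102 trips both rules, while the signed script launched from Explorer (101) passes; a tampered script (104) is caught even though its parent is unremarkable.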

So, although fileless attacks represent a strengthening of the armoury of cyber-attackers, their malign efforts are being met with heavy resistance.
