Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/14/2018
10:30 AM
Itay Glick
Itay Glick
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Fileless Malware: Not Just a Threat, but a Super-Threat

Exploits are getting more sophisticated by the day, and cybersecurity technology just isn't keeping up.

It's almost like something out of Star Trek. Imagine an alien who can see you, but whom you can't see — one who has violence on his/her/its mind. A punch coming from out of nowhere; a vase flung at your head with no one seemingly throwing it; a punch to the gut, then a karate chop to the neck, maybe a blast from an (also invisible) ray gun, and you're down for the count. How would you fight it? How could you fight it?

Those invisible aliens may not have landed on earth just yet, but invisible malware — called fileless malware or in-memory malware — is wreaking havoc and bringing intergalactic war-style destruction to IT systems the world over. Like an invisible alien, fileless malware can strike from multiple directions, without victims even being aware they were targeted, until it's too late. Fileless malware — in which hackers call malware routines remotely and load them into memory in order to compromise or steal data — is not new, but hackers increasingly have turned to that type of attack. According to McAfee, fileless threats with PowerShell malware grew by 119% in the third quarter of 2017 alone, and they have been such a rousing success that hackers plan to greatly expand their use this year, security experts are convinced.

But fileless malware is just one of numerous threats and attacks that are now in vogue; 2018 could see more and more challenging cyberattacks, experts believe. With cryptocurrencies so popular now, hackers have begun using botnets to create the computing power needed to mine coins. AI has helped hackers develop more effective social engineering messages, "weaponizing" big data and AI to convince hapless victims to open spear-phishing messages more frequently by matching the message with the personality of the recipient. And botnets that control infected devices, commanding them to infect even more devices — a "swarm effect" — will allow hackers to grow their networks of compromised devices and systems exponentially.

Add to all that the major security risks that come in the form of the Meltdown and Spectre exploits, which affect almost every person and organization that uses a computer, smartphone, tablet, or any other device, and you have the makings of what could be the most challenging year ever for cybersecurity. Attacks are likely to come fast and furious from all directions — and there's little doubt that these new attacks, like fileless malware, will overwhelm any existing cybersecurity protocols.

Let's take a closer look at fileless malware. How would an IT team fight it? Fileless malware actually does come in the form of a file — but it's an innocuous file that for all the world looks like a legitimate Word or Excel file. It has no malware features that antivirus systems could catalog and blacklist; it has no suspicious profile that a sandbox could analyze and ban for improper behavior. All it contains is a link that, once clicked, allows for the remote loading into memory of remote malware, enabling macros that call the malware and install it via a PowerShell script.

The macro itself contains a link that is activated when the macro is activated, meaning that the macro will pop up and ask the user to click on a link. The macro calls this link remotely only when it is loaded into memory, so there is no suspicion of a security problem when the file itself passes through the sandbox. There is nothing for it to inspect. That, in fact, is exactly what South Korean researchers discovered in December, as they examined email messages that contained documents that loaded and installed malware in this manner.

Options Are Few
There is no way the current crop of cybersecurity systems — be they antivirus systems, sandboxes, or anything else — could possibly identify those files as a malware scam. The best they can do is allow documents only from verified sources (websites, email addresses) — but even that is no sure-fire guarantee; who's to say that the sender hasn't been compromised without his knowledge?

What's left? Closing off the Internet altogether? Hand-vetting each and every file, document, link, or anything else that comes to the organization? Both those ideas, obviously, are impractical. The only solution is a system that can see "inside" these files — evaluating the file, the macro inside, and determining if it's safe to send the file through as is. Even better would be if the system could remove the offending macros, and then passing on a clean version to users, who would be able to use the file without fear.

The bottom line is that in order to pull off an exploit, hackers have to be able to deliver their wares in some form — even in a "fileless" form. If there's one thing that won't be different about this year, it's that, like last year and 10 years ago, hackers must have a hook on which to hang their exploit hats. Those exploits are getting more sophisticated by the day — and cybersecurity technology is just not keeping up. There's only one way to confront and beat invisible aliens — using X-ray specs that let the wearer see exactly what she is up against. Where are the X-ray specs that will reveal the specialized tricks hackers are successfully using nowadays? That's a question we need to answer — and soon.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Itay brings to Votiro more than 15 years of executive management experience in cybersecurity at global technology companies based in the U.S., Europe, and Asia. Prior to co-founding Votiro, he played a key role in managing the development of equipment for the lawful ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.