Kaspersky Lab's Global Research & Analysis Team spotted something unusual recently: more than 140 global enterprises have been hit by 'fileless attack' where threat actors use anti-forensic techniques to evade detection.
Not very well, you may say, as Kaspersky managed to detect them. However, glib remarks aside, these incidents point to a seriously worrying threat scenario used by advanced actors to exfiltrate data before they are spotted.
What's happening is that the attackers are embedding PowerShell into the registry as a method of downloading the Metasploit 'Meterpreter' payload directly to RAM. This has enabled them, long story cut very short, to control any PowerShell infected host from remote tunnels.
You can see the full description at SecureList and we recommend you do read it in order to get a grip on exactly how clever attackers are being here.
Kurt Baumgartner, principal security researcher at Kaspersky, told SC Media that while researchers have seen Meterpreter used before, this particular combination has been very effective against multiple enterprises. "This is something new," Baumgartner says, "especially on the global scale that we're seeing."
Andy Norton, Risk Officer (EMEA) at SentinelOne, agrees that the trend of fileless based attacks is escalating. "We have monitored the attacks that are successful in making it to their enterprise endpoint targets," Norton told SC Media, "and there is roughly a 33 percent split in the type of attack that attackers are now using."
Traditional executable file based attacks make up one third, document based attacks comprise another and fileless-based attacks make up the final third according to SentinelOne.
Which begs the question, if enterprises are being hit by advanced attackers using anti-forensic tools and techniques along with memory-resident malware that vanishes with the first system reboot, just how does the enterprise mitigate against this risk?
Norton told SC that "enterprises need to incorporate security that instruments every system" and went on to explain that this would mean "behaviours emanating from any part of a system can be identified and mitigated".
Behavioural-based defence is certainly where the focus should be, according to Giora Engel, co-founder and chief product officer at LightCyber. "Being focused only on the endpoint will cause myopia and minimise one's ability to find active attackers," Engel told SC, adding, "Organisations should look for unusual attack behaviours in the network."
The network approach focuses on the actual behaviour and doesn't distinguish between memory resident and file-based malware. "It can even detect completely malware-less attacks by insiders or external attackers that are already inside the network," Engel concludes.
This should come as no real surprise, as Brian Laing, VP of products at Lastline pointed out. He said, "All malware, regardless of how new it is, the evasive techniques it deploys, or where it resides, must actually do something at some point to be destructive..."