A noticeable shift in the methodology for developing malware is taking place, and it can’t go unaddressed. A few years ago, attackers’ primary objective was to avoid detection – second only to making a profit. But recently, these criminals have realized a critical truth: the longer they hold an infected endpoint, the more their profit increases.
Enter fileless malware, a new approach to cyber attacks that allows invaders to evade detection far longer than traditional methods, giving them an upper hand against enterprise security defenses. These attacks are proving to be particularly useful against businesses because the majority of outdated enterprise security solutions are designed to detect file-based malware that resides on disk, not in memory. Small to midsize businesses (SMBs) have become particularly vulnerable since some lack adequate security and IT staff to understand and protect against these threats.
Research from the Ponemon Institute found that fileless malware attacks, including Emotet, TrickBot, Sorebrect, SamSam and exploits on Microsoft’s PowerShell, accounted for about 35% of all attacks in 2018 and are almost 10 times more likely to succeed than file-based attacks.
Here’s a look at four of the top malware families affecting businesses around the world, and what to expect in 2019.
PowerShell
Microsoft’s administrative scripting tool PowerShell can be abused to commit attacks. For example, attackers recently discovered a new method to leverage PowerShell to download and deliver malware. From there, attackers are able to launch fileless attacks directly in computer memory. This method allows bad actors to avoid detection by security vendors.
Emotet & TrickBot
Banking trojans Emotet and TrickBot are part of the new wave of next-generation malware that distributes emails with malicious documents to initiate attacks. In fact, Emotet is so prevalent that it influenced an alert from the US-CERT about the threat and its capabilities last July. The Emotet threat is most active in the United States, with Texas as the biggest target. There have also been recent upticks in the Philippines, the UK and Canada, while TrickBot is active in Australia.
It stands to reason we’ll see clones of this malware appear throughout 2019 that will affect entire networks by mutating every dropper to avoid detection.
Sorebrect
Sorebrect is a new, entirely fileless ransomware threat that attacks network shares. By combining traditional ransomware functionality with fileless tactics, the attack becomes impossible to stop with common security solutions that watch process memory and use behavioral identification.
While Sorebrect has yet to become a significant threat across the United States and most of Europe, businesses in APAC – especially Indonesia, Thailand and the Philippines – have seen their share of devastating attacks. Many businesses there use outdated operating systems and browsers, making them an easy target for old exploits. That said, Sorebrect was discovered in several states in the US this year, including Missouri and Tennessee. Luckily, the threat hasn’t spread beyond these regions, and copycats of Sorebrect functionality have yet to appear. Nevertheless, businesses ought to keep a close eye on this infection method in 2019.
SamSam
Many malware types act autonomously, but there are a handful that can be manually launched by the attacker, making the tool far more powerful. Manually controlled threat vectors are especially hard to detect because they don’t follow predictable patterns or leave the same signatures as automated attacks. SamSam, a particularly common threat, works by breaking into a network and launching malware manually, an approach that makes the malware particularly difficult to remove because attackers also manually disable existing security software.
Research from Symantec found that the attackers behind SamSam went after 67 different targets in 2018, mostly in the United States. Attacks of this nature can be extremely costly and leave a lasting impact. For instance, the City of Atlanta spent $2.6 million on ransomware recovery following a SamSam hit which crippled a sizable part of the city’s online service. SamSam, or a variant of it, will likely continue to pose a threat in 2019.
Protecting our future from fileless malware
It’s time to take a holistic look at your current security tools and evaluate any gaps using a layered security approach. Review your organization’s specific needs, considering things like endpoint security, firewall, email, identity and access management (IAM) and security information and event management (SIEM). Here are a few other steps you can take.
1) Ensure that if there are any patch updates to your security tools, they’ve been deployed to catch the latest threats.
2) Develop a protocol for responding to attacks and practice “cyber fire drills.” Businesses need a plan that is practiced and understood by all stakeholders in case of a cyber attack. This plan should cover how to quickly identify what the attack is, what information has been breached and how to secure all adjacent systems so the infection or attack is unable to spread.
3) Invest in regular, ongoing training for your employees to help them recognize the latest security threats, including phishing emails and other social engineering tactics. In addition, make sure your first responders or those with access to sensitive customer or proprietary data are well-versed in cybersecurity best practices.
Our adversaries will always look where we are not looking, finding a window whenever we close a door to a known threat. As an industry, we must continue to put ourselves in the mindset of these attackers, anticipating and developing solutions proactively, rather than reactively. If we want to protect every user’s right to a malware-free existence, we must become more agile in reducing the time it takes to identify threats and develop and bring to market new solutions that ensure our communities are protected.