Fileless Malware, Malware-Free Attacks Form 66 Percent of All Attacks: CrowdStrike Finding
Malware strikes seem to be happening all around us; big corporates and organizations seem to shiver at the thoughts of hackers managing to go off with all their data using sophisticated malware of all kinds. Leading companies and organizations have had their systems/networks crashed, thanks to the all-pervading ransomware. But, it now seems that there is another more vexing trend that’s emerging on the horizons of cyber security.
Security firm CrowdStrike, in its annual CrowdStrike® Cyber Intrusion Services Casebook for 2017, discusses this trend, based on data gathered during the past many months. Findings by CrowdStrike suggest the rising incidences of fileless malware and malware-free attacks, which form almost 66 percent of all the different kinds of attacks happening.
In a news release that discusses the release of the Cyber Intrusion Services Casebook, CrowdStrike lists out the key findings. The following are the key findings-
- Lines between state-sponsored attack groups and eCrime threat anchors are blurring even further.
- The average attacker dwell time is now 86 days.
- Attackers now seem to go for self-propagation techniques to enhance the scope and scale of the cyber attacks.
- The use of fileless malware, malware-free attacks have increased.
- Companies now better at self-detection.
Discussing fileless malware and malware-free attacks, the release says- “The use of fileless malware and malware-free attacks made up 66 percent of all attacks. Notable examples include attacks where code was executed from memory or where stolen credentials were leveraged for remote logins.”
Such malware-free attacks happen leveraging any kind of compromised credentials or some malware that runs only in memory. A detailed post published by Ars Technica and authored by Sean Gallagher discusses this further- “Some of these attacks used malware that was implanted in the memory of a targeted system by exploiting a software vulnerability on a system reachable from the Internet as a beachhead, or they used poorly configured Web systems to gain access—and then in some cases leveraged Windows features such as PowerShell or Windows Management Instrumentation (WMI) to establish persistent backdoors and spread laterally throughout targeted networks without leaving a malware footprint detectable by traditional antivirus screening.”
It further adds- “In some cases, malware was used only as a “dropper” to introduce memory-only malware. In one incident reported by CrowdStrike, a malicious email attachment launched a PowerShell script that created a persistent simple backdoor. PowerShell commands were then used “to push out a memory-only Metasploit implant,” …Other “malware free” attacks didn’t need that level of technical sophistication—they exploited remote access tools, such as Remote Desktop Protocol servers or virtual private network connections, to gain access to victims’ networks, or they attacked externally accessible Web mail portals or cloud applications—often using credentials stolen through phishing or spear phishing attacks or other social engineering methods.”
The CrowdStrike press release makes a very notable conclusion- “In order to better protect against the sophisticated nature of threat actors, organizations must improve their resiliency in the face of ever-changing attack techniques. Relying on traditional security measures, tools and approaches is no longer effective in the face of modern cyber threats. As attacks continue to become more sophisticated and prolific, organizations must evolve their security strategies to proactively prevent, detect and respond to all attack types, including fileless malware and malware-free attacks.”
Julia Sowells250 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.