The malicious code behind cyberattacks on banks and others has seemingly disappeared, making those attacks all the more dangerous.
Malicious software, the type criminals use to steal online banking login credentials from customer or employee desktops, has been getting more stealthy and effective over time, as its authors get progressively better at evading antivirus and antimalware programs.
But there’s an emerging generation of malware that’s even sneakier. It’s not only designed to escape detection, it can lurk in computer memory or a legitimate computer tool, where normal security software can’t see it.
Malicious code that runs in memory is called “fileless.”
Such attacks are increasing “because they are much harder to detect than file-based malware,” said Rick McElroy, security strategist at the security company Carbon Black. “Traditional antivirus … is designed to stop only file-based malware. It does nothing to stop the more advanced, nonmalware attacks. Attackers have quickly realized this.”
Another, more invasive version of this is “malware-free intrusions,” where the adversary embeds its attack script in legitimate tools already present in the environment.
“You cannot block them because they’re used for legitimate purposes in your environment, but they’re being compromised to assist in the intrusion for nefarious purpose,” said Dmitri Alperovitch, co-founder and CTO of CrowdStrike, the security company brought in to investigate the hack on the Democratic National Committee.
Most existing antivirus and whitelisting technologies cannot cope with these attacks because they’re looking for malware and there’s no malware for them to find, he said.
“Even some next-gen capabilities like machine learning aren’t able to deal with this because there’s nothing to analyze in machine learning,” Alperovitch said. “What you really need is a behavioral system that can look at what is going on. If someone tried credentials, even if they’re using legitimate tools to accomplish it, that behavior is still malicious.”
The terms “fileless” and “malware-free” may evolve over time. But they represent a genre in cyberattacks that banks need to watch.
An early example of so-called fileless malware was the Target breach.
“The cybercriminals put their code in memory and didn’t write anything to disk,” Avivah Litan, Gartner vice president, explained. Target was “PCI compliant, so to speak, and the antivirus programs generally can’t catch anything that’s just in memory.”
The size and celebrity of that case made such attacks more popular, Litan said.
A more recent example was the Russian hack of the Democratic National Committee. That attack was carried out almost entirely using PowerShell and WMI, Alperovitch said. (PowerShell is a Microsoft task automation and configuration management framework. Windows Management Instrumentation, or WMI, is a set of specifications from Microsoft for consolidating the management of devices and applications in a network.)
Some experts believe this type of attack is overtaking traditional malware.
“The really advanced criminals are using it — state actors, heads of crime gangs,” Litan said. “Incidences are going up, some people say by 15% to 20%. It’s definitely on the increase and it will probably surpass the majority within a year.”
Research from Carbon Black has found that 97% of organizations were targeted by a nonmalware attack in 2016.
Not everyone agrees about the size of the threat in the scope of overall cyberattacks.
“We are seeing a rise in fileless malware,” said Jon Miller, chief research officer at the security firm Cylance. “However, traditional portable-executable-based malware is still outnumbering fileless attacks by a factor of over 100 to one.”
However, banks are specifically being targeted by the newer attack type. Carbon Black’s research found more than 40% growth in attacks targeting financial institutions in 2016. “Attackers are very adept at following the money,” McElroy said.
How fileless and malware-free attacks work
Most cyberattacks on banks start with phishing—convincing-looking emails with malicious attachments. Bank IT departments usually aim to put those attachments in a sandbox, where they can be evaluated in a safe place.
The newer, fileless versions are encrypted and carry logic that can detect when they are running in a sandbox; knowing what a sandbox looks for, they simply won’t run there. To IT, they look like benign Word attachments or PDF files.
“The criminals have figured out all the most common controls that are put in, including file-based antimalware and sandboxing and detonation,” Litan said. “They work real hard to write malware to defeat that.”
An antidote to this is an alternative technology called content destruction and reconstruction, or regeneration. It strips any suspect content out of an email attachment and delivers only the safe part.
Cyberattackers also know that typical antimalware tools look for files that have been written to disk. By writing the attack in memory or burying it in a registry, they fly under the radar.
Newer endpoint detection and response tools from companies including Cylance, Carbon Black, CrowdStrike, FireEye and Tanium are designed to detect the newer attacks. The more traditional antimalware providers like McAfee, Symantec and Trend Micro are also modifying their software to detect this threat. All are adding memory protection and memory inspection. Some also have behavior monitoring.
CrowdStrike’s software profiles everything that’s happening on a machine, Alperovitch said.
“The analogy often used is, how do you know somebody’s robbing the bank?” he said. “Well, if they get inside the vault and take the money and they leave with that money, that’s a bank robbery. If you’re focused just on the techniques they’re using, you’re going to miss something. If you’re only looking for people blowing up the vault with dynamite while someone comes in and puts a gun to the clerk’s head and asks them to open up the vault, it’s going to be missed.”
If something is working through every file on disk and encrypting it, the way ransomware would, it doesn’t matter whether a malicious file exists or not: that behavior indicates someone is attempting to install ransomware on your machine.
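As an added illustration, not code from the article or from any of the vendors quoted, the behavioral approach Alperovitch describes can be sketched as a small detector over constructed endpoint telemetry: it flags a script host launched by a document application (the phishing-attachment path described above) and a process that modifies many files in a short window (the ransomware behavior), without inspecting any file on disk. The event format, process names and thresholds are assumptions.

```python
"""Behavior-based detection over endpoint telemetry (constructed sample, not a real product)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event format: "<ISO timestamp>|<kind>|<pid>|<detail>"
#   kind "process":   detail is "<parent image>-><child image>"
#   kind "filewrite": detail is the path written
OFFICE_PARENTS = {"winword.exe", "excel.exe", "acrord32.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe"}

def parse(line):
    ts, kind, pid, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "pid": int(pid), "detail": detail}

def detect(lines, burst=20, window_s=10):
    """Return (pid, reason) alerts. No file content or signature is examined,
    only what processes do, which is the point of behavioral detection."""
    alerts = []
    writes = defaultdict(list)  # pid -> timestamps of recent file writes
    for ev in map(parse, lines):
        if ev["kind"] == "process":
            parent, child = ev["detail"].split("->")
            # A Word/PDF/mail client spawning a script host is the classic
            # macro-or-attachment-to-PowerShell chain, with no dropped binary.
            if parent.lower() in OFFICE_PARENTS and child.lower() in SCRIPT_HOSTS:
                alerts.append((ev["pid"], "script host spawned by document application"))
        elif ev["kind"] == "filewrite":
            recent = writes[ev["pid"]]
            recent.append(ev["ts"])
            cutoff = ev["ts"] - timedelta(seconds=window_s)
            while recent and recent[0] < cutoff:  # keep only writes inside the window
                recent.pop(0)
            if len(recent) == burst:  # fire when the count first reaches the threshold
                alerts.append((ev["pid"], "mass file modification burst"))
    return alerts

# Constructed telemetry: a Word-launched PowerShell (pid 4012) that then rewrites
# 25 documents in about six seconds, plus an ordinary notepad session (pid 4020).
SAMPLE = (
    ["2017-03-01T09:00:00|process|4012|winword.exe->powershell.exe",
     "2017-03-01T09:00:02|process|4020|explorer.exe->notepad.exe",
     "2017-03-01T09:00:03|filewrite|4020|C:/Users/a/notes.txt"]
    + [f"2017-03-01T09:00:{5 + i // 4:02d}|filewrite|4012|C:/Users/a/Documents/f{i}.docx"
       for i in range(25)]
)

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE):
        print(pid, reason)
```

In a real deployment the events would come from an EDR sensor or Sysmon-style logging, and the thresholds would be tuned against the estate's normal activity.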
Four out of the five top banks in the world are CrowdStrike customers, Alperovitch said.
What banks can do about it
When it comes to attacks on customers’ desktops, banks of course don’t have any control. They invest heavily in fraud detection, so they can at least look for signs of fraudulent transactions.
When it comes to their employees, they do control the endpoints and try to keep them clean. But here again, in case they miss something, they can use advanced analytics to look for unusual behavior.
Miller pointed out that most fileless attacks use scripting languages to perform malicious actions. “Organizations should evaluate which scripting languages can operate on their endpoints, and use that information as a base to reduce their threat surface,” he advised.
Banks are also starting to adopt deception technology and decoys, Litan said. One vendor she met with recently offers software that puts deceptive documents on a bank’s file share with fake customer information. Then they’ll look to see if that information has been leaked by scanning the web.
Also in the category of deception, some endpoint security programs will look for malware that’s asking questions and will trick it, so if it asks if it’s in a sandbox, it will reply no.
“There’s all these little tricks going on,” Litan said.
There are several lessons banks could learn from the DNC attack, Alperovitch said. The first is to have technology that would block such attacks as a defensive move.
Banks should assume they’ve been hacked and do a compromise assessment. And they should try to get full visibility across their environment.
“Have a plan and know that there are threats out there that you will have to face,” Alperovitch said.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.