Hacked Without a Trace: The Threat of Fileless Malware


UNDERSTANDING FILELESS ATTACKS

Malware. The word alone makes us all cringe as we instantly relate it to something malicious happening on our computers or devices. Gone are the days when we thought the easiest way to protect our computers was to install the latest anti-everything. But today’s hackers no longer depend on victims downloading an infected file – they are now leveraging fileless malware.


Fileless attacks are a growing concern. In the first half of 2019, fileless attacks grew by 256 percent. In 2020, these attacks have become the most dangerous cybersecurity threat to endpoints.

Here’s an example of how financial institutions became susceptible. In 2017, ATMs around the world were found empty, with no trace of how all the money disappeared. By using fileless malware, hackers had actually gained remote control of the computers managing the ATMs. They knew exactly how much money each machine held, and through code embedded into bank computers, the ATMs were commanded to dispense money. Once the robbery was complete, the malware deleted itself without a trace. So, how did they do it?

HACKERS INCREASINGLY LEVERAGE POWERSHELL AND WMI TO ATTACK

The latest in fileless malware leaves zero footprints on disk, because it runs inside legitimate programs your computer already trusts, most commonly PowerShell and Windows Management Instrumentation. What makes this attack different from viruses and trojans is that it loads directly into memory rather than being written to disk as a file. This means that typical anti-malware and anti-virus software, which scan files, cannot detect it.

PowerShell

PowerShell is a tool with which users can automate tasks or manage configurations. Its capabilities allow you to simplify and automate tedious and repetitive tasks by creating scripts and combining multiple commands. PowerShell ships as part of Windows but can be uninstalled. This tool is most often used by IT administrators, as it simplifies management operations in large corporate networks.

Windows Management Instrumentation

Windows Management Instrumentation (WMI) permits administrators to gather metrics, install software, conduct updates and other tasks on the Windows operating system. Hackers can use this tool to silently run malicious code across multiple computers. Although WMI cannot be uninstalled, it can be manually disabled.

HOW DOES AN ATTACK OCCUR?

Fileless malware hides inside your everyday web browsing. It starts with clicking on a banner or a link that directs you to a webpage that requires Adobe Flash. Unfortunately, the Flash content that loads exploits vulnerabilities to launch PowerShell or WMI, which then work behind the scenes to infiltrate your system.

WHAT DAMAGE IS DONE?

Over 68 percent of successful breaches are attributed to fileless malware attacks. If the malware gains access to PowerShell or WMI, it can move laterally across devices connected to your organization’s network. The malware is capable of exploiting applications such as Microsoft Office and web browsers, collecting information and hindering device performance in the process.

Malware attacks also cause financial damage. Hackers pilfer corporate information through fileless malware and later request a ransom in return for the data. The average ransom payment was $18,000.

Since this cyberattack is difficult to detect, you might be wondering: how do I protect myself?

3 Tips to Protect Against Fileless Malware

  1. Avoid clicking on suspicious links or attachments. Visiting an unknown website or opening an unfamiliar file can be a gateway for fileless malware.
  2. Disable PowerShell and WMI. If you’re not using them, deactivating these tools lessens the opportunity for hackers to access your information with a fileless attack.
  3. Keep your software up to date. As inconvenient as they can be, software updates are usually done to patch critical security vulnerabilities.
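As an added example that is not code from the original post or its author, the following PowerShell script turns tip 2 into a repeatable check on a single Windows host. It reports whether the removable legacy PowerShell 2.0 engine is still present, whether the WMI service (Winmgmt) is running and how it starts, and whether PowerShell script block logging is switched on; it then offers functions to remove the legacy engine and to enable script block logging, which records the contents of scripts run in memory to the Windows event log (event ID 4104) even when nothing is written to disk. The function names are the example's own. Because many built-in Windows components depend on WMI, the script only reports the WMI service state rather than disabling it; that decision is left to the administrator. It assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example (not from the original post): audit and harden the two
# components the post names, PowerShell and WMI, on one Windows host.
# Assumes an elevated Windows PowerShell 5.1 session.

$ScriptBlockLoggingKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Get-FilelessExposureReport {
    # The legacy PowerShell 2.0 engine is an optional Windows feature that
    # lacks modern logging; it is what "uninstalling PowerShell" removes.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue

    # WMI service: report only; stopping it breaks many Windows components.
    $wmi = Get-Service -Name Winmgmt -ErrorAction SilentlyContinue

    # Script block logging policy (1 = enabled); the value is absent if never set.
    $sbl = (Get-ItemProperty -Path $ScriptBlockLoggingKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging

    [pscustomobject]@{
        PowerShellV2Engine = if ($v2) { $v2.State } else { 'NotFound' }
        WmiServiceStatus   = if ($wmi) { $wmi.Status } else { 'NotFound' }
        WmiStartType       = if ($wmi) { $wmi.StartType } else { 'NotFound' }
        ScriptBlockLogging = if ($sbl -eq 1) { 'Enabled' } else { 'Disabled' }
    }
}

function Disable-LegacyPowerShellEngine {
    # Removes the PowerShell 2.0 optional feature; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('MicrosoftWindowsPowerShellV2Root', 'Disable optional feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
}

function Enable-PowerShellScriptBlockLogging {
    # Turns on script block logging so in-memory PowerShell activity is recorded
    # as event ID 4104 in Microsoft-Windows-PowerShell/Operational.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($ScriptBlockLoggingKey, 'Set EnableScriptBlockLogging = 1')) {
        New-Item -Path $ScriptBlockLoggingKey -Force | Out-Null
        New-ItemProperty -Path $ScriptBlockLoggingKey -Name EnableScriptBlockLogging -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-RecentScriptBlockEvents {
    # Pulls logged script blocks from the last N hours for review.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'ScriptBlockText'; Expression = { $_.Properties[2].Value } }
}

# Usage (run elevated):
Get-FilelessExposureReport | Format-List
# Disable-LegacyPowerShellEngine -WhatIf
# Enable-PowerShellScriptBlockLogging -WhatIf
# Get-RecentScriptBlockEvents -Hours 1 | Format-Table -AutoSize -Wrap
```

Run the report first, then apply the two hardening functions with `-WhatIf` to preview the change before committing it. On a domain, the same script block logging setting is normally pushed through Group Policy rather than set on each host by hand.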

Continue following Fighting Identity Crimes to get the latest breach and scam updates, ID protection news & tips from our industry experts!


*Originally posted November 26, 2018. Updated October 30, 2020.*

Local Commuters to Globetrotters — On-The-Go Information Security

You’re busy. You’re running errands. You’re commuting to work, to school and back home. You may also be traveling out of town – from plane to hotel and various destinations in between. With such a jam-packed schedule, you’re often making choices on the fly. Naturally, you choose convenience as much as possible.

But what about the security of your information? Are you putting yourself at risk for the sake of expediency?

Fortunately, it doesn’t have to be one or the other. You can have data security without shortchanging convenience.

Health Insurer Anthem Hacked: 80 Million Members Exposed


Update: 11:30 a.m. ET: Health Data Management reports that Anthem Inc. is refusing to comply with a security audit request from the U.S. Office of Personnel Management (OPM) Office of Inspector General (OIG). The request comes after the data breach detailed below.

Because Anthem participates in the Federal Employees Health Benefits Program, which is managed by the OPM, they are subject to these external audits.

Anthem refused the standard vulnerability scans and configuration compliance tests, citing a conflict between the audit and a corporate policy prohibiting external entities from connecting to the Anthem network. In an attempt to supplement its audit, OPM tried to obtain additional information about Anthem’s internal practices but received conflicting statements about their procedures.

This is the second time the organization has refused an audit request from the OPM inspector general. The first refusal came this summer, before the breach was discovered. Following the initial refusal, OPM adjusted the FEHBP contract to allow a certain degree of auditor access.

Update: 10:30 p.m. ET: After phishing scams plagued Anthem’s breach victims, the company finally launched an identity protection enrollment website for impacted individuals. Identity theft protection through Anthem is free and available to all Anthem members — of any age.

If your child is covered under an Anthem health insurance plan, it is wise to enroll them in this service as well. Child identity theft is one of the most detrimental forms of fraud. Because children lack any credit history, criminals can intermingle the child’s clean credit with the perpetrator’s name and date of birth. This process is known as synthetic identity theft.

Concerned parents should monitor their child’s credit carefully — pulling their credit reports from the three major bureaus annually. Review any existing accounts, such as treasury bonds and college savings accounts, for any discrepancies or unusual activity.