Fileless attacks allow sophisticated hackers to evade antivirus programs and hide inside legitimate applications and operating systems. According to 2019 Endpoint Security Survey, fileless attacks on endpoints are the biggest concern of security experts. In addition, about 53% of organization experience an increase in endpoint security risks.
Endpoints are the access point into your data, credentials, environment, and probably your entire organization. Vulnerable endpoints allow attackers to steal data, access your network, and execute ransomware attacks. This article explains how attackers have improved their strategies to bypass traditional antivirus, putting your system at risk.
1. Cryptomining Malware
Cryptomining tools convert computing power into profit. Cryptocurrency mining demands a lot of expensive CPU resources. Therefore, attackers create malware and other attacks to quietly drain computing resources from victims for cryptomining.
Cryptomining attack methods include:
- Exploiting exposed AWS resources—hackers steal AWS account credentials to exploit cloud cryptomining resources, often referred to as cryptojacking.
- Browser based attacks—attackers lure cryptominers to compromised websites that look legitimate at first sight.
- Cryptomining malware—attackers use phishing campaigns to deliver malware that consumes CPU on your endpoints.
Any type of cryptomining attack can lead to a disastrous effect on your business. Attackers can turn vulnerable endpoints and clouds into silent zombie armies of cryptocurrency miners without a single antivirus alert. The only way to discover hijacked computing resources is a CPU and network performance application or extremely high AWS invoice.
2. PowerShell Attacks
PowerShell is a powerful Windows scripting language. It provides access to the inner cores of a machine. Attackers take advantage of PowerShell’s ability to run remotely through WinRMl to get through Windows Firewall and evade traditional antivirus software. As a result, cyber criminals can gain access to admin credentials and execute authorized administration actions on endpoints. This kind of attack makes data theft operations easier for attackers by reducing their reliance on malware and exploit kits.
3. RDP Session Jacking
The Remote Desktop Protocol (RDP) enables you to remotely connect to a Windows system. Usually it requires you to provide a user password before you can gain session access. However, attackers use a well known exploit to avoid the authentication process by running the tscon.exe RDP client process file as system user. When this program is run, the protocol does not ask you for a password and no antivirus alarms go off.
Publicly available RDP service connections serve as an open invitation to attackers. Therefore, you need to make sure that your gateway firewall policy blocks these connections by default. In addition, you have to allow connections only from authorized IP addresses.
4. Advanced Persistent Threats
An Advanced Persistent Threat (APT) is an attack where an unauthorized user gains access to a network or system and stays undetected for a long time. These threats often start with a phishing email to capture credentials and then move on to installing malware such as rootkits. APTs embed themselves deep into the endpoint’s operating system. Once the attacker gets root access at a kernel level, all bets are off and the system is fully under his control. As a result, advanced persistent threats can easily evade traditional methods of detection.
Recent ransomware innovations include offering ransomware-as-a-service, as well as targeting widely-used corporate cloud apps. Attackers use ransomware-as-a-service tools to generate and distribute payloads that encrypt files on computers. After the criminals get their hands on the money, they transfer a percentage of that ransom to authors of the ransomware-as-a-service. One example that easily evades antivirus is the ShurL0ckr ransomware. This type of malware targets cloud-based enterprise file sharing platforms.
How These Attacks Evade Detection
While different in nature, these attacks share some specific characteristics that help attackers avoid detection by traditional antivirus tools. The following critical steps show how it’s done.
Signature-based antivirus tools try to detect and quarantine malicious files while malware is downloaded or executed on endpoints. The problem is that modern attacks operate without downloading or executing malicious files. Instead, these attacks leverage social engineering, exploit OS vulnerabilities, and package malicious code within normal-looking files. As a result, attackers easily evade detection in the delivery process.
For example, the widespread banking trojan, Emotet, delivers malicious code as a Microsoft Office macro via email phishing. In addition, famous ransomware attacks like WannaCry and NotPetya, exploited the EternalBlue SMB vulnerability in Windows for remote code execution.
The best attack approach is to use the native components of a system against itself. Cyber attackers evade antivirus detection by using existing endpoint components like PowerShell and tscon.exe.
Endpoints provide attackers a necessary foothold into a victim’s network. Once they gain access, the next step is to move laterally through the network to find desired targets. Attackers target assets like domain admin credentials, file servers and other sensitive data. When hackers get their hands on admin credentials, they can steal and exploit data without any antivirus alerts.
A smart attacker will cover his tracks after doing the dirty work. Attackers can easily delete log files on each endpoint they use by exploiting domain admin credentials. Moreover, they can avoid leaving critical forensic evidence with one simple PowerShell script. Not a single antivirus tool is built to notice this.
To keep pace with emerging endpoint risks, you need to monitor your endpoints and automate security tools. Integrating your network, host, and security monitoring capabilities into a single platform can help you protect your system. In addition, using security automation and orchestration tools can enable you to stop attacks when they are detected.
Although the attackers covered above have found ways to bypass your security methods, they aren’t unstoppable. New technologies and practices are being refined to help keep you protected. As a next step, consider learning about threat hunting, a proactive approach to catching attacks that go undetected.