2017 has been the year of ransomware. The global reach of WannaCry had a devastating impact. It’s presence in news outlets around the world made it so that companies and home users everywhere finally began to pay attention to the importance of cybersecurity.
While we will continue to see more ransomware attacks and other threats that use malware in 2018, our prediction is that malwareless attacks will gain momentum next year. We have already seen a few cases this year, but next year malwareless attacks will cement itself as a definitive trend to watch out for.
Impersonating the administrator
As companies and institutions invest in better security systems, cybercriminals are using increasingly ingenious methods to bypass barriers and achieve their goals. In recent months we have seen a greater number of malwareless attacks, easily detected by advanced cybersecurity tools.Often, the attackers use administrator credentials to move around on the network. This is already happening on a wide-scale basis: hacking techniques were used in 62% of the corporate security breaches reported in 2017. And in 49% of those incidents, malware was not used at all. In 2018, we predict the situation will worsen.
How Can They Attack Me Without Any Malware?
The techniques used by cybercriminals to attack without using malware can be very diverse, taking advantage of all kinds of non-malicious tools that are part of the day to day of IT managers.
Sticky Attacks for sneaking through the back door
A great example is this case detected by PandaLabs. First, the attackers resorted to a brute force attack against a server with the Remote Desktop Protocol (RDP) enabled, gaining credentials to access the device. From there, they used OS scripts and tools to move around the system undetected and install a simple back door. Why? Because even if the victim realizes that she has been compromised and changes the access credentials of the RDP, the attacker can take advantage of the sticky keys function to access the computer without entering the access credentials. Just press the shift key 5 times to activate the sticky keys and simultaneously open the back door.
As this infographic shows (below), the attack does not end there. Cybercriminals use two different ways to monetize the offensive: generate online traffic to be sold to third-party sites, or sell access to compromised computers to the highest bidder.
Using PowerShell to Mine Cryptocurrency
Another attack, recently detected by PandaLabs, uses a combination of techniques: fileless malware, PowerShell, exploits, and customized Mimikatz to install Monero mining software on compromised computers.
This attack is a clear example of how tools so essential for system administrators, such as PowerShell, are increasingly used by hackers to perform their attacks.
The solution: Threat Hunting
The rise of attacks that resort to such sophisticated methods confirms that the traditional protection model based on signature files is obsolete. Malware that could be hidden among unknown files, which a traditional security solution tends to ignore, is easily detected by latest generation advanced cybersecurity tools. This has forced cybercriminals get creative and seek more professional methods to circumvent security systems. So security solutions focused on fighting malware alone are doomed to fail.
The key to combating a malwareless attack lies in behavior-based detection. Machine learning systems will prioritize potential incidents, which are then studied in depth with remote forensic analysis tools integrated in a Threat Hunting platform. Automating as many tasks as possible leaves the Threat Hunting team with more time to investigate anomalous behavior and protect customers. This is the method we use at Panda with our Adaptive Defense solution.
We know that attackers are using more tricks to bypass malware-based detection systems. Adaptive Defense not only classifies 100% of the processes that run on all network-connected devices, but we monitor them in real time to uncover attacks such as those described above.
Learn about other cases detected by PandaLabs and more predictions for 2018 in our report.
4 comments