Are fileless and Powershell attacks overtaking the other common vectors?
Ransomware is still very popular as a means to penetrate networks and generally cause mayhem. However, fileless and PowerShell attacks have become the next threat vectors to watch out for.
Fileless and PowerShell attacks are powerful vectors. Unlike many attacks carried out by traditional malware, fileless malware operations don't require the attackers to install a single piece of software on a target's machine. Instead, fileless malware attacks entail taking tools built into Windows, particularly PowerShell, and using them for malicious activity. Using legitimate programs makes detecting these attacks particularly challenging since these tools and the actions they carry out are trusted.
Many of the techniques used by fileless malware attacks have been around for a while. In-memory exploits, for instance, were prominent in the SQL Slammer worm from the early 2000s. But with the enemy developing new and sophisticated exploit kits, fileless malware attacks have become much more common.
For antivirus programs, there isn't a signature provided since no software is used in fileless malware attacks. As such, fileless malware attacks go undetected. The “enemy” just needs to hijack PowerShell or other trusted tools and use them for malicious activities.
Other security programs aren't much better at detecting these attacks, which are also referred to as non-malware attacks and living-off-the-land attacks. Since attackers use trusted programs native to Windows to execute commands, most security products automatically whitelist these activities.
What has been proved is that PowerShell is an “enemy's” tool of choice for conducting fileless malware attacks. The reason why? Simple. Distinguishing between legitimate and malicious PowerShell activity is challenging but not impossible. Research suggests that these vectors are expected to grow. As for ransomware, it might fall by the wayside or bounce back as a preferred vector for the less initiated “enemy” purely because it is tried and tested, but only time will tell.
The latest report from the endpoint security firm SentinelOne's H1 2018 Enterprise Risk Index Report, shows fileless-based attacks rose by 94% between January and June. PowerShell attacks spiked from 2.5 attacks per 1,000 endpoints in May 2018 to 5.2 attacks per 1,000 endpoints in June. Ransomware remains popular, ranging from 5.6 to 14.4 attacks per 1,000 endpoints.
It is good to be prepared and ready for the next generation of threat vectors. As I have said before, remain up to date on your threat intelligence and get to know your “enemy” because they are never far away.
Caretower has a comprehensive ability to offer help and advice on threat intelligence and threat vectors. We are also leaders in providing realistic solutions on threat intelligence and intrusion prevention as well as threat intelligence training for your team.
MIET, MBCS, Security & GDPR Specialist