Cyber criminals are continuing to hide in plain sight by moving laterally in leveraging non-malware attack methods against financial services targets.
PowerShell (89 percent), Windows Management Instrumentation - WMI (59 percent) and Secure File Transfer Protocol - SSH (28 percent) were the top three 'good tools' attackers leveraged nefariously to target financial institutions, according to our recent survey.
These 'non-malware (or fileless) attacks now account for more than 50 percent of successful breaches. With non-malware attacks, attackers use existing software, allowed applications and authorised protocols to carry out malicious activities. Non-malware attacks are capable of gaining control of computers without downloading any malicious files, hence the name. Non-malware attacks are also referred to as fileless, memory-based or 'living-off-the-land' attacks.
With such attacks, an attacker is able to infiltrate, take control and carry out objectives by taking advantage of vulnerable software that a typical end user would leverage on a day-to-day basis (think web browsers or Office-suite applications). Attackers will also use the successful exploit to gain access to native operating system tools (think PowerShell or Windows Management Instrumentation - WMI) or other applications that grant the attacker a level of execution freedom.
These native tools grant users exceptional rights and privileges to carry out the most basic commands across a network that lead to valuable data.
Non-malware attacks leverage a robust suite of tactics and techniques to penetrate systems and steal data without using malware at all. They have grown in prevalence in recent years as attackers have developed ways to launch these attacks at large scale.
An attack example follows:
- A user visits a website using Firefox, perhaps driven there from a cleverly disguised spam message.
- On this page, Flash is loaded. Flash is a common attack vector due to its seemingly never-ending set of vulnerabilities.
- Flash invokes PowerShell, an operating system (OS) tool that exists on every Windows machine, and feeds it instructions through the command line-all operating in memory.
- PowerShell connects to a stealth command and control server, where it downloads a malicious PowerShell script that finds sensitive data and sends it to the attacker. This attack never downloads any malware.
Some leading attack campaigns have leveraged non-malware attack vectors to carry out nefarious actions. A leading data security vendor reports that almost every customer (as high as 97 percent) was targeted by a non-malware attack during each of the past two years. Their ubiquity is clear and growing.
There is a common theme why cybercriminals are increasingly leveraging non-malware attacks: they are following the path of least resistance.
Financial institutions are not immune. The silver lining here is that awareness of malicious usage for tools such as PowerShell has never been higher. The fact that 90 percent of CISOs reported seeing an attempted attack leveraging PowerShell is a good thing. Not seeing such attempted attacks means the attacker has remained hidden.
Cyber security vendors are supporting the financial services industry (and other sectors) by issuing reports on the changing landscape of cyber crime and how to arm an institution against a breach. CISOs are advised to seek out these reports.