For malware, the future is fileless.
Malwarebytes Labs released their 2019 security predictions Nov. 27, and followed up with another report, ‘Under the Radar — The future of undetected malware,’ on Wednesday. That report delves into the rapid rise of fileless malware and the difficulties of stopping it.
Staring down 2019’s most alarming cybersecurity threats won’t be the most festive thing you do this holiday season. But dodging cyber bullets is a gift, so the Business Journal talked with Malwarebytes Labs Director Adam Kujawa about what to watch for, and to Gene Stevens, CTO and co-founder of Colorado-based ProtectWise, for more predictions.
Among major threats, fileless malware looms large.
Fileless malware was estimated to account for 35 percent of all attacks in 2018, according to Malwarebytes’ ‘Under the Radar’ report, and is 10 times more likely to succeed than file-based attacks.
Here’s why hackers love it: To maximize profits, they need their malware to evade detection for as long as possible, and then to survive as long as possible after it’s discovered. Fileless malware is excellent at doing both.
“‘Under the Radar malware’ is a term we are using to describe malware and their associated attacks that are either very difficult to detect or very difficult to completely remove,” Kujawa said via email. “The danger of these types of threats is that they use sophisticated tools and tactics that put their potential damage and hiding ability somewhere between your regular malware (that is easy to detect and remove) and state-sponsored malware, developed by government organizations for the sake of disruption and espionage, where it’s often incredibly difficult to even identify their presence on a network.”
‘Wired’ describes fileless malware as “super stealthy,” and Kaspersky Labs calls it a “disembodied threat.”
With fileless malware, the malicious code executes entirely within the machine’s volatile memory, hiding in places like the system registry, running processes and service areas, and leaving no trace on the file system.
“Such an approach makes the malware considerably harder to detect, and, after the system is rebooted, very hard to trace,” a Kaspersky report said.
That’s because traditional anti-malware strategies involve scanning hard drives in search of malicious files, then flagging them for removal. It’s a plan that can’t work when there’s no file to find.
If regular malware is like a noisy and active ground cricket, Kujawa said, think of fileless malware like mosquitoes — they’re “hard to see, hurt when they hit you and are difficult to catch at times.”
The reason fileless malware attacks are on the rise, he said, “is because many security vendors today only look for spiders or ants or crickets, the attacks that ‘play by the rules,’ if you will.”
By contrast, fileless attacks “circumvent a lot of security solutions that fail to look at what is flying around them instead of what is in front of them,” he said. “Bad guys know this and they are doubling down.”
All industries are at risk.
“At the end of the day, if somebody thinks you have something valuable that they want, they will target you,” Kujawa said, “otherwise it’s a matter of attack of opportunity, where they identify misconfigurations or unpatched systems that can be used to attack the organization.”
The report gives examples of the damage next-generation malware can do.
In October, Emotet was used to spread the Ryuk ransomware throughout the network of the Onslow Water and Sewer Authority in North Carolina, and the city of Atlanta has projected it will spend $2.6 million on ransomware recovery following a SamSam attack that destabilized municipal operations in March.
The main shortcomings in traditional security solutions are that they:
• Only look for traditional data and on-disk malware files, when they should be monitoring network traffic as an indicator of compromise;
• Rely too heavily on human-created signature-based detection to identify threats based on previous malware code, missing new malware iterations; and
• Fail to watch process memory, so they miss signs that attackers are using that process memory to hide network traffic or the malware itself.
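The three shortcomings above can be made concrete with a small comparison. The Python below is an added example, not code from Malwarebytes, ProtectWise or the report: it runs a hash-based on-disk scan and a memory-plus-network check over a handful of constructed process records (the field names, hashes and addresses are assumptions made for the illustration, not any product's schema) and shows that the file scanner catches a conventional dropper but misses the process executing code that no file on disk backs, which the behavioural check flags and raises in severity because that process is also talking to the network.

```python
"""Contrast an on-disk signature scan with an in-memory/network check.

Added illustration; not code from Malwarebytes, ProtectWise or the report.
All records, hashes and addresses below are constructed for the example.
"""
import hashlib

# Constructed "known-bad" file hashes: the kind of signature list a
# traditional scanner compares on-disk files against.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-malicious-binary").hexdigest(),
}

# Constructed endpoint telemetry, one record per running process (assumed schema):
#   image_bytes      - bytes of the executable file on disk that a scanner would hash
#   memory_only_code - process has executable memory not backed by any file on disk
#   outbound_hosts   - remote addresses the process has connected to (TEST-NET values)
EVENTS = [
    {"pid": 101, "name": "explorer.exe", "image_bytes": b"benign-shell",
     "memory_only_code": False, "outbound_hosts": []},
    # Conventional dropper: a malicious file sits on disk, so a hash match works.
    {"pid": 202, "name": "dropper.exe", "image_bytes": b"constructed-malicious-binary",
     "memory_only_code": False, "outbound_hosts": ["198.51.100.7"]},
    # Fileless case: the on-disk image is the legitimate service host, but the
    # process is running code that exists only in memory and is beaconing out.
    {"pid": 303, "name": "svchost.exe", "image_bytes": b"benign-service-host",
     "memory_only_code": True, "outbound_hosts": ["203.0.113.5"]},
    {"pid": 404, "name": "svchost.exe", "image_bytes": b"benign-service-host",
     "memory_only_code": False, "outbound_hosts": []},
]


def disk_signature_scan(events, bad_hashes=KNOWN_BAD_SHA256):
    """Traditional approach: hash what is on disk and flag known-bad hashes.

    Returns the PIDs whose on-disk image matches the signature list.
    """
    hits = []
    for ev in events:
        if ev["image_bytes"] is None:
            continue  # nothing on disk to hash
        digest = hashlib.sha256(ev["image_bytes"]).hexdigest()
        if digest in bad_hashes:
            hits.append(ev["pid"])
    return hits


def memory_and_network_scan(events):
    """Behavioural approach: flag processes executing code that no file on
    disk backs, and raise severity when the same process talks to the network.

    Returns one finding per flagged process.
    """
    findings = []
    for ev in events:
        if not ev["memory_only_code"]:
            continue
        severity = "high" if ev["outbound_hosts"] else "medium"
        findings.append({
            "pid": ev["pid"],
            "name": ev["name"],
            "severity": severity,
            "reason": "executable memory not backed by an on-disk file",
            "outbound_hosts": list(ev["outbound_hosts"]),
        })
    return findings


def missed_by_disk_scan(events):
    """PIDs the behavioural check flags that the disk scanner did not."""
    disk_hits = set(disk_signature_scan(events))
    return [f["pid"] for f in memory_and_network_scan(events) if f["pid"] not in disk_hits]


if __name__ == "__main__":
    print("disk signature hits:", disk_signature_scan(EVENTS))
    for f in memory_and_network_scan(EVENTS):
        print("behavioural finding:", f)
    print("missed by disk scan:", missed_by_disk_scan(EVENTS))
```

The disk scan reports only PID 202; the memory check reports PID 303 at high severity, which is exactly the process the file-oriented approach never sees because its on-disk image is clean.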
“The danger here is simple,” the report said. “More fileless malware equals more stealthy infections, and more stealthy infections equals longer periods of time before the infection is found out, allowing the attackers to do the maximum amount of damage to a system or network, be it for spying, ransoming or some other nefarious purpose.”
Kujawa said the world is at a crossroads in cybercrime that’s similar to the period when encrypting ransomware surged.
“Today there might only be a few families of malware that we call fileless or hard to remediate, however it is the new normal — and everyone needs to be ready for a fight,” he said.
Malwarebytes’ other security predictions for 2019 include:
The spread of IoT botnets: There’ll be large scale compromises of routers and IoT devices for everything from cryptomining to Trojans — and these devices are much harder to patch than computers.
More — and more sophisticated — digital skimming: Cybercriminals are going after websites that process payments and compromising checkout pages directly, intercepting information in real time.
New zero-day attacks on Microsoft Edge: Firefox and Chrome have done a lot to shore up their own technology, making Edge the next big target as it gains more market share.
Soundloggers and other attacks designed to avoid detection: Originally developed by nation-state actors, these attacks (which interpret the cadence and volume of tapping to determine which keys are struck on a keyboard) will hit businesses next.
ProtectWise’s report highlighted other trends we can expect in 2019.
The number of publicly announced supply chain attacks will continue to climb, becoming much more common against small and large organizations alike.
“Supply chain attacks are hard to guard against because they target your supply chain partner’s assets, not your own,” Stevens said. “You cannot control how your partner manages their network. This leaves your company in a position where you must protect yourself against someone you need to trust. And these days, attackers have more resources than ever before and can effectively target supply chains.”
Incidents involving the Internet of Things and Bring Your Own Device are also expected to increase.
“Effective BYOD risk management is very difficult to execute,” Stevens said. “Fundamentally, the organization does not own these devices — its employees do. And the more robust a plan is, the more likely it is to be resisted by employees as an intrusive technology. This leads to businesses underinvesting in planning and execution.
“There are a number of basic things you can do: implement strong encryption policies, enforce strong authentication controls, implement password management solutions, disable devices’ ability to automatically join networks, update these devices frequently, and partition these devices from the rest of your network. Ultimately, be sure to focus on evaluating devices and technologies for support of these concerns as part of the buying process.”
Talent shortages and hiring will continue to be the primary challenge for security teams. But businesses aren’t helpless. Stevens outlined his takeaways:
“Defend your perimeter as best you can, but also be sure to use technology that helps detect and respond to what is blocked,” he said. “Focus on the endpoint devices you can manage, but accept that you can only really control a subset of those. And focus on the network transactions themselves where you can non-disruptively secure a much larger surface. Fundamentally, hire a good team and focus on automation.”