Carbon Black recently published a report on the latest non-malware attack methods, and how to counteract them. For more information about how Cb Defense, Carbon Black’s NGAV + EDR solution, helps enterprises address their endpoint security challenges, check out our weekly Cb Defense Live Demo, every Wednesday at 2PM EST, 11AM PST.
Modern Bank Heists
Cyberattacks & Lateral Movements in the Financial Sector
Non-Malware Attack Methods
Cybercriminals are continuing to hide in plain sight and move laterally leveraging nonmalware attack methods. PowerShell(89%), Windows Management Instrumentation – WMI (59%) and Secure File Transfer Protocol – SSH (28%) were the top three “good tools” attackers leveraged nefariously to target financial institutions, according to our survey.
These “non-malware” (or fileless) attacks now account for more than 50% of successful breaches. With non-malware attacks, attackers use existing software, allowed applications and authorized protocols to carry out malicious activities. Non-malware attacks are capable of gaining control of computers without downloading any malicious files, hence the name. Non-malware attacks are also referred to as fileless, memory-based or “living-off-the-land” attacks.
With non-malware attacks, an attacker is able to infiltrate, take control and carry out objectives by taking advantage of vulnerable software that a typical end user would leverage on a day-to-day basis (think web browsers or Office-suite applications). Attackers will also use the successful exploit to gain access to native operating system tools (think PowerShell or Windows Management Instrumentation – WMI) or other applications that grant the attacker a level of execution freedom.
These native tools grant users exceptional rights and privileges to carry out the most basic commands across a network that lead to valuable data.
Non-malware attacks leverage a robust suite of tactics and techniques to penetrate systems and steal data without using malware at all. They have grown in prevalence in recent years as attackers have developed ways to launch these attacks at large scale.
- A user visits a website using Firefox, perhaps driven there from a cleverly disguised spam message.
- On this page, Flash is loaded. Flash is a common attack vector due to its seemingly never-ending set of vulnerabilities.
- Flash invokes PowerShell, an operating system (OS) tool that exists on every Windows machine, and feeds it instructions through the command line—all operating in memory.
- PowerShell connects to a stealth command and control server, where it downloads a malicious PowerShell script that finds sensitive data and sends it to the attacker. This attack never downloads any malware.
Some leading attack campaigns have leveraged non-malware attack vectors to carry out nefarious actions. Almost every Carbon Black customer (97%) was targeted by a non-malware attack during each of the past two years. Their ubiquity is clear and growing.
There is a common theme why cybercriminals are increasingly leveraging non-malware attacks: they are following the path of least resistance. Financial institutions are not immune. The silver lining here is that awareness of malicious usage for tools such as PowerShell has never been higher. The fact that 90% of CISOs reported seeing an attempted attack leveraging PowerShell is a good thing. Not seeing such attempted attacks means the attacker has remained hidden.
Listen to our security experts at Carbon Black and Network Security Engineer Christopher St. Amand at PeoplesBank during a recent webinar where we discussed the benefits of cloud-based security platforms and how they apply to your specific needs.
Thanks for joining us as we explored “Modern Bank Heists,” our report on the changing landscape of cybercrime in the financial sector and how to arm your institution against a breach. You can click here to get a copy of the full report. Join us next week as we continue to profile this report.