Ever heard of fileless attacks? In a fileless attack, malicious code gets a foothold on your server not by dropping a file or a document onto it, but by running entirely in the server’s RAM, abusing legitimate processes and vulnerabilities in the server software. Attackers get there through vulnerable web applications, specially crafted requests, and similar routes.
A fileless attack leaves little for a file scanner to find, since the malware never writes anything to the hard drive. It performs all of its malicious activity directly in RAM, and the code disappears when the system reboots, but by then the damage to your server has already been done. It does leave traces elsewhere, in memory, in the process list and in logs, which is where detection has to look. This type of threat is commonly referred to as an Advanced Volatile Threat (AVT).
Some of this code tampers with system files, some stages further payloads for other kinds of attack, and some opens a backdoor so that attackers can exploit other weaknesses on the server. Neither administrators nor security products that only scan files on disk are tuned for fileless attacks, which makes them hard to detect.
Fileless Malware Found On Various Operating Systems
On Windows servers, attackers actively use the pre-installed PowerShell to download and run malicious code, or fall back on BAT and VBS scripts. These techniques are now widespread because frameworks such as PowerShell Empire, PowerSploit and the Metasploit Framework package them ready to use.
On Linux, most common distributions such as CentOS, Ubuntu and Debian ship with interpreters for Python and Perl and often a C compiler; leaving these on a production server that does not need them is bad practice. Many hosting servers also have PHP installed because of its huge popularity. Fileless attacks use these interpreters to run code without ever dropping a binary.
How Fileless Malware Survives on Linux
On Linux, the simplest way for fileless malware to run code from RAM is to use shared memory: a block of RAM that is pre-mounted in the file system as a tmpfs. By placing an executable in /dev/shm or /run/shm, an attacker can run it directly from RAM, because these directories are nothing more than shared memory; a file written there never reaches the disk.
However, the contents of these directories can be listed with ls just like any other directory, so the payload is easy to spot. Moreover, hardened systems mount them with the noexec flag, which stops the kernel from executing binaries placed there (an interpreter can still read a script from them, so noexec is a hurdle rather than a wall). More intricate fileless malware therefore uses, for example, the memfd_create system call (from C, or from any language that can issue raw system calls): it creates an anonymous file that exists only in memory and is reachable solely through /proc/<pid>/fd/<n>, a path that can be handed straight to execve().
Interpreted languages such as Perl and Python, which are widely used in web hosting, also offer access to system calls: Perl has a built-in syscall() function, and Python can reach libc’s syscall() through ctypes (and, since 3.8, exposes memfd_create directly in the os module). PHP, which is even more popular, has no built-in way to issue system calls, but there are old tricks that make the required calls available even from PHP.
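The two mechanisms described above, staging a payload in memory and then executing it without any file on disk, together with the checks a defender would run against them, as an added example (this code is not from the original article or from Plesk). It assumes a Linux kernel with memfd_create (3.17 or later), Python 3 with ctypes, and /bin/sh; the payload and the sample /proc/self/mounts lines are constructed for the demonstration, and the names memfd_create, stage_in_memory, run_from_memory, find_memfd_users, mount_options and demo are this example’s own.

```python
import ctypes
import os
import subprocess

PAYLOAD = b"#!/bin/sh\necho fileless-hello\n"  # constructed, harmless demo payload

# Constructed /proc/self/mounts sample showing a hardened (noexec) /dev/shm.
SAMPLE_MOUNTS = (
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n"
)

def mount_options(mountpoint, mounts_text=None):
    """Options of `mountpoint` from /proc/self/mounts (fields: device mountpoint
    fstype options dump pass), e.g. ['rw', 'noexec']. Reads the live file unless
    a captured copy is passed in."""
    if mounts_text is None:
        with open("/proc/self/mounts") as f:
            mounts_text = f.read()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return fields[3].split(",")
    return []

def memfd_create(name):
    """Anonymous RAM-backed file (Linux >= 3.17) with no path on any mount, so a
    noexec /dev/shm is irrelevant. Older Pythons lack os.memfd_create; then the
    libc wrapper is called via ctypes, the same route Perl/Python payloads use."""
    if hasattr(os, "memfd_create"):
        return os.memfd_create(name, os.MFD_CLOEXEC)
    libc = ctypes.CDLL(None, use_errno=True)
    fd = libc.memfd_create(name.encode(), 1)  # 1 == MFD_CLOEXEC
    if fd < 0:
        raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))
    return fd

def stage_in_memory(script):
    """Write the payload into a memfd and return the descriptor. /proc shows it
    as '/memfd:payload (deleted)': the only trace, and one a disk scanner skips."""
    fd = memfd_create("payload")
    os.write(fd, script)
    return fd

def run_from_memory(script):
    """Execute the staged payload via execve('/proc/self/fd/<n>') and return its
    stdout. Works for ELF binaries and '#!' scripts alike: the kernel reopens
    the memfd inode for the interpreter, so nothing ever touches disk."""
    fd = stage_in_memory(script)
    try:
        # pass_fds keeps the memfd open and inheritable across fork/exec, so
        # the child resolves /proc/self/fd/<fd> against its own fd table.
        proc = subprocess.run([f"/proc/self/fd/{fd}"], capture_output=True,
                              check=True, pass_fds=[fd])
    finally:
        os.close(fd)
    return proc.stdout.decode()

def find_memfd_users(proc_root="/proc"):
    """Defender side: (pid, where, target) for every memfd visible in /proc, via
    /proc/<pid>/exe (ELF run from a memfd) and /proc/<pid>/fd/*. Without root,
    other users' processes raise EACCES and are skipped."""
    hits = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
            if exe.startswith("/memfd:"):
                hits.append((int(pid), "exe", exe))
            for fd in os.listdir(f"{proc_root}/{pid}/fd"):
                target = os.readlink(f"{proc_root}/{pid}/fd/{fd}")
                if target.startswith("/memfd:"):
                    hits.append((int(pid), f"fd/{fd}", target))
        except OSError:
            continue  # process exited, or not ours to inspect
    return hits

def demo():
    """Attacker and defender views side by side, returned for inspection."""
    fd = stage_in_memory(PAYLOAD)
    try:
        me = os.getpid()
        result = {
            "proc_link": os.readlink(f"/proc/self/fd/{fd}"),
            "scanner_hit": any(pid == me and target.startswith("/memfd:payload")
                               for pid, _, target in find_memfd_users()),
        }
    finally:
        os.close(fd)
    result["output"] = run_from_memory(PAYLOAD)
    result["shm_noexec"] = "noexec" in mount_options("/dev/shm")
    return result

if __name__ == "__main__":
    print(demo())
```

Run it as root to see every process; as an ordinary user find_memfd_users only inspects your own. The point of the defender half is that the payload never appears under /dev/shm, /tmp or anywhere a file scanner looks, but the /proc/<pid>/fd and /proc/<pid>/exe links give it away while the process is alive. Note also that "noexec" on /dev/shm only blocks execve() of a binary placed there; `python /dev/shm/x.py` still runs, which is why the mount flag alone is not a defence.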
Fileless Attacks Are Increasing
Research published by the Ponemon Institute in 2018 predicted that fileless attacks would keep growing and make up about 35% of all cyberattacks worldwide, with a corresponding decline in conventional file-based attacks.
Fileless attacks are particularly dangerous in the corporate world, because fileless malware is especially effective once it is resident in the RAM of servers that run 24/7, 365 days a year and are rarely rebooted. Fileless attacks can hit any organization. One example is the Democratic National Committee in the US in mid-2016: an attacker operating under the name Guccifer 2.0 planted fileless malware in the Committee’s systems and gained access to 19,252 emails and 8,034 attachments. The court filing from the District Court for the District of Columbia states that PowerShell scripts were used to compromise the Committee’s Microsoft Exchange Server.
This intrusion resulted in the publication of a series of revelations that ended up hindering Hillary Clinton, Donald Trump’s rival at the time.
How to protect against Fileless attacks
Cybersecurity experts recommend the following measures to withstand the threat of fileless malware intrusion:
- A company that wants to protect its corporate cyber security has to be cyber-resilient, and therefore stay informed about new kinds of attacks.
- Lock down scripting engines such as PowerShell, because fileless malware actively abuses them. Removing PowerShell outright is rarely practical on a modern Windows server, but you can configure it so that an attacker gains little from it: enable script block logging, remove the legacy PowerShell 2.0 engine (which lacks that logging), and apply Constrained Language Mode or application control where you can.
- Use security solutions adapted to detect malicious code not just on the file system, but also in RAM and in running processes.
- Beware of macros. Office macros are present on practically every workstation and are a common entry point for fileless malware. As with scripting languages, companies don’t necessarily need to give up on all macros, but they do need to control where they are allowed to run.
Fileless Attack Prevention Advice – From the Experts
Reputable sources on protection against fileless attacks stress that you need to “Keep your software up to date. As inconvenient as they can be, software updates are usually done to patch critical security vulnerabilities.” It’s one of the best practices for fileless malware protection.
As far as Microsoft products are concerned, Comparitech tells us how to stop fileless malware: “The main defense against any type of malware is to keep your software up to date. As Microsoft has been very active in taking steps to block the exploitation of PowerShell and WMI, installing any updates from Microsoft should be a priority.”
Ilia Kolochenko, CEO and founder of High-Tech Bridge, speaks about the risk of not keeping web applications up to date:
“It’s a very colorful, albeit very sad, example of how a vulnerability in a web application can lead to disastrous consequences for an entire company, its customer base and beyond. Today, almost any critical data is handled and processed by web applications, but cybersecurity teams still seriously underestimate the risks related to application security.
Most companies don’t even have an up-to-date application inventory. Without knowing your assets, you won’t be able to protect them. Many global companies still rely on obsolete automated solutions and tools for their application security, while cybercriminals are already using machine learning in their attacks when targeting and profiling the victims.”
Our cybersecurity experts at Plesk also stress the importance of installing updates promptly and regularly, whether for your operating system, hosting server software, web applications or CMS plugins. Right now, it’s the best way to protect against fileless attacks. Have a look at our Change Log for the latest information on released Plesk updates and their installation procedure.