Attacks using Microsoft Office macros can be thwarted by turning off the macro functionality. In fact, it's off by default, says Tod Beardsley, research director at Rapid7 LLC. Users have to specifically agree to enable the macros in order to open these infected documents. "Some percentage of people will still open it, especially if you're spoofing someone already known to the victim," he says.
The recent Equifax breach is also an example of a fileless attack, according to Satya Gupta, founder and CTO at Virsec Systems, Inc. It used a command injection vulnerability in Apache Struts, he says. "In this type of attack, a vulnerable application does not adequately validate users’ input, which may contain operating system commands," he says. "As a result, these commands can get executed on the victim machine with the same privileges as those of the vulnerable application."
"This mechanism totally blindsides any anti-malware solution that is not looking at the application’s execution path to determine if the application is not executing its natural code," he adds. Patching would have prevented the breach, since a patch was released in March.
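The flaw described above for the Struts case, in its simplest form: a program that concatenates user input into a string that a shell parses, next to a version that validates the input and passes it as a single argument with no shell. This is an added example, not code from the article or from any product mentioned in it; the function names, the `ping` wrapper and the hostname rule are assumptions chosen for illustration.

```python
"""Command injection: unsafe string building vs. validated argv without a shell.
Added example; the hostname rule and helper names are assumptions."""
import ipaddress
import re
import subprocess

# Conservative hostname rule (RFC 1123 style labels); an assumption for this example.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def unsafe_shell_command(host: str) -> str:
    """The vulnerable pattern: user input concatenated into a command string that
    would be handed to a shell (shell=True). Returned rather than run, so the
    shell metacharacters in the input can be inspected instead of interpreted."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Accept only a literal IP address or a syntactically valid hostname.
    Anything else, including shell separators such as ';' or '|', is rejected."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host argument: {host!r}")


def safe_ping_argv(host: str) -> list:
    """Hardened form: validated input placed in one argv element. With no shell
    involved, the operating system passes the string to ping literally."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    """Run the hardened command (shell=False) and return ping's exit status."""
    return subprocess.run(safe_ping_argv(host), check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: a benign host and one carrying a shell separator.
    print(unsafe_shell_command("203.0.113.5; echo injected"))  # string a shell would split
    print(safe_ping_argv("203.0.113.5"))
    try:
        safe_ping_argv("203.0.113.5; echo injected")
    except ValueError as exc:
        print("blocked:", exc)
```

The two defences are independent: validation narrows the input to what the feature actually needs, and avoiding the shell means that even an input that slips past validation is never parsed for separators, pipes or substitutions. Neither substitutes for patching the vulnerable component itself, which is the point the article makes about the March fix.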
Earlier this year, a fileless attack infected more than 140 enterprises, including banks, telecoms, and government organizations in 40 countries. Kaspersky Labs found malicious PowerShell scripts in the registry on their enterprise networks. According to Kaspersky, detection of this attack was only possible in RAM, network and registry.
Another high-profile fileless attack, according to Carbon Black, was the hack of the Democratic National Committee. For attackers looking to stay undetected as long as possible, fileless attacks help them stay under the radar.
"We have observed a number of cyber espionage actors leveraging this technique in attempts to evade detection," says FireEye's Kittner. Recent attacks include those by Chinese and North Korean teams, she says.
A new commercial application of fileless attacks is to use infected machines to mine Bitcoin. "Crypto miners are trying to run miners loaded directly into memory, using Eternal Blue to spread hundreds of thousands of miners throughout a company," says Eldon Sprickerhoff, founder and chief security strategist at eSentire Inc.
The difficulty of mining Bitcoins has been increasing over time, much faster than the increase in the value of the virtual currency. Bitcoin miners have to buy specialized hardware and cover the electric bills, so it's getting very difficult to make a profit. By hijacking corporate PCs and servers, they can eliminate both of those costs.