Skip to content
Virus-free

“Malware-free” attacks mount in big breaches, CrowdStrike finds

Stolen credentials, exploits of command-line tools used in 66 percent of attacks.

Sean Gallagher | 23
Hacker stock photos FTW. Credit: Thinkstock Photos
Hacker stock photos FTW. Credit: Thinkstock Photos
Story text

Despite the rise of massive crypto-ransomware attacks, an even more troubling trend emerged in data gathered by the security firm CrowdStrike this past year and published in the company’s 2017 “Intrusion Services Casebook.” The majority of attacks the company responded to did not leverage file-based malware but instead exploited a combination of the native software of victims’ systems, memory-only malware, and stolen credentials to gain access and persist on the targeted networks. And the average attack persisted for 86 days before being detected.

“We found that 66 percent of the attacks we had investigated were file-less or malware free,” said Bryan York, director of services at CrowdStrike, in an interview with Ars. “These attacks had either leveraged some sort of compromised credentials or some sort of malware that runs in memory only.”

Some of these attacks used malware that was implanted in the memory of a targeted system by exploiting a software vulnerability on a system reachable from the Internet as a beachhead, or they used poorly configured Web systems to gain access—and then in some cases leveraged Windows features such as PowerShell or Windows Management Instrumentation (WMI) to establish persistent backdoors and spread laterally throughout targeted networks without leaving a malware footprint detectable by traditional antivirus screening. “Obviously, memory-only malware is pretty challenging to protect against,” York said.

Some of these attacks have blurred the distinction between criminal activity and state-actor attacks—largely, York said, because of the awareness of tactics used by state actors filtering into the criminal hacking community thanks to factors such as the Shadowbrokers leak of NSA tools. This problem obviously extends to malware-based attacks, as demonstrated by ransomware attacks this year that used self-propagation methods based on tools from the Shadowbrokers leaks.

In some cases, malware was used only as a “dropper” to introduce memory-only malware. In one incident reported by CrowdStrike, a malicious email attachment launched a PowerShell script that created a persistent simple backdoor. PowerShell commands were then used “to push out a memory-only Metasploit implant,” CrowdStrike researchers wrote in the 2017 Casebook report. “Tracing backward, it became apparent that this PowerShell code stub had been pushed to all point-of-sale (POS) systems on the client’s network of more than 14,000 systems and 160 controllers. Further review of the implant revealed it to be RAM-scraping malware.”

Other “malware free” attacks didn’t need that level of technical sophistication—they exploited remote access tools, such as Remote Desktop Protocol servers or virtual private network connections, to gain access to victims’ networks, or they attacked externally accessible Web mail portals or cloud applications—often using credentials stolen through phishing or spear phishing attacks or other social engineering methods.

“One of the things I saw this year was an uptick, when it comes to wire fraud, in leveraging compromised credentials to log in to Office 365 and Outlook Web Access systems,” York said. “Often they start from some sort of a phishing exercise where they steal someone’s credentials. That’s a huge trend in wire fraud—last week, a client lost $3 million in a series of three transactions in that sort of attack.”

The most common initial attack methods in the more than 100 cases CrowdStrike responded to in 2017—vulnerable Web services led the pack.

In the more than 100 cases that CrowdStrike investigated this year, the company’s investigators found that attackers had an average “dwell time”—the time between their initial compromise of a network and their detection—of 86 days. “That’s a downtrend,” York noted. “Last year we were somewhere in the hundreds of days before detection”—a figure similar to those reported by other researchers.

The decrease in dwell time is indicative of the results of greater investments internally by companies in technology and staff dedicated to monitoring for malicious activity. That’s also reflected in the higher percentage of attacks that were detected by the targeted organizations themselves—68 percent, up 11 percent from last year’s CrowdStrike figures. But there are still cases where attackers have been inside networks for many months (or even years) before the compromises were detected, and a significant percentage of attacks are still only uncovered through notification by a third party—a customer, a bank, a payment processing company, or law enforcement.

Listing image: Thinkstock Photos

Photo of Sean Gallagher
Sean Gallagher IT Editor Emeritus
Sean was previously Ars Technica's IT and National Security Editor. After over 20 years in technology journalism, including over 9 at Ars, he pivoted to cybersecurity threat research, first at Sophos and now as a security research engineer at Cisco ‘s Talos Intelligence Group. A former Navy officer, he lives and works in Baltimore, Maryland.
23 Comments
Prev story
Next story