Feb 15 2017

Kaspersky: Beware of “Fileless Attacks”

Security incidents are never easy to deal with, but time and again attackers have left traces on compromised computers that enable CISOs and IT teams to understand the intrusion, protect their networks against further attacks and, occasionally, to trace the attackers. These traces typically take the form of files on a hard drive that definitely don't belong there, which is exactly what conventional file-scanning anti-virus tools look for. Criminals, however, have figured out several methods to circumvent such detection. One of these methods is the so-called fileless attack, in which the malicious code lives only in a machine's memory and in places such as the Windows registry, never as an executable file on disk.

The concept itself isn't entirely new, but lately this type of attack has hit some 140 enterprises in 40 countries, says an alert from Moscow-based security firm Kaspersky Lab that was published via its Securelist outlet last week. According to the company's previous findings, such techniques were already employed in 2015 as part of the Duqu 2.0 attack that occurred during negotiations on the Iran nuclear deal. Because no malicious executable is written to the hard drive, forensic researchers have to examine a computer's main memory, together with its registry and network traffic, to see whether an attacker has left a mark. In-memory evidence disappears with a reboot, so an affected machine should be imaged before it is restarted or "cleaned".

According to last week's alert, Kaspersky first learned about the new rise in attacks when a bank's security team turned to them for help after discovering residues of the infamous Meterpreter payload in the physical memory of a domain controller. Kaspersky then took part in the forensic analysis and found that standard Windows technologies were used to move through the bank's servers, acquire administrative rights and steal confidential information: PowerShell scripts, the SC utility (which registers Windows services and can thus make a PowerShell one-liner start as a service) and the NETSH utility (which, among other things, configures port forwarding and can tunnel attacker traffic through a compromised host). Plaintext credentials and password hashes were harvested with Mimikatz. Meterpreter is the in-memory payload of the Metasploit Framework, a widely used open-source penetration-testing toolkit; Mimikatz is a separate open-source tool for extracting credentials from Windows memory, of which Metasploit ships a port as a Meterpreter extension. Both are legitimate tools that in this case were used for criminal purposes. Later on, the company polled its Kaspersky Security Network to determine how many organizations had been affected worldwide and ended up with the above numbers, noting that similar incidents had occurred in locations as diverse as the United States (21 cases), France (10), Ecuador (9), Kenya (8) and Russia (7).

Per Kaspersky's account, classic file-scanning anti-virus tools offer little protection against this kind of attack. Instead, IT departments will have to dig deeper and look for indicators of compromise in a Windows machine's RAM, its network traffic and its registry. To learn more, please refer to the Securelist alert.
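The registry and event-log part of such a hunt can be scripted. The following PowerShell script is an added example and is not code from Kaspersky's alert, from Metasploit or from this article. It looks for the residue the techniques above tend to leave on a Windows host: services whose binary path is a PowerShell command line (the typical result of SC.exe), PowerShell in autorun keys, persistent netsh portproxy forwards (stored under the PortProxy service key) and service-installation events (System log, ID 7045) that mention PowerShell, and it decodes any -EncodedCommand payload it finds. The regular expression and the notion of "suspicious" are the author's heuristics, not Kaspersky's published indicators; it assumes an elevated PowerShell session on the suspect host. Memory itself is out of scope here and still needs a memory image.

```powershell
# Added example, not code from the Kaspersky alert or this article.
# Assumptions: elevated PowerShell on the host under examination; the
# pattern below is a heuristic chosen by the author, not a published IOC.

# Things that rarely belong in a service binary path or an autorun value.
$Suspicious = '(?i)powershell|-e[a-z]*\s+[A-Za-z0-9+/=]{40,}|\biex\b|invoke-expression|downloadstring|frombase64string|-nop\b|-w(indowstyle)?\s+hidden'

function ConvertFrom-EncodedCommand {
    # -EncodedCommand (any prefix of the switch, e.g. -e or -enc) carries
    # UTF-16LE text as base64; return the decoded script or $null.
    param([string]$CommandLine)
    if ($CommandLine -match '-e[a-z]*\s+([A-Za-z0-9+/=]{40,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Source, [string]$Name, [string]$Value) {
    $findings.Add([pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Value   = $Value
        Decoded = ConvertFrom-EncodedCommand $Value
    })
}

# 1. Services created with SC.exe keep their ImagePath under the Services key,
#    so a service whose "binary" is powershell.exe stands out.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match $Suspicious) { Add-Finding 'Service' $_.PSChildName $img }
}

# 2. Classic autorun keys (machine-wide and for the current user).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PSPath, PSProvider, ...
        $val = [string]$p.Value
        if ($val -match $Suspicious) { Add-Finding "Autorun $key" $p.Name $val }
    }
}

# 3. "netsh interface portproxy" forwards persist here; on a server every entry
#    deserves an explanation, so all of them are reported.
$proxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
$proxy = Get-ItemProperty -Path $proxyKey -ErrorAction SilentlyContinue
if ($proxy) {
    foreach ($p in $proxy.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        Add-Finding 'PortProxy' $p.Name "listen $($p.Name) -> connect $($p.Value)"
    }
}

# 4. Service-installation events outlive a service the attacker deleted again.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Message -match $Suspicious) {
        Add-Finding 'Event 7045' $_.TimeCreated.ToString('u') ($_.Message -replace '\s+', ' ')
    }
}

if ($findings.Count -eq 0) { 'No PowerShell service/autorun residue, portproxy entries or matching 7045 events found.' }
else { $findings | Format-List }
```

Run it on the suspect machine before anyone reboots it, and treat every hit as a lead rather than a verdict: a decoded command that downloads and runs further code, or a portproxy entry nobody can account for, is what turns a lead into an incident. Network-side evidence (the tunnel endpoints and the hosts the forwards point at) should be pulled from the same findings and checked against firewall and proxy logs.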

