Malware-Free Cyberattacks Are on the Rise; Here's How to Detect Them

Published: 23/11/2024   Category: security




Last year, 71% of enterprise breaches were pulled off quietly, with legitimate tools, research shows.



RSA CONFERENCE 2023 – San Francisco – With little more than smart reconnaissance and existing tools, adversaries are increasingly capable of compromising an enterprise network without making any noise or leaving a trace behind.
In fact, according to CrowdStrike CEO George Kurtz and president Michael Sentonas, 71% of enterprise cyberattacks in calendar year 2022 were done without malware.
At this year's RSA Conference, Kurtz and Sentonas returned to the keynote stage to walk the audience through a case study of just how easily a threat actor can not only penetrate a network but also move laterally and persist without making a ripple, illustrating in stark terms the challenge security teams face in detecting, let alone mitigating, malware-less compromises.
The two profiled the Spider cybercrime group from the stage as a textbook example of the phenomenon.
"They're very well prepared, and they are very well resourced," Sentonas explained. "And they really like to leverage existing tools; there's no need to get fancy if you can just blend in."
First, Spider runs an in-depth intelligence-gathering effort. Kurtz said his team was able to establish that the threat actor spent more than an hour on the phone with the victim company's help desk, trying to pick up any detail that could fuel the next phase of social engineering.
Once they have a specific user in their sights, Spider places a voice call informing the user that their credentials have been compromised. The victim is then sent a malicious link and prompted to enter not just their login details but also their multifactor authentication (MFA) code. Once the user has handed those over, Spider is off and running.
"We call that the layer A problem," Kurtz joked, about the user handing over the goods. "It's between the chair and the keyboard."
Spider then uses the Tails operating system and Evilginx2 to capture the user's credentials and MFA session, and with that access sets up an AnyDesk account controlled by the attackers. AnyDesk remains a popular remote desktop tool among threat actors, Kurtz added.
Spider also uses dedicated machines that hide its identity, and runs its tooling on its own hardware as much as possible to avoid detection. "It could be from anywhere," Sentonas said. "It blends in because it's not going to come from some crazy domain."
Other infrastructure, such as a DigitalOcean Droplet (a cloud virtual machine), fills out the attack chain. Ultimately, Kurtz and Sentonas explained, the Spider attack ends with the actor persistently established on the network under user accounts of their own, free to exfiltrate data at will. And importantly, Sentonas noted, if the threat actor can get into the on-premises network, the cloud directory is likely to sync with it and become compromised as well.
Sentonas and Kurtz also wanted to disabuse the audience of the notion that threat actors need full admin access to set up new users. They don't: Sentonas showed exactly how delegated permissions alone could allow an attacker to move freely about the company's customer relationship management system and to add themselves as a SQL Server admin.
In the past couple of quarters, CrowdStrike has been dealing with about one enterprise per week reeling from this type of malware-free cyberattack, Sentonas said.
When it comes to defending the enterprise, signature-based malware detection, including the malware-detection side of endpoint detection and response (EDR), isn't terribly useful against malware-free cyberattacks. There's simply no malicious code to detect; every action in the chain is something a legitimate administrator might also do.
Instead, Kurtz and Sentonas urged enterprises to focus on gathering as much telemetry as possible, from the endpoint to the cloud, and on managing identity down to the smallest detail.
But gathering all that telemetry and identity data leaves teams with vast oceans of information that is not, on its own, usable for threat hunting. That is where artificial intelligence (AI) and machine learning (ML) can be meaningfully deployed: to look for anomalous activity, such as newly added user accounts, privilege changes, and remote-access tools appearing on endpoints, and so detect malicious activity even when there is no malicious code.
It's also important to protect the enterprise MFA service itself from compromise, they added, since the attack chain above begins by tricking the user into surrendering an MFA response.
"Maintain good identity store hygiene," Sentonas said. "And protect the services you use for MFA."
