santiago silver - Fotolia

Cyber criminals increase use of fileless attacks

Fileless attacks are increasingly popular with cyber criminals, while Russia and China top the league of nation state data exfiltrators, threat data shows

With the exception of direct or raw IP addresses, cyber attacks using PowerShell, a legitimate administration tool, represent 5.65% of all threat vectors. This proportion increases to 9.24% of attacks when data exfiltration by country threats is excluded.

This is one of the key findings of the Q1 2019 Global threat statistics report by security firm BlackFog, based on threat statistics on a global basis during the first quarter of 2019 observed across Windows, Mac, Android and iOS clients.

With the increased sharing and sophistication of cyber criminal networks, working code is quickly exploited, resulting in an increase in the use of PowerShell and other fileless attacks, the report said.

These attacks use applications already installed in a computer and considered safe and do not need to use malicious software (malware) or files to initiate an attack.

Fileless malware attacks exist in a device’s memory and will typically access and inject malicious code into default Windows tools, such as PowerShell and Windows Management Instrumentation (WMI).

This makes fileless attacks difficult to prevent and detect because there is no detectable signature, enabling attacks to bypass malware signature-based or whitelist-based security systems.

However, the BlackFog statistics show that the lion’s share of attacks (48.8%) were associated with direct IP addresses, which provide an easy way for cyber criminals to obfuscate an attack and anonymise their location.

“Unfortunately, some legitimate applications still employ direct IPs instead of using common domain names,” the report said. “There is no reason this should be employed in a working application, unless the vendor is trying to also hide their actions.”

The dark web continues to provide a network for cyber criminals to steal data and evade detection, the data shows. This underground network is routinely used to transact and exchange data with other cyber criminals, representing 3.9% of attacks in the first quarter of 2019.

Other key threat contributors are spyware and ransomware, which contributed 2.6% to the total number of threats in the first quarter of 2019.

Darren Williams, founder and CEO of BlackFog, said that as technology and privacy converge, businesses and individuals must be vigilant in protecting their personal information.

“Our data clearly shows that cyber criminals and hackers are growing more sophisticated by the day,” he said, “increasingly leveraging complex techniques such as PowerShell and fileless attacks – making it critical that businesses and their employees deploy the right technologies to protect themselves from the current threats we are seeing.

“The fact is that hackers will always be able to get in – the key is to prevent them from taking any data out.”

In terms of nation-state data exfiltration threats, the data shows a significant focus by both Russia and China to exfiltrate data back to servers within their borders during the first quarter of 2019.

This represented 20% of total threats and 50% of threats by all other countries combined. Russia’s share was largest (15.5%), while China accounted for 4.1% of the global total, but this does not include anonymised, advertising or profiling servers, which BlackFog said would increase these numbers significantly.

Read more on Hackers and cybercrime prevention

Data Center
Data Management