Detecting and Stopping Fileless Attacks

Virsec has gained the attention of several technology analysts and the press for our unique ability to detect file-less attacks. You can view these recently published articles here. This heightened market awareness comes on the heels of the CRN announcement at RSA 2018 recognizing Virsec as one of the few vendors who “does a good job in detecting the entire range of fileless attacks.” The cybersecurity industry has been focused on fileless attacks for some time now, so it is natural for people to muse over how Virsec’s solution guards against these attacks and what makes us fundamentally different from other vendors, like EDR and EPP, in this space.

In discussing fileless attacks, I think it first warrants a bit of education around the term ‘fileless.’ Virsec protects server-side applications, which is what we focus on in this discussion. In our view, fileless attacks or fileless malware stem from the intent of the attacker to launch tool kits or malicious code directly from memory in an effort to get in without placing any malware on the system. Fileless attacks on a server typically exploit a vulnerability in Webservers, such as the Apache Struts vulnerability, to gain initial entry. Once the initial compromise is done, system tools are used to dump passwords (Mimikatz, etc), that allow greater and easier privileged access and control. The attacker can then use methods like Remote Desktop Protocol (RDP) to move laterally to land on the most high-value server assets in order to affect services and exfiltrate data.

In attempts where attackers may employ Mimikatz or Spectre methods to mine passwords, a typical whitelisting solution commonly employed for server protection would not detect anything amiss, given that valid system tools, registries and files were used. Cybercriminals can effectively introduce attacks, then delete files and remove traces of their activity as they continue going deeper. This ensures that any post-breach analysis doesn’t yield any information that gives away their presence or inhibits their efforts.

Fileless malware attacks are in fact overwhelmingly challenging to detect since they leverage legitimate code and tools that weaponize the application runtime state. We have termed these attack methods WRTs. In order to detect WRT attacks, detection mechanisms have to stay one step ahead of attacks and detect them in real-time as they happen. Most attempts at preventing fileless attacks work off an elaborate heuristic method which might involve monitoring network activity, system calls, registry modifications or processes. Because we are only guessing at the attacker’s intent, these approaches yield a very high level of false positives. To truly know if an attack has happened, you have to monitor code and understand the effect the attacker’s actions have on the application. Code is the only deterministic piece of information in a process that doesn’t change. If a security technique is able to monitor code in real time, any deviations in program execution can be caught immediately.

For example, let’s look at the Apache Struts Vulnerability, CVE-2017-5638 which caused the massive Equifax data breach. The remote code execution (RCE) vulnerability was exploited by passing malicious code in the Content-Type header. Once the malicious file was uploaded, attackers most likely used common system tools to mine usernames/passwords and moved laterally to high-value assets. Patching this security flaw was troublesome as it required rebuilding all apps. If there was a security solution that would have constantly monitored the Apache web-server and app-servers execution, the attack would have been caught immediately even without any application changes.

Virsec has fundamentally rethought security architecture. We believe that if attacks are to be stopped reliably at all times, you need to understand how the application executes input data. This method of monitoring application code has enabled Virsec to catch all types of fileless malware attacks without any false positives. Virsec achieves this by monitoring the microcode, compiled and interpreted code of your application continuously in real time and ensures that any deviation from expected behavior is signaled immediately as the attacks are in play. Customers can apply this approach to detect fileless attacks and protect workflows in real time. And utilizing Virsec’s extendable Protection Engine mechanism secures applications against all possible fileless threats.

Leverage these resources to learn more about Application Protection by Virsec.

Memory corruption attacks

A data buffer is an area of physical memory storage that temporarily stores data as it’s being moved from one place to another. Buffer overflow attacks, also called buffer overruns, occur when a program that writes data to a buffer overruns the buffer’s boundary and overwrites adjacent memory locations.

What is a heap overflow?

Another type of buffer overflow exploit is a heap overflow, also called a heap overrun. Heap overflows are different from overflows that exploit the stack. Heap is a region of process memory that stores dynamic variables. Heap overflows or heap overruns occur in the heap region where the application dynamically allocates memory at run time. Heap memory contains program data. The heap overflow exploit is carried out by corrupting this data in such a way that corrupts the application, making it overwrite internal structures.

Return-to-libc attack

Another computer security attack that typically starts with a buffer overflow is a return-to-libc attack. This attack is executed in such a way that the attacker doesn’t need to inject their own code – a fileless attack. A non-executable stack feature can prevent some types of buffer overflow exploits, but that features doesn’t stop a return-to-libc attack because in that attack, executable code is used. These attacks only call preexisting functions.

Remote code execution and Powershell execution

Remote code execution (RCE) is the ability to trigger code execution over a network, including WANs like the Internet. Attackers took full control of an application leveraging the Apache Struts vulnerability in its core code (CVE 2017-11778). User-provided input is insufficiently validated, resulting in a vulnerability that can be carried out by remote code execution.

Powershell is another avenue that is often abused by fileless malware attacks, also launched remotely, known as Powershell remote execution. Organizations can use tools to detect malicious PowerShell scripts. Powershell scripts are used to configure execution policies. PowerShell scripts can be run as executables using PSToExe (Powershell to exe).

Return oriented programming (ROP)

Return-oriented programming (ROP) is a computer security exploit technique where an attacker executes code even when security defenses are present, such as executable space protection and code signing. The attacker gains control and can hijack the program control flow, then take advantage of machine instructions already present in the machine’s memory, called gadgets. Chained together, in this memory corruption ROP attack, these ROP gadgets give an attacker the ability to take control and perform arbitrary operations on a machine.