In part two of our series on the most overlooked security risks in eCommerce, we take a look at another batch of would-be attacks that may be keeping a low profile while posing a real threat to your web application.
Fileless malware is malicious activity that uses the legitimate tools already present on a system to carry out an attack. Unlike conventional malware, it does not need to write its own code to the target's disk, which makes it particularly hard to spot. This technique of executing an attack with native, legitimate tools has been coined "living off the land." Attackers often trigger the malware when the target opens a malicious Excel or Word document or visits an infected page in the browser.
While bad actors do not need to plant their own code on disk to deploy a fileless malware attack, they still need a way into the environment so they can turn its native tools to their own purposes. Bad actors gain access to systems and carry out attacks in a few different ways, which we cover below.
1. Registry Resident Malware
Registry resident malware embeds itself in the Windows registry in order to remain active while evading detection. Conventionally, Windows systems become infected through a dropper program that downloads an infected file. That file persists on the target's disk, which makes it susceptible to detection by antivirus software.
While fileless malware can also use a dropper program, the dropper does not download an infected file. Instead, it writes malicious code directly into the Windows registry. The code can be configured to run every time the operating system starts, and because it is concealed within the registry rather than in a file that antivirus tools would scan, there is no infected file to find. Malware that alters registry keys in this way will most likely remain undetected for extended periods of time.
2. Exploit Kits
An exploit is a piece of code, a set of data, or a sequence of commands that takes advantage of a vulnerability; an exploit kit (EK) is a packaged collection of exploits. Bad actors use these tools to exploit well-known vulnerabilities in applications or operating systems. Exploits are particularly effective for deploying a fileless malware attack because the payload can be loaded directly into memory without anything being written to disk. Bad actors use exploit kits to automate initial attacks at scale.
An exploit-based attack generally begins the same way whether fileless or traditional malware is used: the victim is typically targeted through social engineering or a phishing email. An exploit kit commonly contains exploits for several vulnerabilities and a management console that the bad actor uses to control compromised systems. The kit may also be able to scan the target system for weaknesses and then immediately build and deploy a tailored exploit. The RIG Exploit Kit (EK), an older EK first spotted in 2014, recently re-emerged with a fresh ability to exploit Microsoft Internet Explorer.
3. Fileless Ransomware
Don't underestimate bad actors; they will use whatever technological resources are available to them to get the job done. Bad actors conducting a ransomware attack will use fileless methods, embedding malicious code in documents through native scripting features such as macros, or writing it straight into memory with the help of an exploit. The ransomware then takes control of native tools to encrypt the victim's files without ever writing its own executable to disk.
4. Memory-Only Malware
As the name suggests, memory-only malware exists solely in memory. The Duqu worm, for example, is notoriously difficult to detect because it resides exclusively in memory. Duqu 2.0 has two variants: the first is a backdoor that gives the bad actor a foothold; the attacker can then deploy the advanced version of Duqu 2.0, which adds capabilities such as lateral movement, reconnaissance, and data exfiltration. Bad actors have used Duqu 2.0 to gain access to major companies, including a leading security software vendor.
5. Stolen Credentials
Bad actors may use stolen credentials to carry out a fileless attack so that they appear to be a legitimate user. Once inside, the bad actor will abuse native tools like PowerShell to deploy their attack. The attacker can then establish persistence by hiding malicious code in the registry or the kernel, or by creating new user accounts that give them access to the systems of their choosing.
The best defense against fileless malware is behavioral threat detection based on "indicators of attack" (IoAs): automated detectors that look for signs that an attack is currently in progress, such as lateral movement, unusual code execution, and other suspicious activity. "Managed threat hunting" is the manual counterpart, in which skilled analysts scour your systems in search of malicious activity.
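As an added example (not code from the original article), the following Python rule applies the "indicators of attack" idea to the registry-resident persistence and PowerShell abuse described above: it scans constructed registry value-set records and flags autostart (Run/RunOnce) values that launch a native script host with hiding or in-memory execution flags. The `key|value_name|value_data` record layout, the sample SID, user name, and paths are all assumptions made up for this example.

```python
import re

# Autostart keys that "registry resident" malware writes to so its command runs at every
# logon: Run and RunOnce, whether per-user (HKU/HKCU) or machine-wide (HKLM).
AUTOSTART_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)

# Native script hosts and living-off-the-land binaries a fileless loader launches from
# an autostart value instead of dropping its own executable.
SCRIPT_HOSTS = {"powershell", "pwsh", "wscript", "cscript", "mshta", "regsvr32", "rundll32", "cmd"}

# Command-line traits that signal hiding or in-memory execution rather than a normal installer.
SUSPICIOUS_FLAGS = {
    "encoded_command": re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I),
    "hidden_window": re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I),
    "no_profile": re.compile(r"\s-(nop|noprofile)\b", re.I),
    "policy_bypass": re.compile(r"\s-(ep|executionpolicy)\s+bypass\b", re.I),
    "download_or_eval": re.compile(r"downloadstring|invoke-expression|\biex\b|javascript:", re.I),
}

# Constructed sample records in an assumed "key|value_name|value_data" layout, loosely modelled
# on a registry value-set event (e.g. Sysmon Event ID 13). SID, user and paths are made up.
SAMPLE_EVENTS = [
    r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run|OneDrive|C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Updater|powershell.exe -nop -w hidden -enc AAAAPLACEHOLDER",
    r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\RunOnce|svc|mshta.exe javascript:PLACEHOLDER",
    r"HKLM\SOFTWARE\ExampleVendor\App|InstallPath|C:\Program Files\ExampleVendor\App",
]

def launched_host(value_data):
    """Return the bare executable name (without .exe) that an autostart value launches."""
    data = value_data.strip()
    if data.startswith('"'):                     # quoted path, possibly containing spaces
        first = data[1:].split('"', 1)[0]
    else:
        first = data.split()[0] if data else ""
    exe = first.rsplit("\\", 1)[-1].lower()
    return exe[:-4] if exe.endswith(".exe") else exe

def classify_registry_event(line):
    """Return a finding dict for a suspicious autostart value, or None if the event looks benign."""
    key, value_name, value_data = line.split("|", 2)
    if not AUTOSTART_KEY_RE.search(key):
        return None                              # not a persistence location
    host = launched_host(value_data)
    if host not in SCRIPT_HOSTS:
        return None                              # an ordinary application, not a script host
    reasons = ["script_host:" + host]
    reasons += [name for name, rx in SUSPICIOUS_FLAGS.items() if rx.search(value_data)]
    # A bare script host deserves a look; hiding or encoding flags on top make it high severity.
    severity = "high" if len(reasons) > 1 else "medium"
    return {"key": key, "value_name": value_name, "reasons": reasons, "severity": severity}
```

Running `classify_registry_event` over `SAMPLE_EVENTS` flags only the `Updater` and `svc` values; the OneDrive entry and the vendor install path pass as benign.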
Open-Source App Development
In the land before time, developers built apps from the ground up. Now, the people crafting applications are often third-party agencies with limited security knowledge, who may skip the security checkpoints that were once standard. Developers create and test apps in development environments that may not be secure, using tools that might themselves be malicious. In this way, bad actors can set their sights on apps that are still being built, and even non-critical apps can be stepping stones to more sensitive data.
Merchants may end up using technologies built by bad actors without a second thought, because the way software components are acquired and used has changed. Today, developers build applications out of third-party components such as frameworks and widgets. Open-source tools are favored, but some have been built or tampered with by bad actors with the aim of introducing backdoors. That's why it's vital that developers work together with security teams to ensure that your application is built with security in mind.
Evil Maid Attacks
Yes, this is an attack that could take place in your hotel room, albeit not at the hands of a sinister cleaning crew member. Many corporate employees, and business owners themselves, carry their unencrypted devices to home offices, coffee shops, airports, and hotels, blissfully unaware of the elevated risk of attack. Unless your device has full-disk encryption, it is vulnerable the moment it is left unattended, even for a minute, and even then the encryption only helps if the device is powered off or locked when you walk away. That's how "evil maid attacks" work: bad actors target devices that are left unattended with the aim of either stealing data or installing malware. Unless you spot the bad guy (or gal) in action, you will never know the difference, because your device was never physically stolen.
Business travel can open the door to other security risks as well. A business owner or a high-level employee could log in to their email account from a shared computer at a hotel or a conference center. Such a computer could easily be logging your keystrokes and recording your every click.
Be vigilant with your personal devices - always lock your computer when you step away, even if only for a minute. Avoid using devices that don't belong to you to log in to private portals, be it email or, heaven forbid, your admin panel.
Mobilization of Data
As smartphones gear up to take over our world, Skynet-style, more and more employees use their mobile devices to complete work tasks. Unfortunately, the data stored on mobile devices is often not secured - and this is a problem for businesses. In order to work from tablets and smartphones, people access sensitive work data from devices that were not built for data storage in the same way that laptops are.
Configuration management must be carried out to make sure that data is stored in the correct place - not in individual iCloud accounts. It's not only sensitive corporate data that is at risk; many customers are also inclined to hand over personal data. They may provide details such as email addresses, usernames, and social media logins in order to receive discounts or freebies. In the event of a data breach, that information becomes public.
Some of the security risks mentioned today may seem unlikely, and they may never happen to your business. Still, just because you haven't read about an evil maid attack in the news lately does not mean you couldn't be the unlucky victim of one. After all, we've become very dependent on our devices - we're permanently logged in to our Facebook and Instagram accounts (business pages included), and our login details are saved in our browsers. Ensure there's no funny business going on behind the scenes on your web application with the help of a Penetration Test - think of it as putting your system through a real-life hacking test. Take a peek at our specialized Penetration Test here.