The Rise of Fileless malware

Over the last two years, there has been an uptick in the amount the malware attacks that are fileless. This means that the malware is designed to not rely on or interacts with the filesystem of the host machine. This is so it is relatively undetectable by file scanning, which is the common way to find malware. This rising trend will change how we deal with these kind of malware threats. One of the changes to combat this threat is to turn to behavior based detection strategies like “script block logging,” which will keep track of code that is executed, for someone to sift through and look for abnormalities.

Experts are predicting that fileless malware attacks will continue to rise as it did from 2016 to 2017 because of its success rate. Fileless attacks are more likely to be successful than file-based attacks by an order of magnitude (literally 10 times more likely), according to the 2017 “State of Endpoint Security Risk” report from Ponemon. The ratio of fileless to file-based attacks grew in 2017 and is forecasted to continue to do grow this year. This goes to show that we need to constantly be adapting to different threats, because we know the hackers will.
– Ryne Krueger



Crypto-jacking on Government Official Websites.

About a month ago it was discovered that there was a vulnerability being exploited on a browser plug-in called, Browsealoud. Browsealoud is a website plugin, developed by the company TextHelp, that adds speech, reading, and translation to websites, in an effort  to help those with dyslexia and other conditions.  Hackers injected a crypto-mining script on a Java file within the Browsealoud library. The script would mine the currency ‘monero’. Since the hackers attacked Browsealoud itself and not the individual websites, all the websites that were using Browsealoud (nearly 4000) were infected.  Some of the websites included  UK’s ICO (Information Commissioner’s Office) and NHS (National Health Service) and US’ federal judiciary. When someone visited a website using the plugin, the script would run and use the visitors CPU to begin mining.

Crytpo-mining is something to be wary about especially with the rise of Bitcoin and other cryptocurrencies. The hackers simply just wanted an easy way to mine more currency for themselves whether or not it was legally. There reason for doing this comes back to the acronym ‘MEECES’ which stands for money, ego, entertainment, cause, entrance, status. The attackers were just looking for some money in this case because as of now it is unknown who injected the script. It was very fortunate, with the information as of now, that no information of the users who used the website was stolen, and only were used to mine cryptocurrency.

Websites now should use more caution when implementing plugins to there website. Every company should have people testing for vulnerabilities within their services and should submit proof of this to their customers. In the future we need to become more aware of ways our websites and services can become vulnerable and the risks we take using them.

– Jordan Disciglio


City of Atlanta Victim of yet Another Cyber Attack

Early on March 22nd, several departments in Atlanta, Georgia were the target for a cyber attack. The attackers launched a ransomware attack, and demanded bitcoins as payment (over $50,000 USD).

Ransomware exampleRansomware attacks are relatively new and became popular in 2017 with the widely feared WannaCry attack. Ransomware typically encrypts some of your files and locks you out of your computer, then demands a ransom to be paid (usually with Bitcoin, an anonymous cryptocurrency).

This attack had a widespread impact as it affected multiple departments in Atlanta. Administrators took down several websites and services while the attack was investigated by the FBI, DHS, Microsoft, and Cisco. While ATL airport was not directly affected, administrators also disabled its Wi-Fi and advised passengers that flight schedules may not be accurate and to verify information with their airline.

As an additional measure, city employees were directed not to turn on any devices in the building until the malware had been contained. Five days later on March 27th the first machines were powered back on. Administrators expect some machines to be infected and that employees will continue to work using other methods if their machines are affected.

Ransomware attacks historically have just been a means of pressuring victims into paying the ransom. Attackers usually are not looking to steal information in the process. In fact, if an attacker did want to steal information, it wouldn’t make much sense to tell the victim that their machine is infected. However, in the case of the Atlanta cyber attack, both employees and the public were advised to monitor their credit cards and bank accounts for any suspicious activity.

The investigation has shown that it doesn’t appear any information has been compromised. While the details of the attack have not been released, Rendition Infosec reported that Atlanta government had been compromised by a previous cyber attack in April 2017. Microsoft had released critical patches over a month before the attack happened, but they were not installed. The attack lasted a little over a week, and statements from the city of Atlanta suggest that they were not aware the attack had happened in the first place. The identity of the attackers still remains unknown.

Jesse Roux

Fileless Malware

Malware is constantly evolving to match the level of sophistication that anti-malware programs use to prevent it. This is especially so in the type of malware called fileless malware. This malware is relatively new (first big cases seen in 2014) but becoming more common. Fileless malware tends to avoid the filesystem by operating almost entirely in memory, therefore we have also seen some attacks like this as early as in the 2000’s. It hit a milestone in 2017 of attacks by making up nearly 52% of all malware attacks that year.

This type of malware aims to avoid modifying the filesystem at all. It allows “cybercriminals to skip steps that are needed to deploy malware-based attacks, such as creating payloads with malware to drop onto users’ systems. Instead, attackers use trusted programs native to the operating system and native operating system tools like PowerShell and WMI to exploit in-memory access, as well as Web browsers and Office applications.”

So why does it matter if it avoids modifying the filesystem? That is because a big part of malware protection in anti-malware programs is scanning files to detect infected ones.

How can it be prevented? This is a process called behavioral detection. “Looking for signs associated with malicious PowerShell use (like a PowerShell session executed using an encoded command via the command line), provides security teams with the evidence they need to investigate incidents that could turn out to be instances of malicious PowerShell use.”


-Dylan Arrabito

Russian Government Cyber Attacks Targeting Critical US Infrastructure

In this modern, technology-run day-and-age, the use of cyber hacking by one nation against another is an increasingly frequent method of attack. The United States Computer Emergency Readiness Team in joint with the DHS and FBI recently released a report outlining specific types of attacks they have identified being used by the Russian government targeting the U.S. government as well as “organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors”. They have also confirmed that these attacks have been ongoing since at least March of 2016.

One type of attack uses spear phishing emails containing Microsoft Word files loaded with a malicious script. These script first installs some credential-harvesting tools like Hydra and CrackMapExec. Then, it attempts to retrieve a file on a server via SMB request. By doing so—whether or not the file exists—an authentication request is typically prompted to the user before continuing. At this point, the script will capture the hash of the user’s credentials, and make an attempt to extract the full username and password using the aforementioned tools installed on the machine.

Another type of attack again used phishing to obtain credentials via a link in a falsified .pdf contract agreement. Users were directed to follow a link in the document to enter their email address and password in order to agree to the service contract. Once the credentials were in hand, attackers used them to attempt to gain access to the internal systems of these important infrastructure institutions. A back-door was installed to allow persistent access, and attackers could then modify firewall settings and Windows registry keys.

The release of this information is significant in two ways. First, it is just another example as to the extreme importance of vigilant cyber security awareness and practice. Both of these attacks rely on the ignorance and thoughtlessness on the side of the end-user to gain access into the system. Whether it’s opening unsolicited Microsoft Word documents or agreeing to unfamiliar (and unofficial) contracts, both scenarios rely on users divulging their credentials without suspicion as to whether the requesting source is legitimate.

Second, it is another example of the changing landscape of cyber security and cyber hacking as it continues to be used more frequently by governments as a weapon against other nations. Now more than ever is cyber security conversation and awareness important for all people as we enter an age of online warfare.

— Brendon Stowe
Student, R•I•T
Web & Mobile Computing

Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors