“Malware-free” attacks mount in big breaches, CrowdStrike finds

No file-based malware—or balaclava—was required for most of the attacks CrowdStrike investigated in the past year.

Despite the rise of massive crypto-ransomware attacks, an even more troubling trend emerged in data gathered by the security firm CrowdStrike this past year and published in the company’s 2017 “Intrusion Services Casebook.” The majority of attacks the company responded to did not leverage file-based malware but instead exploited a combination of the native software of victims’ systems, memory-only malware, and stolen credentials to gain access and persist on the targeted networks. And the average attack persisted for 86 days before being detected.

“We found that 66 percent of the attacks we had investigated were file-less or malware free,” said Bryan York, director of services at CrowdStrike, in an interview with Ars. “These attacks had either leveraged some sort of compromised credentials or some sort of malware that runs in memory only.”

Some of these attacks used malware that was implanted in the memory of a targeted system by exploiting a software vulnerability on a system reachable from the Internet as a beachhead, or they used poorly configured Web systems to gain access—and then in some cases leveraged Windows features such as PowerShell or Windows Management Instrumentation (WMI) to establish persistent backdoors and spread laterally throughout targeted networks without leaving a malware footprint detectable by traditional antivirus screening. “Obviously, memory-only malware is pretty challenging to protect against,” York said.