Fileless attacks, easier to conduct and more effective than traditional malware-based threats, pose a growing challenge to enterprise targets.
Cybercriminals take the path of least resistance — which is why more of them are adopting fileless attacks to target their victims. The threat is poised to grow as attackers recognize the ease of this method and more employees rely on mobile and cloud to do their jobs.
Fileless, or non-malware, attacks let threat actors skip the steps involved with traditional malware-based attacks. They don’t need to create payloads; they can simply use trusted programs to exploit in-memory access. In 2017, fileless malware attacks leveraging PowerShell or Windows Management Instrumentation tools made up 52% of all attacks for the year.
Yet businesses still aren’t paying attention.
“Our focus in this industry is still on traditional attack vectors we’ve been dealing with for most of our careers,” says Heath Renfrow, CISO at Leo Cyber Security.
It’s time for businesses to take a closer look at how these threats work, how they can be detected, why they’re predicted to grow, and the steps they can take to protect themselves.
The Evolution of Modern Fileless Attacks
Fileless attacks are not new, but they have changed over time, says BluVector CEO Kris Lovejoy.
“What’s different about today is not the fact of fileless — both Code Red and Slammer used this — it’s the fact that the bulk of the attack chain, the steps of the attack, are all fileless,” she says. “If they do involve a payload it often looks legitimate and therefore, it’s very hard to detect.”
The growth of fileless malware attacks can be attributed to ease of use and improved tools for endpoint detection and response (EDR), says Adlumin CEO Robert Johnston, who led the investigation into the DNC hack during his previous role as a CrowdStrike consultant.
“Within a network, what’s breaking the backs of organizations is the theft of usernames and passwords,” he explains. “It’s not the malware that’s doing the trick.”
Threat actors use domain accounts and IP administrator passwords to traverse around target networks and steal information. Their activity takes multiple forms; for example, it’s oftentimes more valuable to access someone’s Office 365 or Amazon Web Services login, Johnston says.
All attackers have to break in somehow, meaning credential theft is the first step to an attack. Local admin credentials are always the first to go because nobody pays much attention to them and they’re not tied to a specific person, Johnston explains. This is generally the norm because it makes administration easier. Service account credentials are also vulnerable. Once they have system access, attackers use privilege escalation techniques to increase their capabilities.
Why You’re Vulnerable
Organizations fail to understand the complexity of their IT environments, a shortcoming that makes them vulnerable when they can’t monitor their full ecosystem. Many are “drowning in data” and are unable to bring account and user activity into a single place for analysis.
“If they can’t track it, they can’t understand which accounts have access to what,” Johnston explains. “They have no way to visualize, and no way to track and scale, all of these different identities that don’t always line up to a human.”
The challenge escalates when employees don’t adopt basic security practices. Lovejoy points out that phishing attacks are a popular means of delivering attacks and obtaining credentials.
Hackers are targeting workers personally and going after login credentials for Amazon, Gmail, PayPal, and other common services, says Arun Buduri, cofounder and chief product officer at Pixm. They know people use the same usernames and passwords across services.
“What hackers are doing is trying to get into personal accounts, and using that to get into corporate,” Buduri explains. Many threat actors target low-level employees with the idea that once they’re in, they can monitor email activity to learn the addresses of high-ranking workers.
Poised to Grow
Renfrow says fileless attacks will grow as workers are increasingly mobile and reliant on cloud. Teleworking “significantly increases the risk to the infrastructure,” he notes. As the CISO at United States Army Medicine, a position he held until November 2017, Renfrow says anyone who brought a device in from the field had to undergo a new image and scanning before logging back into the local network.
Mobile devices have become especially prominent in healthcare, he notes, and cloud has grown across industries. “Think about a cloud environment,” he says. “How much insight does a CISO have into who’s logging in and where?” Most people assume the cloud is safe, but Renfrow points out that the cloud contains a lot of credentials that have fallen out of use and should have been decommissioned — legitimate creds within attackers’ reach.
While financially motivated attackers will always be out there, Lovejoy anticipates more threats will aim to cause damage. “The sad reality is we’re seeing an increase in the number of destructive attacks that are being leveraged,” she points out.
What Can You Do About It?
Protecting against phishing starts with employee education. “Trick them, test them, teach them,” says Lovejoy. “The goal is to immunize enough people so the disease can’t take hold.” Employees should also have a means to report activity they feel is suspicious.
“Always enact the policy ‘If you see something, say something,’” she adds.
On top of this, businesses should take a close look at activity in their ecosystems.
“One thing we did in Army Med was bring in a toolset to map out all of the credentials across our infrastructure,” says Renfrow. “It was eye-opening … we had more credentials running through our infrastructure than we had people.”
After evaluating this, the team dug into the who, what, where, and how of what these credentials were doing. Anything outside the normal login location would trigger an alert. Given the massive size of Army Medicine’s infrastructure, he says automation was necessary for this.
He advises organizations to go back to the “old-school” method of looking at their traditional identity and access management. From there, if they’re mature enough, they can consider toolsets designed to automate access management to learn the who, how, where, and what of network logins.
“I think it would be eye-opening for any organization,” Renfrow says.
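The credential review Renfrow describes, as an added example that is not code from the article or from any vendor quoted in it: it learns each account's normal login sites from a baseline window, flags later logins from anywhere else, and counts how many credentials are in use versus how many people they map to. The log lines, account names and site names are constructed for this example.

```python
"""Added example, not from the article: a defender-side credential review
modelled on the Army Medicine approach. Learns each account's normal login
sites from a baseline window, flags later logins from elsewhere, and counts
credentials versus people. All log lines and names below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed authentication events: timestamp, account, login site, result.
SAMPLE_LOG = """\
2018-03-01T08:02:11Z jdoe       site=DC-HQ     result=success
2018-03-01T08:05:42Z jdoe       site=DC-HQ     result=success
2018-03-02T09:14:03Z jdoe       site=DC-HQ     result=success
2018-03-01T07:55:19Z asmith     site=FT-SAM    result=success
2018-03-02T07:58:27Z asmith     site=FT-SAM    result=success
2018-03-02T22:41:08Z svc_backup site=DC-HQ     result=success
2018-03-03T03:12:55Z jdoe       site=REMOTE-EU result=success
2018-03-03T03:13:10Z svc_backup site=REMOTE-EU result=success
2018-03-03T10:00:00Z asmith     site=FT-SAM    result=failure
"""

# Constructed identity inventory: account -> person, or None for a service
# account tied to nobody (the identities that "don't line up to a human").
ACCOUNT_OWNERS = {"jdoe": "Jane Doe", "asmith": "Alex Smith", "svc_backup": None}

# Logins before this instant form the baseline; later ones are checked against it.
BASELINE_CUTOFF = datetime(2018, 3, 3)


def parse_log(text):
    """Turn the whitespace-separated log format above into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "site": fields["site"],
            "success": fields["result"] == "success",
        })
    return sorted(events, key=lambda e: e["time"])


def build_baseline(events, cutoff=BASELINE_CUTOFF):
    """Normal sites per account: every site seen in a successful login before cutoff."""
    normal = defaultdict(set)
    for e in events:
        if e["success"] and e["time"] < cutoff:
            normal[e["account"]].add(e["site"])
    return dict(normal)


def find_anomalous_logins(events, baseline, cutoff=BASELINE_CUTOFF):
    """Successful logins after cutoff from a site the account never used in the
    baseline. An account with no baseline at all is flagged too: a credential
    that has never been seen logging in before."""
    alerts = []
    for e in events:
        if e["time"] < cutoff or not e["success"]:
            continue
        if e["site"] not in baseline.get(e["account"], set()):
            alerts.append((e["time"].isoformat(), e["account"], e["site"]))
    return alerts


def credential_summary(events, owners):
    """Active credentials, the people they map to, and accounts that map to
    nobody. More credentials than people is the situation Renfrow describes."""
    accounts = {e["account"] for e in events}
    people = {owners[a] for a in accounts if owners.get(a)}
    unmapped = sorted(a for a in accounts if not owners.get(a))
    return {"credentials": len(accounts), "people": len(people), "unmapped": unmapped}


def run_review(log_text=SAMPLE_LOG, owners=ACCOUNT_OWNERS, cutoff=BASELINE_CUTOFF):
    """Whole review in one call so the pieces can be checked together."""
    events = parse_log(log_text)
    baseline = build_baseline(events, cutoff)
    return {
        "baseline": baseline,
        "alerts": find_anomalous_logins(events, baseline, cutoff),
        "summary": credential_summary(events, owners),
    }


if __name__ == "__main__":
    result = run_review()
    for when, account, site in result["alerts"]:
        print(f"ALERT {when} {account} logged in from unusual site {site}")
    print("credentials vs people:", result["summary"])
```

The sample data deliberately includes a service account logging in from the same unusual site minutes after a user account does, which is the kind of pattern a location baseline surfaces and a per-account view alone would miss.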
The fingerprint-analysis software used by the FBI and more than 18,000 other US law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems.
The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm — then a subsidiary of the massive Paris-based conglomerate Safran — deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said.
In recent years, Russian hackers have gained access to everything from the Democratic National Committee’s email servers to the systems of nuclear power companies to the unclassified computers of the Joint Chiefs of Staff, according to US authorities.
This September, the Department of Homeland Security ordered all federal agencies to stop using products made by the Moscow-based company Kaspersky Lab, including its popular antivirus software, and media outlets reported that Russian hackers had exploited it to steal sensitive information on US intelligence programs. The department later clarified that the order didn’t apply to “Kaspersky code embedded in the products of other companies.” The company’s founder, Eugene V. Kaspersky, has denied any involvement in or knowledge of the hack.
The Russian company whose code ended up in the FBI’s fingerprint-analysis software has Kremlin connections that should raise similar national security concerns, said the whistleblowers, both French nationals who worked in Russia. The Russian company, Papillon AO, boasts in its own publications about its close cooperation with various Russian ministries as well as the Federal Security Service — the intelligence agency known as the FSB that is a successor of the Soviet-era KGB and has been implicated in other hacks of US targets.
Cybersecurity experts said the danger of using the Russian-made code couldn’t be assessed without examining the code itself. But “the fact that there were connections to the FSB would make me nervous to use this software,” said Tim Evans, who worked as director of operational policy for the National Security Agency’s elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin.
The FBI’s overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau’s use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.
In hopes of winning the FBI contract, the Safran subsidiary Sagem Sécurité, later renamed Morpho, licensed the Papillon technology to boost the performance of its own fingerprint-recognition software, the whistleblowers said. Both of them worked for Morpho: Philippe Desbois was the former CEO of the company’s operations in Russia, and Georges Hala worked for Morpho’s business development team in Russia.
BuzzFeed News reviewed an unsigned copy of the licensing agreement between the French and Russian companies, which both men said they had obtained while working for Morpho; it is dated July 2, 2008 — a year before the company beat out some of the world’s largest biometric firms, including an American competitor, to secure the FBI business. It grants Sagem Sécurité the right to incorporate the Papillon code into the French company’s software and to sell the finished product as its own technology. It also stipulates that Papillon would provide updates and improvements during the five-year period that ended on the last day of 2013. In return, Sagem Sécurité agreed to pay an initial fee of roughly 3.8 million euros — equivalent to almost $6 million at the time — plus annual fees.
The contract, which is also referenced in court documents, says that to Papillon’s knowledge its software does not contain any “undisclosed ‘back door,’ ‘time bomb,’ ‘drop dead,’ or other software routine designed to disable the software automatically with the passage of time or under the positive control of any person” or any “virus, ‘Trojan horse,’ ‘worm,’ or other software routines or hardware components designed to permit unauthorized access, to disable, erase, or otherwise harm the software, hardware, or data.”
The contract reviewed by BuzzFeed News also contains a section titled “Publicity” that says, “The parties agree to keep strictly confidential and not to disclose by any means to any third party the existence and the contents of this Agreement.”
Desbois — who has filed a whistleblower lawsuit in US federal court accusing Safran of fraudulently collecting about $1 billion from federal, state, and local agencies — said at least three high-level company officials stressed to him on multiple occasions that the existence of the agreement needed to remain a closely held secret. Disclosure, he said he was told, might jeopardize contracts in the US market, which the company coveted.
“They told me, ‘We will have big problems if the FBI is aware about the origin of the algorithm,’” he recalled.
Neither Desbois nor Hala was personally involved in the integration of Papillon code into the French company’s products or the sale of the software to the FBI, but both said they had conversations with engineers who did work on the integration. Desbois said multiple company officials told him that the technology sold to the FBI contained the Papillon algorithm.
“You know the word omertà?” Desbois said, referencing the Mafia code of silence made famous by the movie The Godfather. “It was always the intonation like we have done something bad that is a secret between us and that we should not repeat it to anybody.”
In promotional material and on its website, Papillon boasts of its work with Russia’s Ministry of Internal Affairs, which oversees police and immigration agencies, among others, and is run by a longtime police official who was appointed to the post in 2012 by President Vladimir Putin. The products that Papillon sells “are created with the instructional assistance” of the ministry, and the company is “closely cooperating with the Ministry of the Interior, Ministry of Defense and Ministry of Justice of Russia,” according to company publications. A Russian government website says that the Internal Affairs Ministry “renders methodic assistance” to Papillon.
“Papillon is not an independent company,” said Hala, one of the whistleblowers. “Papillon was an emanation of the Internal Affairs Ministry, so Papillon was always under the control of the ministry.”
Papillon’s deputy director for marketing, Ivan Shapshal, disputed that. “We are fully a private company,” he said. “Do we do special tasks for the intelligence agencies of Russia? No, there is no reason for us to do this. It is just a risk. It does not help us make money.”
Among the Russian agencies that use the company’s fingerprint-recognition technology is the FSB. “Year by year,” one Papillon publication says, “the company expands its cooperation with” the FSB, as well as Russian agencies in charge of immigration, customs, and drug control. Other clients include the governments of Turkey, Kazakhstan, Serbia, and Albania.
Shapshal said his company’s fingerprint-recognition technology helps Russian police solve roughly 100,000 cases per year. “If our software can help police solve more crimes, we are happy to be ‘very close’ to them, as you say,” he said. “We will be happy to be close to any security agency in the world for money.”
Papillon’s founder and director is Pavel Zaitsev, who worked as an engineer and programmer at Russian military installations from 1985 to 1991, according to a biography published with an article he wrote for a trade publication. Many of the company’s staffers, a Russian government website says, “gained experience working at the plants of Military-Industrial Establishment in Miass” — the city in the Ural Mountains where the company later established its headquarters.
Hala said there was “deep collaboration” between Papillon and the FSB. “It’s not a secret,” he said. Hala said he attended multiple meetings involving Russian government officials and Papillon executives in which FSB officials expressed strong support for Papillon and “controlled absolutely the discussion.”
The Internal Affairs Ministry, the FSB, and the Russian Embassy in Washington, DC, did not respond to requests for comment.
Neither the FBI nor any of the companies involved denied directly that the fingerprint software used by the bureau contains Russian code.
The FBI declined to answer repeated questions about the software but said in a statement, “As is typical for all commercial software that we operate, appropriate security reviews were completed prior to operational deployment.”
Safran declined to respond to questions about its actions as owner of the subsidiary that provided the software to the FBI, noting that it has since sold that subsidiary. But in legal filings, Safran has not denied the existence of the contract to license the Russian code, instead arguing that the allegations of fraudulent sales were not specific enough and that the company was not legally responsible for the actions of its subsidiary. Safran sold the subsidiary this year to a US private-equity firm, which renamed the company Idemia. An Idemia spokesperson said the fingerprint-recognition technology was “almost entirely developed and manufactured in France or in the United States” but that two software components contained source code developed “by other companies.”
The spokesperson, Céline Stierlé, refused to name those companies.
More broadly, she said the whistleblowers’ claims “are old allegations that are not supported by facts and that have been rejected by federal and state authorities and by the courts,” referring to the lawsuit filed by Desbois, one of the former employees who spoke with BuzzFeed News.
This year, a federal judge dismissed the case but did not evaluate the merits of most of the allegations. Instead, the judge focused on technical issues, finding that the suit hadn’t alleged enough specifics about, for example, when and how fraudulent claims for payment may have been submitted to the government. Also, the judge wrote, any false claims would have been submitted by a subsidiary that was not named as a defendant in the case — and the parent companies that were named couldn’t necessarily be held legally responsible. The case is on appeal.
As for the Russian company, Papillon, executive Shapshal responded to a question about the contract giving the French company rights to its code by saying, “We don’t comment on such things because we cannot confirm or deny.”
But he insisted that the company’s code did not include any vulnerabilities, saying that if anyone were to check “then you will see there is no back door.”
“Weigh carefully the risks”
As the FBI evaluated the companies vying to provide the fingerprint-recognition software in 2009, the possibility that the contract might go to a company subject to influence by a foreign government, even an ally, unsettled some members of Congress. The part-ownership of Safran by the French government prompted a letter to then-FBI director Robert Mueller from former Rep. John Kline of Minnesota, a Republican member of the House Intelligence Committee.
“Allowing a foreign government to provide services regarding sensitive information to our law enforcement and intelligence communities could potentially pose a grave counterintelligence threat to the US government,” Kline wrote. “I urge the FBI to assess whether any domestic companies are capable of this work and weigh carefully the risks versus the benefits of granting a foreign government access to this sensitive data.”
An FBI spokesman at the time said that the bureau “assesses all risks and vulnerabilities associated with any foreign influence or security concerns for vendors under consideration for contracts, including subcontracts, with the FBI.”
Later that year, the FBI and Lockheed Martin — the primary contractor in charge of incorporating various vendors’ products into the bureau’s system — announced the selection of a Morpho subsidiary, MorphoTrak. Among the competitors not chosen was the US company Cogent Systems.
A Lockheed Martin spokesman refused to discuss the contracting process and said the company had divested its unit responsible for the FBI program. A representative for Leidos, which is now the project’s primary contractor, declined to comment.
Desbois’s whistleblower lawsuit alleges that a US-based MorphoTrak engineer named Frank Barret was aware of the Papillon deal and led a team that helped prepare the software for use by the FBI. On the front step of his home in California, Barret refused to read and respond to the allegations in the complaint but said, “Everything I’ve said to the investigators, everything I’ve said in this trial, is true.” Asked to clarify, he closed his front door. When BuzzFeed News followed up the next day, Barret threatened to call the police.
Both Desbois and Hala said they discovered the existence of the agreement licensing the Russian company’s code after they questioned their bosses’ instructions not to compete with Papillon for certain contracts. It was then, they said, that company officials explained that the two companies had an unwritten agreement not to encroach on each other’s business in certain countries — an arrangement that violates antitrust laws, the whistleblower claim alleges. Desbois and Hala said that they obtained a copy of the licensing agreement because they wanted to see for themselves whether it spelled out the terms of the noncompete pact; it did not.
Papillon executive Shapshal declined to comment on the antitrust allegations. Idemia spokesperson Stierlé said that “this allegation, like the others, was part of the litigation” and that “it too was found to be deficient and lacking in even the most basic level of detail and was rejected by the court.” The judge found that the whistleblower suit did not provide specifics on who falsely certified to the US government that the company hadn’t violated antitrust laws, or when and how this had occurred.
Desbois’s whistleblower lawsuit accuses Safran of defrauding the US government out of about $1 billion, and if the suit is successful he stands to collect millions. Hala is not involved in the case. Both Desbois and Hala said they left Morpho voluntarily and on good terms.
The FBI contract is now a centerpiece in much of MorphoTrak’s marketing material. In 2011, the FBI said the new fingerprint-recognition software significantly increased both the speed and accuracy of matches, boosting the latter from 92% to more than 99.6%.
“In terms of prestige, to be able to say ‘My technology is used by the FBI,’ it really helps with sales,” said former employee Stephane Guichard, who led a US-based team that implemented and maintained the fingerprint-matching software for state and local agencies that had purchased it but was not involved in the software’s development or the FBI contract.
Guichard and two other former MorphoTrak employees who worked on government contracts in the US said they didn’t know about the licensing agreement with Papillon, and they expressed surprise that their former employer would use Russian technology. “Personally, it would have concerned me a little bit,” said Phillip Moore, who worked as an account manager and sales manager. It would have raised “basic trust issues with what they would supply us,” he said.
By the end of 2013, as the final stage of the FBI project phase-in became operational, Morpho reported that the US market accounted for more than a third of its roughly $2 billion in revenues.
Safran recently announced that it planned to refocus solely on aerospace and defense, and, earlier this year, it sold Morpho, which had recently been renamed Safran Identity & Security, to the US private-equity firm Advent International, with the French government investment bank Bpifrance also taking a stake. The reported price was about $2.5 billion.
The company, now named Idemia, has provided fingerprint-recognition software to the Department of Defense and agencies in 28 states and 36 cities or counties across the US — from the Orange County Sheriff’s Department to the New York Police Department. Through its subsidiaries, Idemia is a powerful lobbying force in Washington, and it is currently fighting to kill legislation that would endanger its status as the sole provider of fingerprint services for the TSA PreCheck program.
Chris Hamby is an investigative reporter for BuzzFeed News and is based in Washington, D.C. He won the 2014 Pulitzer Prize for Investigative Reporting and was a finalist for the 2017 Pulitzer Prize for International Reporting.
“Why corporate breaches continue to succeed” – Corporate breaches continue to succeed because attackers can steal the legitimate identities of your employees and use those identities to attack your infrastructure. Far deadlier than malware based attacks, identity based attacks can go undetected for months or years because perpetrators impersonate the methods used by your various privileged accounts as if they were that user. Attackers have changed their methods from the now outdated malware-based attacks to the evolved identity based attacks. Learn how next generation machine learning and analytics can detect and stop these attacks.
Rob Johnston on MSNBC
Timothy Evans, J.D., LL.M., Co-Founder and Chief of Strategy
Corporate breaches continue to succeed because attackers can steal the legitimate identities of your employees and use those identities to attack your infrastructure. Far deadlier than malware based attacks, identity based attacks can go undetected for months or years because perpetrators impersonate the methods used by your various privileged accounts as if they were that user. Attackers have changed their methods from the now outdated malware based attacks to the evolved identity based attacks. Learn how next generation machine learning and analytics hunting on your network 24/7 can detect intruders and malicious insiders without you hiring a single person.
Identity Based Attacks – Insights on the DNC Hack
Why do corporate breaches continue to succeed? Corporate breaches continue to succeed because attackers are able to steal the legitimate identities of your employees and use those identities to attack your infrastructure. Far deadlier than malware based attacks, identity based attacks can go undetected for months or years because perpetrators impersonate the methods used by your various privileged accounts as if they were that user. Attackers have changed their methods from the now outdated malware based attacks to the evolved identity based attacks. Learn how analytics, deception, and data streams are saving the security industry, or would have at least saved the Democratic National Committee.
According to a recent survey by Norton, 94 percent of users on the internet think they can spot phishing emails. Unfortunately, they couldn’t be more wrong.
The fact is that hackers are becoming savvier when it comes to finding personal information and tricking not only you, but your friends into providing more.
Jere L. Simpson, CEO and founder of Arlington-based KITEWIRE said these days hackers are using social engineering to nab your personal information and use it for mining information, gaining account access and blackmail.
“Social engineering is the easiest method to breach accounts. Your best friend, date of birth and mother’s maiden name are extremely easy to find on Facebook. Criminals will duplicate one of your friend’s accounts using the same photo and private message you that they created two accounts for business and friends in order to gain access to your information,” Jere said.
Once cyber criminals gather enough information about a person/owner of a company, then they go to work in figuring out details to breach the network.
Colonel Timothy Evans (Ret), cofounder and vice president of strategy of Arlington-based Adlumin said, “Health care data is the most valuable because it provides enough information for an intruder to apply for credit, loans, etc. without the individual even knowing that someone else has applied for credit in their name.
“Once the intruder steals legitimate credentials, they can move freely throughout the network without setting off any alerts. Their next task is to escalate their privileges to administrator so they can move about the network freely.”
Then you’re really screwed.
For a small startup or business owner, dishing out tons of cash for a high performing network server and IT consultant isn’t a reality when you’re bootstrapping. However, our cyber experts have some advice and inexpensive ways to protect your data from potential threats.
Let’s Start With the Facebook Feed
Taking photos at work to show off the team, work environment or the latest coffee machine is great, but you need to consider what is in the background of your photos, and whether you are unintentionally posting personal or confidential information.
“Be extremely careful what information is put on social media. Look for information that is in the background of photos like screen or paper information. Latergram as many photos as you can instead of posting them in the moment,” Jere said.
Don’t Open The Flood Gates
Reducing the number of people who have administrative access to files, a network, etc. can decrease chances for a breach.
“Probably the key for a small company is to limit the user’s authority on its network to conducting activities that a general user should do. In other words, do not make everyone on the network an administrator, they do not need that authority,” Timothy said.
It’s also a good idea to monitor logs to understand who is accessing certain files and online tools.
“Ensure that your users are doing what their logs say they are doing. If the system says that you used a USB drive to download gigabytes of information, the follow-up question is, did you do that? There are free tools that you can use to check your own logs to ensure that the actions that are being taken on your network. At a minimum, a small company should audit the company’s privileged access users to ensure that their activities are in line with their duties and actual activities,” Timothy said.
Newbie Doesn’t Get the Keys to the Kingdom
While founders want to trust that every tech employee is honest, Jere said it’s not a bad idea to gradually ease them into full access of the network. Most importantly, change your network password often enough to avoid any potential problems.
“Don’t give every new tech SaaS access to your calendar, email, contacts, drive, location etc. Also, use a formula for your passwords so that each password is unique and you can always figure it out…and never write it down,” Jere said.
Yes, You Must Change the Passwords
Changing your passwords is the oldest, yet most important, advice any cyber expert can offer you, because it works, so do it. Also, our experts want you and your employees to stop sending your username and password over the network, email or communication tools like Slack.
“If you need to give someone a username and password, don’t send both over the same communication,” Jere said. “Calling on the phone or video chat is often the most secure method.”
Did I mention changing the password? Timothy recommends conducting privileged account password resets every 30 days. Seriously.
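The advice above on limiting administrator rights, auditing privileged users against their duties and resetting privileged passwords every 30 days, pulled together as an added example that is not code from the article or from either expert quoted in it. The account inventory, duty lists and activity events are constructed for this example.

```python
"""Added example, not from the article: a privileged-access review for a small
company. Lists administrator accounts, flags privileged accounts whose
password is older than 30 days, and checks logged actions against each
account's stated duties. All accounts, duties and events are constructed."""
from datetime import date

ADMIN_GROUP = "Administrators"
MAX_PASSWORD_AGE_DAYS = 30            # the 30-day reset cadence recommended above
USB_VOLUME_THRESHOLD = 1_000_000_000  # a gigabyte-scale USB copy earns a follow-up question
# Actions that should only ever be performed from an administrator account.
PRIVILEGED_ACTIONS = {"user_create", "group_add", "patch_install"}
REVIEW_DATE = date(2018, 3, 5)        # the day the review is run

# Constructed account inventory: group membership, last password change, duties.
ACCOUNTS = [
    {"account": "alice", "groups": ["Users", ADMIN_GROUP], "pw_changed": "2018-02-20",
     "duties": {"user_create", "patch_install", "file_read"}},
    {"account": "bob", "groups": ["Users"], "pw_changed": "2018-02-28",
     "duties": {"file_read"}},
    {"account": "svc_db", "groups": [ADMIN_GROUP], "pw_changed": "2017-06-30",
     "duties": {"db_backup"}},
]

# Constructed activity events, as an audit log would record them.
SAMPLE_EVENTS = [
    {"time": "2018-03-01T09:00:00Z", "account": "alice", "action": "user_create", "bytes": 0},
    {"time": "2018-03-01T09:30:00Z", "account": "alice", "action": "usb_copy", "bytes": 120_000},
    {"time": "2018-03-02T01:10:00Z", "account": "svc_db", "action": "db_backup", "bytes": 50_000_000},
    {"time": "2018-03-02T02:00:00Z", "account": "svc_db", "action": "usb_copy", "bytes": 6_000_000_000},
    {"time": "2018-03-02T10:00:00Z", "account": "bob", "action": "group_add", "bytes": 0},
    {"time": "2018-03-02T11:00:00Z", "account": "bob", "action": "file_read", "bytes": 0},
]


def admin_accounts(accounts=ACCOUNTS):
    """Who currently holds administrator rights; the list to keep as short as possible."""
    return sorted(a["account"] for a in accounts if ADMIN_GROUP in a["groups"])


def stale_privileged_passwords(accounts=ACCOUNTS, as_of=REVIEW_DATE,
                               max_age=MAX_PASSWORD_AGE_DAYS):
    """Privileged accounts whose password has not been reset within max_age days."""
    stale = []
    for a in accounts:
        if ADMIN_GROUP not in a["groups"]:
            continue
        age = (as_of - date.fromisoformat(a["pw_changed"])).days
        if age > max_age:
            stale.append((a["account"], age))
    return stale


def review_activity(events=SAMPLE_EVENTS, accounts=ACCOUNTS):
    """Check each event three ways: a privileged action from a non-admin account,
    an action outside the account's stated duties, and a USB copy above the
    volume threshold. Events from accounts missing from the inventory are
    reported on their own, since nobody can vouch for what they should be doing."""
    by_name = {a["account"]: a for a in accounts}
    findings = []
    for e in events:
        acct = by_name.get(e["account"])
        if acct is None:
            findings.append((e["time"], e["account"], "account not in inventory", e["action"]))
            continue
        is_admin = ADMIN_GROUP in acct["groups"]
        if e["action"] in PRIVILEGED_ACTIONS and not is_admin:
            findings.append((e["time"], e["account"],
                             "privileged action without admin rights", e["action"]))
        if e["action"] not in acct["duties"]:
            findings.append((e["time"], e["account"],
                             "action outside stated duties", e["action"]))
        if e["action"] == "usb_copy" and e["bytes"] >= USB_VOLUME_THRESHOLD:
            findings.append((e["time"], e["account"],
                             "large USB copy, confirm with user", f"{e['bytes']} bytes"))
    return findings


if __name__ == "__main__":
    print("administrators:", admin_accounts())
    for account, age in stale_privileged_passwords():
        print(f"RESET {account}: password is {age} days old")
    for when, account, reason, detail in review_activity():
        print(f"REVIEW {when} {account}: {reason} ({detail})")
```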
Employees Can Be Your Superheroes
Your employees can be the first line of defense when it comes to thwarting cyber attacks. Take time to educate them on what to look for if faced with a potential threat.
“Be very unified as a small company that no employee will click on an email link or document received without being sure that the document or link is from a known vendor, partner, or trusted party. This takes a lot of discipline, however, it is the absolute best method to prevent an attack,” Timothy said.
“Talk with your employees and let them know that simple carelessness could result in putting a company out of business. Breaches of customer data or credit card information will result in damage to the company’s name at a very minimum.”