Newsletter 07/30/2023


The Game Has Changed:
Fileless Malware and Hackers Living Off the Land

On May 24, 2023, CISA released a Cybersecurity Advisory entitled "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection."  The threat actors exploit vulnerabilities in out-of-date, or even obsolete, small office/home office (SOHO) routers as their means of obtaining network access.  Once a router is compromised, the attackers can "obscure their activity by having much of the command and control (C2) traffic emanate from local ISPs in the geographic area of the victim."  Traffic that appears to come from a residential ISP address in the victim's own region blends in with ordinary user traffic and defeats alerting that keys on foreign source addresses.  A command and control server is "used to send commands to systems compromised by malware and receive stolen data from a target network," as TrendMicro defines it.

CISA recommends that owners of these vulnerable routers not allow those obsolete devices to be Internet connected.  If these risky devices must be Internet connected, then CISA strongly suggests that "device owners and operators should ensure they follow zero trust principles and maintain the highest level of authentication and access controls possible."  My twenty-plus years of field experience lead me to believe with a great deal of certainty that most of said "device owners and operators" have no idea of Zero Trust, and may well have never even changed the default password on that venerable, yet vulnerable, old router.  As Palo Alto Networks Unit 42 stated it in their May 26, 2023 report on the matter:

In addition to requiring manual software updates, SOHO devices are also rarely configured according to best practices by users and they have network management interfaces exposed directly online. Because of these things, many attackers of all motivations – including botnets – also recognize and use SOHO devices for malicious activity.

In a report also dated May 24, 2023, Microsoft gave the Chinese threat actor a name, Volt Typhoon, in a post entitled "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques."  Microsoft stated:

Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

CISA concurs with Microsoft about the intentions of these sophisticated China-based threat actors in its "China Cyber Threat Overview and Advisories."  In the preface of that document, the case against China's cyber activities is clearly stated:

The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment makes clear the cyber threat posed by the People’s Republic of China (PRC): “China probably currently represents the broadest, most active, and persistent cyber espionage threat to U.S. Government and private-sector networks. China’s cyber pursuits and its industry’s export of related technologies increase the threats of aggressive cyber operations against the U.S. homeland. . . China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems."

That overview also discusses the Living Off the Land techniques of these threat actors.

Fileless malware attacks succeed not by planting rogue files on the compromised system, but by running malicious code in memory, often after exploiting a vulnerability in legitimate software, and then using the operating system's own built-in tools and scripting engines, such as PowerShell and WMI, to carry out the attack.  Because nothing new lands on disk, antivirus that scans files for known signatures has nothing to match.  As CrowdStrike explained it:

Exploits are an efficient way to launch a fileless malware attack because they can be injected directly into memory without requiring anything to be written to disk. Adversaries can use them to automate initial compromises at scale.

One common fileless technique on Windows is Registry modification.  Dropper files, whose purpose is to facilitate "the delivery and installation of malware," write malicious code directly into the Windows Registry, typically alongside an autostart entry that reads the stored code back out and executes it.  The method is very successful because, as CrowdStrike noted:

The malicious code can be programmed to launch every time the OS is launched, and there is no malicious file that could be discovered – the malicious code is hidden in native files not subject to AV detection.
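As an added example (not code from the newsletter, CISA or CrowdStrike), here is a small Python triage script that reads a Run-key export, the text produced by reg export, and flags the traces that registry-resident, fileless persistence leaves behind: an encoded PowerShell command line, a script host launched with inline script, and a loader that pulls its real payload out of another registry value. The export, the key paths, the value names and the payload are all constructed for the demonstration.

```python
r"""Triage a Run-key export (.reg text) for registry-resident, fileless persistence.

Added example for this newsletter; not code from CISA, CrowdStrike or any other
source cited above. The export below is constructed: key paths, value names and
payload are invented. A real export comes from
`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; that file
is UTF-16LE with a BOM, so open it with encoding="utf-16" before calling hunt().
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# and the argument is Base64 over the UTF-16LE bytes of the script, not UTF-8.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
_SHELLS = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")
# Script hosts commonly abused to execute code straight from the autostart value.
_SCRIPT_HOSTS = re.compile(r"(?i)\b(?:mshta|rundll32|regsvr32|wscript|cscript)(?:\.exe)?\b")
_INLINE_SCRIPT = re.compile(r"(?i)\b(?:javascript|vbscript):")
# A loader that reads its real payload out of another registry value and evaluates it.
_READS_REGISTRY = re.compile(r"(?i)get-itemproperty|\bgp\b|\bHK(?:CU|LM):")
_EVALUATES = re.compile(r"(?i)\biex\b|invoke-expression")

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_UNESCAPE = re.compile(r'\\(["\\])')   # .reg files escape \ and " with a backslash

def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (Base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = _ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_reg_export(text: str):
    """Yield (key, value_name, data) per value; data is None for non-REG_SZ data."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = _KEY_LINE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = _VALUE_LINE.match(line)
        if not vm or key is None:
            continue
        name = _UNESCAPE.sub(r"\1", vm.group(1))
        data = vm.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            yield key, name, _UNESCAPE.sub(r"\1", data[1:-1])
        else:
            yield key, name, None   # hex:, hex(2):, dword: are not decoded here

def assess(key: str, name: str, data):
    """Classify one autostart value; return a finding dict, or None if it looks benign."""
    if data is None:
        return {"key": key, "name": name, "command": None, "decoded": None,
                "indicators": ["non-string data, review manually"]}
    indicators = []
    decoded = decode_encoded_command(data)
    if _SHELLS.search(data) and _ENC_FLAG.search(data):
        indicators.append("encoded PowerShell")
    if _SCRIPT_HOSTS.search(data) and _INLINE_SCRIPT.search(data):
        indicators.append("script host with inline script")
    body = decoded if decoded is not None else data   # inspect the decoded script when present
    if _READS_REGISTRY.search(body) and _EVALUATES.search(body):
        indicators.append("registry-resident payload loader")
    if not indicators:
        return None
    return {"key": key, "name": name, "command": data,
            "decoded": decoded, "indicators": indicators}

def hunt(reg_text: str):
    """Run assess() over every value in the export and return the findings in file order."""
    return [f for f in (assess(k, n, d) for k, n, d in parse_reg_export(reg_text)) if f]

# Constructed second stage: pulls a script out of another registry value and runs it
# in memory, so nothing is ever written to disk.
STAGE2_LOADER = r"IEX (Get-ItemProperty -Path HKCU:\Software\Contoso\Cache -Name Blob).Blob"

# Constructed export: one benign entry, two living-off-the-land entries, and one
# REG_EXPAND_SZ entry that the parser only flags for manual review.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -NoP -W Hidden -Enc ENCODED_PAYLOAD"
"Helper"="mshta.exe vbscript:Execute(\"CreateObject(\"\"WScript.Shell\"\").Run \"\"calc.exe\"\"\")"
"Legacy"=hex(2):63,00,6d,00,64,00,00,00
'''.replace("ENCODED_PAYLOAD", encode_command(STAGE2_LOADER))

if __name__ == "__main__":
    for f in hunt(SAMPLE_REG):
        print(f"{f['name']}: {', '.join(f['indicators'])}")
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

The script is a triage heuristic, not a replacement for endpoint detection: it only covers REG_SZ values under the key you export, so repeat it for the HKLM Run, RunOnce and Winlogon keys, and treat any flagged REG_EXPAND_SZ entry as something to decode by hand. The decoded loader is the detail that matters most; an encoded command line is suspicious on its own, but one that reads another registry value and pipes it into Invoke-Expression is the registry-resident pattern the quoted CrowdStrike passage describes.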

Exploit kits also make Living Off the Land techniques successful, again without writing any files to disk.  As TrendMicro defined these hacking tools, "An exploit kit or exploit pack is a type of toolkit cybercriminals use to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities."  CrowdStrike has observed that: "Exploits are an efficient way to launch a fileless malware attack, such as a LOTL attack, because they can be injected directly into memory without requiring anything to be written to disk."

In its 2023 Global Threat Report, CrowdStrike found "malware-free activity accounting for 71% of all detections in 2022."  The same conditions this blog has discussed for some time now facilitated these fileless attacks.  One common entry point is the "prolific abuse of valid credentials to facilitate access and persistence in victim environments."  The other "contributing factor was the rate at which new vulnerabilities were disclosed and the speed with which adversaries were able to operationalize exploits."

This article was not intended to be an in-depth technical treatise on fileless malware and hackers' Living Off the Land techniques.  Rather, its purpose is to introduce a growing threat that all Internet Users and Computer Consumers face.  This threat makes taking charge of one's own security a greater challenge than ever before.  Its purpose is also to make clear, once again, that Consumers must take control of their own cyber security.  Replace old, obsolete devices that let threat actors live off of your land, so to speak.  There is no excuse for not taking the time and care to install all updates, including the firmware embedded in computer hardware and routers.  And, I repeat, if a Consumer is unsure how to perform these necessary computer maintenance functions, then please seek competent professional help to do so.

Your Nation is Depending On You.

¯\_(ツ)_/¯
Gerald Reiff
