cyber security image

Fileless Attacks: How do you protect your organisation from a threat you can’t see?

Fileless Attacks: The Threat You Can’t See

Fileless attacks are on the rise. A study by the Ponemon Institute found that 29% of the attacks faced by organisations during 2017 were fileless. This number has been increasing year on year and is expected to reach 35% in 2018.

The reason for this increase is simple. Hackers know they stand a greater chance of succeeding with a fileless attack because they are more difficult to detect. Traditional anti-malware and anti-virus tools search for malicious software by scanning a computer’s hard drive. This has led cybercriminals to pursue attacks that avoid the hard drive altogether.

How do fileless attacks work?

To avoid the hard drive, hackers hide malicious code in memory instead, using authorised native programs and tools within the operating system to attack by stealth.

This is how an attack against your organisation could occur:

  1. An employee receives a spam email with a link to a malicious website.
  2. The employee clicks on the link.
  3. The malicious website loads an authorised program, such as Flash, on the employee’s computer and exploits its known vulnerabilities.
  4. The program then opens Windows PowerShell, a native Windows tool, which is able to execute instructions through the command line while operating in memory.
  5. PowerShell downloads and runs a malicious script.
  6. The PowerShell script locates data on the employee’s computer and sends it to the attacker.

Using authorised applications already installed on the target’s computer is more discrete than placing a file on the user’s computer. The hacker can undertake the same types of attack as they otherwise could, such as ransomware attacks for example, but is far less likely to be noticed. This is why it is essential to swiftly patch and update your operating systems and software applications.

Although not truly a ‘fileless’ attack, the same attack could occur if an employee opens a Word or PDF document sent from a malicious source. With a Word document, for instance, the attack will use a Microsoft Office macro to launch PowerShell and run the hacker’s script. Programmes such as Adobe PDF Reader and Javascript all have known vulnerabilities which hackers seek to use to their advantage.

Fileless attacks will continue to rise until organisations become effective at identifying and defending themselves from this type of attack. Cybersecurity tools that learn and analyse patterns of behaviour are better placed to spot unusual activity on your networks, which could afford some protection against fileless attacks.

Cybersecurity Training

However, relying on cybersecurity tools alone is not enough. Training staff to recognise fraudulent and spam emails also needs to be a crucial element of your cybersecurity strategy. Spam emails are becoming less obvious to spot, often looking near identical to emails from a legitimate source. The few seconds it takes an employee to check the sender’s email address is accurate could be the difference between a successful and unsuccessful attack against your company.

As new modes of threat emerge, organisations must rethink the ways they protect themselves, and analyse the cybersecurity tools they use.

If you have concerns about your cybersecurity, give us a call on 0844 586 0040 or email:[email protected].

We’re here to help.


survival in the digital age

How are Word-based fileless attacks targeting aid organisations?

Imagine you have opened a Word file that was emailed to you by a prominent organisation in your field. On the surface, nothing else happens. You notice no changes and your antivirus system doesn’t detect anything suspicious. Would you (or your employees) expect to be spied on by hackers?

This March, McAfee identified a new fileless hacking operation which is targeting humanitarian aid organisations worldwide. ‘Operation Honeybee’ tricks its targets into opening compromised Word documents. When this is achieved, their malware takes hold in the computer and allows the hackers to spy on their target undetected. They are able to escape scrutiny because of their fileless strategy.

Fileless Attacks

There has been a surge in fileless attacks. A study by the Ponemon Institute predicts they will comprise 35% of all cyber attacks in 2018. As hard drive-focused antivirus scanners become more effective, hackers are resorting to strategies which do not leave files in your directory. Instead, they exploit known weaknesses in legitimate programs which are already on your computer. Once they have gained a foothold there, they can run commands which allows them to spy on you, mine cryptocurrency, ransom your files, and even take over your entire system.

 Honeybee and spear phishing pierce your defences

Another dangerous aspect of the Honeybee operation is its use of ‘spear phishing’; a more sophisticated form of phishing. Where ordinary phishing campaigns send out misleading emails in bulk, and cross their fingers, spear phishing tailors its message to appeal to a particular target in order to increase its chances of success.

In the case of Honeybee, the hackers designed their initial email to pass for a message from the International Red Cross. They then used the decoy document to ambush employees of the aid organisations they wanted to spy on.

The Red Cross is a perfect disguise for a spear phishing operation, as it is a well-known, trusted organisation. Combining this with the fileless nature of the attack, it is even more likely to escape detection. This joint strategy can be adapted to target any industry.

Joint strategy; twofold solution

If hackers are purposefully evading traditional antivirus strategies, how can you keep your system safe? There is a twofold solution.

First of all, there are innovative antivirus programs which do protect against fileless attacks. The latest cybersecurity tools use machine learning to pinpoint unusual activity on your system. This allows them to eliminate threats which would otherwise remain hidden.

Secondly, you can implement a training strategy which will increase awareness of the strategies used by hackers. When properly prepared, members of your organisation can neutralise a threat by taking as little as a minute to verify the source of emails they receive. It really can be that simple.

Every organisation can benefit from added protection. Give us a call on 0844 586 0040, or email [email protected], and we’ll be happy to advise you.


Flag of Europe

Building trust: What GDPR can do for your council

How would the introduction of GDPR have affected Basildon Council?

Prior to the introduction of GDPR (General Data Protection Regulation)  in 2017, Basildon Council was fined £150,000 for failing to store personal data securely. Because there was no adequate data protection policy in place, details of a family’s disabilities, including mental health issues, were published online. They remained publicly accessible for weeks. This incident had huge reputational and financial repercussions for the Council.

The £150,000 fine was imposed under the old Data Protection Act. With the enforcement of GDPR in May, the ICO are now able to impose higher fines, which go up to 4% of the organisation’s turnover, or €20,000,000, whichever is greater. What’s more, the scope of the new legislation is far broader, setting higher standards of transparency for any organisation that handles EU citizens’ data.

Councils are already failing internal audits and incurring fines on an annual basis. What will happen now GDPR is enforceable? Unless action is taken now, councils stand to fall short of the new rules and be subject to the new fines. The purpose of GDPR is to protect citizens’ rights, not to cause councils to incur avoidable costs. How can GDPR help councils prevent the kind of incident Basildon has seen, and foster trust among residents?

How can new legislation help?

There is a lot of apprehension among residents regarding their privacy. Who holds my data, and why? If personal data is stored, is it being held securely? GDPR is designed to provide answers to those questions.

If an organisation is GDPR compliant, it means that personal data is only being stored when strictly necessary and under the best possible safeguards. More than that, GDPR puts control over data back into citizens’ hands, creating a new era of transparency. This is how GDPR, instead of remaining a looming spectre, can become a tool for councils to build trust.

GDPR compliancy for councils

The task for councils is clear: they must be able to map out the exact course data takes through their systems. When a resident requests to see their personal data, the council must be able to recover it. If you imagine the amount of data currently in the hands of councils, much of it in archival storage, you will see that this is a huge undertaking.

There are other liabilities councils may not even be aware of, such as their Active Directory management. Too often, when council employees change roles, their accounts remain active. This means that they can be exploited by disgruntled ex-employees, and even become targets for hackers. By implementing a system which closes obsolete accounts, councils can ensure that access is granted only to the right people.

There are big cost-saving benefits to be achieved by creating a safe, streamlined and transparent data policy. As well as avoiding fines and passing internal audits, in the process of becoming GDPR compliant, councils can effect substantial savings by reducing their storage of obsolete data.

We have the experience and expertise to reform your data management. If you are a council looking for a GDPR compliancy solution, please contact us on 0844 586 0040 or [email protected].