AppGuard Customers Protected Against Process Doppelgänging - Fileless Attack

Lockdown

From AppGuard
Developer
Joined
Oct 24, 2016
Messages
3,007
#1

AppGuard Customers Protected Against Process Doppelgänging - Fileless Attack
Eirik Iverson
December 8, 2017
Cybersecurity, Malicious Code Attacks


This week, researchers presented at Black Hat Europe in London information regarding an extremely dangerous new “fileless” attack vector that affects all Windows operating systems. The researchers observed that the attack bypasses many widely used endpoint security tools. AppGuard customers need NOT make any policy adjustments to mitigate risks from such attacks. AppGuard already blocks them.

Details of the new code injection attack can found in the researchers’ Black Hat presentation available online. In short, exploitation of the discovered Windows design flaw involving commonly available Windows system calls (API), enables attackers to inject code into Windows system files or other trusted applications, transforming them into weaponized instruments working for the attackers. Worse, because of the way Windows operates, antivirus, Endpoint Detection and Response (EDR), and other tools are unable to detect and stop these code injections. Sophisticated attackers can further take advantage of this blind spot by leaving little to no indicators of compromise behind, making compromise discovery even more difficult. These new code injection attacks can succeed without leaving a trace.

In-memory tactics became increasingly prevalent in the wild after application whitelisting cyber controls became widely adopted by the enterprise. This is because whitelisting only prevents unknown executables from launching. Such tools do NOT contain what trusted applications do after they launch. In the Doppleganging code injection attack, the malicious code is inserted into the application during the program load stage.

Based on the revealed tests using the new code injection attack, none of the well-known antivirus products, including much hyped Machine Learning/Artificial Intelligence antivirus products, were able to detect and stop the attack. The products are listed in the Black Hat presentation.

When the Doppleganging code injection attack is used in the wild, it will typically be launched in the form of phishing, drive by download, or via weaponized document. AppGuard will defeat such attacks in the earliest Doppleganging stages, preventing the adversaries from transforming other processes on the endpoint into unbounded malicious instruments.

The Doppleganging attack potential helps illustrate the downside to reliance on a ‘detect and react’ posture. It requires the enterprise to employ an army of highly skilled analysts to sift through mountains of alerts from many different sources. Check out our recent blog post on cyber alerts fatigue. Despite the army of analysts, the array of tools and services, and the workflow overhead, the time to detect data breaches is usually measured in months. Ponemon reported a median of just over 6 months. How long can the enterprise sustain these costs and labor challenges that grow year after year? The enterprise cannot afford to accept endpoint compromises as an unavoidable new normal. It needs to keep fighting the good fight, preventing compromises at the endpoint. Much of the enterprise cyber program costs depends on what happens at the endpoint.

Tagged: Process Doppelgänging, fileless attack, Windows Operating Systems, Cybersecurity

4 Likes
Share



Older PostKeep Calm And… Here Is A List Of Alarming Cybersecurity Statistics

Contact Us
Support

VA Office

14120 Parke Long Court
Suite 103
Chantilly, VA 20151
USA

NY Office

333 Seventh Avenue
10th Floor
New York, NY 10001
USA


Tokyo Office
(Blue Planet-works, Inc.)

Daiwa Jingumae Bldg., 3Fl2-4-11 Jingumae
Shibuya-Ku Tokyo,
150 - 0002
Japan


A Blue Planet-works Company

Terms of Use | Privacy Policy | All Right Reserved, © 2017. AppGuard, LLC. Blue Planet-Works Company
 
Last edited:

Umbra

Level 61
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,763
OS
Windows 10
Antivirus
Default-Deny
#2
I think we can't miss it is appguard thread :p
 

Lockdown

From AppGuard
Developer
Joined
Oct 24, 2016
Messages
3,007
#3
I think we can't miss it is appguard thread :p
Copy-Paste is more efficient. I am not trying to make a fashion statement or any kind of statement, but you know there are those that will accuse me of doing something rotten. Here on the forums a simple copy-paste will get you falsely accused.
 
Last edited:
Likes: Umbra
P

plat1098

Guest
#4
Can I timidly say something? Speaking of fashion, those are the addresses of your offices? The New York one is right by the Fashion Institute of Technology in midtown Manhattan--I must have walked by that building a hundred times. This is some of the most sought-after unreal estate in the world, believe it!
 
Likes: upnorth