AppGuard Customers Protected Against Process Doppelgänging - Fileless Attack

Discussion in 'AppGuard (Blue Ridge Networks)' started by Lockdown, Dec 10, 2017.

  1. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,701
    11,826
    AppGuard LLC Virginia, U.S.
    #1 Lockdown, Dec 10, 2017
    Last edited: Dec 10, 2017
    Official Website:
    https://www.appguard.us/blog/process-doppelgnging
    [​IMG]
    AppGuard Customers Protected Against Process Doppelgänging - Fileless Attack
    Eirik Iverson
    December 8, 2017
    Cybersecurity, Malicious Code Attacks


    This week, researchers presented at Black Hat Europe in London information regarding an extremely dangerous new “fileless” attack vector that affects all Windows operating systems. The researchers observed that the attack bypasses many widely used endpoint security tools. AppGuard customers need NOT make any policy adjustments to mitigate risks from such attacks. AppGuard already blocks them.

    Details of the new code injection attack can found in the researchers’ Black Hat presentation available online. In short, exploitation of the discovered Windows design flaw involving commonly available Windows system calls (API), enables attackers to inject code into Windows system files or other trusted applications, transforming them into weaponized instruments working for the attackers. Worse, because of the way Windows operates, antivirus, Endpoint Detection and Response (EDR), and other tools are unable to detect and stop these code injections. Sophisticated attackers can further take advantage of this blind spot by leaving little to no indicators of compromise behind, making compromise discovery even more difficult. These new code injection attacks can succeed without leaving a trace.

    In-memory tactics became increasingly prevalent in the wild after application whitelisting cyber controls became widely adopted by the enterprise. This is because whitelisting only prevents unknown executables from launching. Such tools do NOT contain what trusted applications do after they launch. In the Doppleganging code injection attack, the malicious code is inserted into the application during the program load stage.

    Based on the revealed tests using the new code injection attack, none of the well-known antivirus products, including much hyped Machine Learning/Artificial Intelligence antivirus products, were able to detect and stop the attack. The products are listed in the Black Hat presentation.

    When the Doppleganging code injection attack is used in the wild, it will typically be launched in the form of phishing, drive by download, or via weaponized document. AppGuard will defeat such attacks in the earliest Doppleganging stages, preventing the adversaries from transforming other processes on the endpoint into unbounded malicious instruments.

    The Doppleganging attack potential helps illustrate the downside to reliance on a ‘detect and react’ posture. It requires the enterprise to employ an army of highly skilled analysts to sift through mountains of alerts from many different sources. Check out our recent blog post on cyber alerts fatigue. Despite the army of analysts, the array of tools and services, and the workflow overhead, the time to detect data breaches is usually measured in months. Ponemon reported a median of just over 6 months. How long can the enterprise sustain these costs and labor challenges that grow year after year? The enterprise cannot afford to accept endpoint compromises as an unavoidable new normal. It needs to keep fighting the good fight, preventing compromises at the endpoint. Much of the enterprise cyber program costs depends on what happens at the endpoint.

    Tagged: Process Doppelgänging, fileless attack, Windows Operating Systems, Cybersecurity

    4 Likes
    Share



    Older PostKeep Calm And… Here Is A List Of Alarming Cybersecurity Statistics

    Contact Us
    Support

    VA Office

    14120 Parke Long Court
    Suite 103
    Chantilly, VA 20151
    USA

    NY Office

    333 Seventh Avenue
    10th Floor
    New York, NY 10001
    USA


    Tokyo Office
    (Blue Planet-works, Inc.)

    Daiwa Jingumae Bldg., 3Fl2-4-11 Jingumae
    Shibuya-Ku Tokyo,
    150 - 0002
    Japan

    [​IMG]
    A Blue Planet-works Company

    Terms of Use | Privacy Policy | All Right Reserved, © 2017. AppGuard, LLC. Blue Planet-Works Company
     
    In2an3_PpG, Umbra, harlan4096 and 4 others like this.
  2. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,162
    29,625
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    I think we can't miss it is appguard thread :p
     
  3. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,701
    11,826
    AppGuard LLC Virginia, U.S.
    #3 Lockdown, Dec 10, 2017
    Last edited: Dec 10, 2017
    Copy-Paste is more efficient. I am not trying to make a fashion statement or any kind of statement, but you know there are those that will accuse me of doing something rotten. Here on the forums a simple copy-paste will get you falsely accused.
     
    Umbra likes this.
  4. plat1098

    plat1098 Level 5

    Aug 23, 2017
    227
    1,332
    Brooklyn
    Windows 10
    Microsoft
    Can I timidly say something? Speaking of fashion, those are the addresses of your offices? The New York one is right by the Fashion Institute of Technology in midtown Manhattan--I must have walked by that building a hundred times. This is some of the most sought-after unreal estate in the world, believe it!
     
    upnorth likes this.
Loading...
Similar Threads Forum Date
How to configure AppGuard to be use on a gaming PC? AppGuard (Blue Ridge Networks) Friday at 6:06 PM
Q&A AppGuard + Spectre/Meltdown General Security Discussions Jan 9, 2018
AppGuard LLC Partners with SheepDog Response AppGuard (Blue Ridge Networks) Jan 2, 2018