6 ways malware can bypass endpoint protection

Jun 10, 2019 | 9 mins
Endpoint Protection, Malware, Security

Breaches from attacks that defeat or run around endpoint protection measures are on the rise. Here's how attackers do it.


Sixty-three percent of IT security professionals say the frequency of attacks has gone up over the past 12 months, according to Ponemon’s 2018 State of Endpoint Security Risk report — and 52% of respondents say all attacks cannot be realistically stopped. Their antivirus solutions are blocking only 43% of attacks. Sixty-four percent of respondents said that their organizations had experienced one or more endpoint attacks that resulted in a data breach.

The report, which was based on a survey of 660 IT security professionals, showed that most (70%) said that new and unknown threats to their organizations have increased, while the cost of a successful attack has increased from an average of $5 million to $7.1 million.

However, nearly every computer has some form of protection built in. So why are the attackers still getting through? These are the top methods attackers use to bypass endpoint protection security.

1. Script-based attacks

In a script-based or “fileless” attack, the malware is actually a script that runs in an existing, legitimate application to leverage PowerShell or use other already-installed Windows components. There’s no new software being installed, so many traditional defenses are bypassed.

According to Ponemon, these kinds of attacks are significantly more likely to result in a successful breach, and they’re going up, from 30% of all attacks in 2017 to 35% last year. “There would be very few artifacts — for example no actual malware binary to scan,” says Jérôme Segura, senior security researcher at Malwarebytes.

There could be some network traffic that could be picked up by security systems. “However, attackers can encrypt those communications as well and use a trusted communication route to exfiltrate the data quietly,” he says.

According to the Symantec Internet Security Threat Report, released earlier this year, the use of malicious PowerShell scripts increased 1000% last year. Attackers use PowerShell by, for example, executing commands that are not readable by humans such as base64-encoded commands, says Naaman Hart, cloud services security architect at Digital Guardian. “PowerShell is a necessity these days and therefore it’s generally always available for exploit.”

The key to catching these kinds of attacks is to look for instances where common applications are executing uncommon operations, Hart says. “If, for example, you tracked the last thousand executed commands in your environment, you’d be looking for the ones that occurred less than five times,” he says. “This will generally lead to the uncommon commands, which are more often than not the ones that are nefarious.”
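Hart's heuristic as an added Python example (not code from the article or from any vendor product): it counts normalized command lines over the last thousand, flags those seen fewer than five times, and decodes any base64 `-EncodedCommand` argument so an analyst can read it. The sample command lines, function names, and normalization rules are constructed assumptions.

```python
import base64
import re
from collections import Counter

# Matches a flag starting with "e" followed by a base64-looking argument.
ENC_FLAG = re.compile(r"\s[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    for flag, blob in ENC_FLAG.findall(cmdline):
        flag = flag.lower()
        # Abbreviated forms such as -enc and -ec are accepted by powershell.exe.
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                # -EncodedCommand takes base64 of a UTF-16LE string.
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:  # bad base64 or bad UTF-16
                return None
    return None

def normalize(cmdline):
    """Collapse variable parts so repeated invocations count as one command."""
    s = re.sub(r"[A-Za-z0-9+/=]{16,}", "<B64>", cmdline)
    return re.sub(r"\d+", "<N>", s).lower()

def rare_commands(commands, window=1000, threshold=5):
    """Flag commands whose normalized form occurs < threshold times in the window."""
    recent = commands[-window:]
    counts = Counter(normalize(c) for c in recent)
    return [
        {"command": c, "count": counts[normalize(c)],
         "decoded": decode_encoded_command(c)}
        for c in recent if counts[normalize(c)] < threshold
    ]

# Constructed sample of process-creation command lines (not real telemetry).
_ENC = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_COMMANDS = (
    ["powershell.exe -File C:\\ops\\backup.ps1 -Day %d" % d for d in range(1, 9)]
    + ["cmd.exe /c ipconfig /all"] * 6
    + ["systeminfo.exe"]
    + ["powershell.exe -NoProfile -EncodedCommand " + _ENC,
       "powershell.exe -NoProfile -enc " + _ENC]
)

if __name__ == "__main__":
    for f in rare_commands(SAMPLE_COMMANDS):
        print(f["count"], f["command"][:60], "->", f["decoded"])
```

Rare does not mean malicious: the one-off `systeminfo.exe` is flagged alongside the encoded invocations, so the output is a triage queue rather than a verdict.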

Many security platforms defend against phishing attacks by preventing users from clicking on malicious links. For example, they might check if a particular IP address has been associated with other malware campaigns. “However, if you host it on something like Azure or Google cloud, then this is infrastructure that is widely used and cannot be blacklisted,” says Segura. Slack, GitHub, and other collaboration tools can also be used to help bypass defenses.

Once malware has already been installed, it often communicates back to command-and-control (C&C) servers to get instructions for what to do next and to exfiltrate data. Again, this communication channel can be disguised if the C&C server is hosted on an otherwise legitimate platform.

Plus, these services have built-in encryption features, says Liviu Arsene, senior e-threat analyst at Bitdefender. Even online photo-sharing sites can be used as part of attacks. “Attackers create social media accounts and upload photos that contain hidden code or instructions within the image,” he says. “The malware is then instructed to simply access the account, look at the most recent picture, pull the set of instructions hidden in the image, and then execute the instructions.”

To the IT department and corporate security teams, it will just look as if the employee is browsing social media. This is hard to catch. Even the latest generation of endpoint protection technology will have trouble since the attackers are mimicking normal user behavior.

To guard against this, defenders may want to look for instances where these otherwise normal communications are taking place at unusual times, or when an application isn’t typically used by a department.

The technique of hiding commands in images, called steganography, can also be used to hide commands in image attachments. In May, ESET published a report about Turla LightNeuron, a backdoor designed to target Microsoft Exchange mail servers. According to ESET, LightNeuron uses emails to communicate with its command and control servers, and hides the messages in image attachments, such as PDFs or JPGs.

3. Poisoning legitimate applications and utilities

Every enterprise has a multitude of third-party apps, tools and utilities used by employees. If attackers compromise those applications by getting into the companies that develop them, into the upgrade utilities, or into the codebase of open source projects, they can install backdoors and other malicious code. “For example, CCleaner, a popular computer utility for cleaning potentially unwanted files and registry entries from a computer, was tainted with a backdoor,” says Arsene.

According to the Symantec Internet Security Threat Report, the number of attacks that targeted the software supply chain rose by 78% in 2018.

Open-source code is particularly vulnerable, says Tim Mackey, principal security strategist at Synopsys. First, attackers contribute a legitimate bug fix or software improvement that actually works. “The legitimate code is there to mask any malicious code in an effort to pass the review process,” he says.

If the review process doesn’t vet the full functionality of the contribution, the contribution becomes part of a future release of the software, Mackey says, “but more importantly could become part of a branch of that component embedded into commercial software packages.”

To defend against this, enterprises and software developers must be careful to inspect software for open-source code, Mackey says, and then map that code back to its precise origin so that it can be removed or remediated quickly once spotted.

4. Sandbox evasion

One common feature of next-gen endpoint protection platforms is sandboxing, where unknown malware is detonated within a safe, virtual environment. This is a useful technique when attackers are constantly modifying malware so that it isn’t picked up by signature-based defenses.

“A hacker can also easily bypass such filters,” says Oliver Münchow, founder at Lucy Security. They do this by writing the malware in such a way that it only activates the bad behavior outside the sandbox. For example, it might only activate when a real person interacts with it, or when other criteria are met.

There might be a delay, for example. Malware might wait hours, or days, or even weeks before it detonates, allowing the infection to spread as far as possible before the payload is triggered. Or the malware can simply check if it’s running in a hypervisor environment. For example, the latest version of the JasperLoader malware queries the Windows Management Instrumentation subsystem to find out where it’s running, and if it’s on VirtualBox, VMware, or KVM, it terminates execution, according to a May report from Cisco Talos.

5. Unpatched vulnerabilities

EternalBlue, a security tool first developed by the National Security Agency (NSA), was leaked online in 2017. Since then, EternalBlue has been implicated in attacks against the British healthcare system, a $400 million attack on FedEx, a $670 million attack on Merck, and many other targets — even though Microsoft had quickly released a patch.

Most recently, Baltimore was hit by a ransomware attack that reportedly used the EternalBlue vulnerability. And Baltimore isn’t alone. According to security firm ESET, the number of attack attempts involving EternalBlue has been rising since 2017 and reached historic peaks this spring. Almost a million machines in the world still use the obsolete, vulnerable SMB v1 protocol, and more than 400,000 of them are in the U.S., ESET reported.

According to Ponemon, 65% of organizations said that keeping up with patches was challenging or extremely challenging.

6. Taking down the security agents

In April, Absolute Security released the results of a year-long global study of six million devices. The average device has ten security agents. That’s a lot of endpoint protection. However, it isn’t always as effective as it could be. To start with, the agents overlap, collide and interfere with one another. At any given point in time, 7% of endpoints are missing protection and 21% have outdated systems.

Even if the endpoint protection security is installed, up-to-date and fully effective, once attackers gain a foothold — such as by the use of EternalBlue — they have several ways to turn off endpoint protection services. For example, they can use an existing legitimate application such as PowerShell, says Humberto Gauna, consultant at BTB Security.

They can also launch a denial of service attack against the endpoint security agents, overwhelming them so that they are no longer able to function, or they might be able to take advantage of agents that haven’t been properly configured, Gauna adds. Then, attackers make changes to the registry to escalate privileges, so that they can override the endpoint protection services once they resume.  

The way to protect against it is by creating a more rigorous privilege hierarchy, Gauna says, and by consistent patching.

All the above methods are sophisticated. They typically show up in attacks from nation-state attackers.

Well, they used to. Now, they’re being used by a much broader set of attackers, says Justin Shattuck, director of threat research at Baffin Bay Networks, a cybersecurity company based in Sweden. “This is really problematic,” he says.

The attacks are packaged on the dark web in a way that allows less technical people to use them, Shattuck says. Not only does it increase the number of sophisticated attacks that enterprises have to defend against, but it also makes it harder for authorities to intervene. “The less-technical people take all the risk,” he says. “If they get caught, we’re often unable to get at the people packaging and delivering the capabilities.”