AppGuard Customers Protected Against Process Doppelgänging - Fileless Attack

This week, researchers presented at Black Hat Europe in London information regarding an extremely dangerous new “fileless” attack vector that affects all Windows operating systems. The researchers observed that the attack bypasses many widely used endpoint security tools. AppGuard customers need NOT make any policy adjustments to mitigate risks from such attacks. AppGuard already blocks them.

Details of the new code injection attack can found in the researchers’ Black Hat presentation available online. In short, exploitation of the discovered Windows design flaw involving commonly available Windows system calls (API), enables attackers to inject code into Windows system files or other trusted applications, transforming them into weaponized instruments working for the attackers. Worse, because of the way Windows operates, antivirus, Endpoint Detection and Response (EDR), and other tools are unable to detect and stop these code injections. Sophisticated attackers can further take advantage of this blind spot by leaving little to no indicators of compromise behind, making compromise discovery even more difficult. These new code injection attacks can succeed without leaving a trace.

In-memory tactics became increasingly prevalent in the wild after application whitelisting cyber controls became widely adopted by the enterprise. This is because whitelisting only prevents unknown executables from launching. Such tools do NOT contain what trusted applications do after they launch. In the Doppleganging code injection attack, the malicious code is inserted into the application during the program load stage.

Based on the revealed tests using the new code injection attack, none of the well-known antivirus products, including much hyped Machine Learning/Artificial Intelligence antivirus products, were able to detect and stop the attack. The products are listed in the Black Hat presentation.

When the Doppleganging code injection attack is used in the wild, it will typically be launched in the form of phishing, drive by download, or via weaponized document. AppGuard will defeat such attacks in the earliest Doppleganging stages, preventing the adversaries from transforming other processes on the endpoint into unbounded malicious instruments.

The Doppleganging attack potential helps illustrate the downside to reliance on a ‘detect and react’ posture. It requires the enterprise to employ an army of highly skilled analysts to sift through mountains of alerts from many different sources. Check out our recent blog post on cyber alerts fatigue. Despite the army of analysts, the array of tools and services, and the workflow overhead, the time to detect data breaches is usually measured in months. Ponemon reported a median of just over 6 months. How long can the enterprise sustain these costs and labor challenges that grow year after year? The enterprise cannot afford to accept endpoint compromises as an unavoidable new normal. It needs to keep fighting the good fight, preventing compromises at the endpoint. Much of the enterprise cyber program costs depends on what happens at the endpoint.