Page 148 - Cyber Defense eMagazine December 2023
Missing the Mark on Malware
According to SpyCloud, information-stealing malware infections (or infostealer infections) preceded over one-fifth (22%) of ransomware events for North American and European businesses in 2023. Common infostealers such as Raccoon, Vidar and RedLine further increased the probability of a ransomware event within the 16-week period following the initial infection. Based on an analysis of data exfiltrated from infected devices in the past year, a similar percentage of victim devices (20%) were equipped with at least one antivirus application at the time of the successful infection.
Threat actors use malware to exfiltrate authentication data, which they buy and sell on the darknet. Using this data, criminals can access an organization's network, where they conduct initial exploration and steal additional data before deploying ransomware to incapacitate the target's business operations or further the extortion through the theft of sensitive data.
Security leaders are not unaware of the malware threat. SpyCloud found 98% of IT leaders agreed they could improve security by better identifying business applications at risk of infostealer infections. Many companies have also begun taking technology-driven countermeasures, including automation, multi-factor authentication (MFA), and passkeys.
However, infostealers are challenging to detect and prevent, and security leaders struggle to keep up. While organizations can take precautions by educating employees and ensuring software protections are up to date, it's impossible to avoid infections entirely, and advanced strains can exfiltrate data and delete themselves in seconds – leaving very few indicators that the device was ever compromised.
Piling on traditional protections like MFA is not the full answer. While implementing MFA is certainly a good idea, authentication data stolen by infostealers is not limited to usernames and passwords. This data often includes things like cookies, which can enable session hijacking: an unsophisticated attack where criminals use stolen cookies or tokens to impersonate a user. This attack gives criminals access to already-authenticated sessions, sidestepping the need for credentials, passkeys, and MFA. With all the permissions of a legitimate user, criminals can commit identity theft, make unauthorized transactions, or steal additional data.
With over 22 billion malware-stolen cookie records recaptured by SpyCloud last year, session hijacking is a significant threat. Despite this, IT leaders view monitoring for compromised session cookies as the third least important ransomware countermeasure and the least risky entry point. The fact is, however, addressing ransomware must start with a holistic malware remediation strategy.
An Elevated Approach for an Elevated Threat
The most common approach to remediating a malware infection starts and ends with the device and network impacted by the infection. However, this approach often ignores data siphoned by an infostealer – likely part of the initial attack – which can remain active long after the device has been wiped and the malware removed from the environment. Cybercriminals can use the stolen data to launch repeat cyberattacks against organizations and individuals, causing potentially irreparable damage.
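The two points above, that a stolen cookie sidesteps MFA and that remediation must reach beyond the wiped device, translate into server-side controls. The following added example (not code from the article or from SpyCloud) sketches a minimal session store that binds each session cookie to the login context, revokes and alerts on a cookie presented from a different browser or network, and exposes a remediation step that revokes every live session of a user known to have been infected; `SessionStore`, its alert format and the in-memory table are constructed for this illustration. The context check is a heuristic that can also trip on legitimate network changes, so revocation on confirmed infection is the authoritative control.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    created: float
    ua_hash: str      # SHA-256 of the User-Agent seen at login
    ip_prefix: str    # first three octets of the client address at login
    revoked: bool = False

class SessionStore:
    """In-memory server-side session table (constructed for this example)."""
    def __init__(self, max_age=8 * 3600):
        self.sessions = {}
        self.max_age = max_age
        self.alerts = []      # (user, reason) tuples handed to the SOC

    @staticmethod
    def _context(user_agent, ip):
        ua_hash = hashlib.sha256(user_agent.encode()).hexdigest()
        return ua_hash, ".".join(ip.split(".")[:3])

    def login(self, user, user_agent, ip, now):
        # Called only after password and MFA succeed; the cookie value is this random token
        token = secrets.token_urlsafe(32)
        ua_hash, ip_prefix = self._context(user_agent, ip)
        self.sessions[token] = Session(user, now, ua_hash, ip_prefix)
        return token

    def validate(self, token, user_agent, ip, now):
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return None
        if now - s.created > self.max_age:
            s.revoked = True          # short lifetime limits how long a stolen cookie stays useful
            return None
        if self._context(user_agent, ip) != (s.ua_hash, s.ip_prefix):
            # Cookie replayed from another browser/network: revoke and alert rather than trust it
            s.revoked = True
            self.alerts.append((s.user, "session_context_mismatch"))
            return None
        return s.user

    def remediate_user(self, user):
        """Remediation step beyond wiping the device: revoke every live session of the user."""
        live = [s for s in self.sessions.values() if s.user == user and not s.revoked]
        for s in live:
            s.revoked = True
        return len(live)
```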
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.