Page 148 - Cyber Defense eMagazine December 2023

Missing the Mark on Malware

According to SpyCloud, information-stealing malware infections (infostealer infections) preceded more than one-fifth (22%) of ransomware events at North American and European businesses in 2023. Common infostealers such as Raccoon, Vidar and RedLine further increased that probability within the 16-week period between the initial infection and the ransomware event. Based on an analysis of data exfiltrated from infected devices in the past year, a similar share of victim devices (20%) had at least one antivirus application installed at the time of the successful infection.

Threat actors use malware to exfiltrate authentication data, which they buy and sell on the darknet. Using this data, criminals can access an organization's network, where they conduct initial reconnaissance and steal additional data before deploying ransomware to incapacitate the target's business operations, or further the extortion through the theft of sensitive data.

Security leaders are not unaware of the malware threat. SpyCloud found 98% of IT leaders agreed they could improve security by better identifying business applications at risk of infostealer infections. Many companies have also begun taking technology-driven countermeasures, including automation, implementing multi-factor authentication (MFA), and adopting passkeys.

However, infostealers are challenging to detect and prevent, and security leaders struggle to keep up. While organizations can take precautions by educating employees and ensuring software protections are up to date, it's impossible to avoid infections entirely, and advanced strains can exfiltrate data and delete themselves in seconds – leaving very few indicators that the device was ever compromised.

Piling on traditional protections like MFA is not the full answer. While implementing MFA is certainly a good idea, authentication data stolen by infostealers is not limited to usernames and passwords. This data often includes things like cookies, which can enable session hijacking: an unsophisticated attack in which criminals use stolen cookies or tokens to impersonate a user. This attack gives criminals access to already-authenticated sessions, sidestepping the need for credentials, passkeys, and MFA. With all the permissions of a legitimate user, criminals can facilitate identity theft, make unauthorized transactions, or steal additional data.


With over 22 billion malware-stolen cookie records recaptured by SpyCloud last year, session hijacking is a significant threat. Despite this, IT leaders view monitoring for compromised session cookies as the third least important ransomware countermeasure and the least risky entry point. The fact is, however, that addressing ransomware must start with a holistic malware remediation strategy.



            An Elevated Approach for an Elevated Threat

The most common approach to remediating a malware infection starts and ends with the device and network impacted by the infection. However, this approach often ignores data siphoned by an infostealer – likely part of the initial attack – which can remain active long after the device has been wiped and the malware removed from the environment. Cybercriminals can use the stolen data to launch repeat cyberattacks against organizations and individuals, causing potentially irreparable damage.
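The two points above, that a stolen session cookie sidesteps MFA and that the cookie stays valid after the device is wiped unless the session itself is revoked, are easy to see in a small server-side session store. The following is an added example written for this article; it is not code from SpyCloud or from any product. The `SessionStore` class, the hypothetical user "alice", the addresses, user agents and timestamps are all constructed. It binds each session to the client context seen at login, flags a cookie presented from a different context, and shows that only `revoke_user()` actually ends the attacker's access.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float          # login time, seconds since the epoch
    client_ip: str          # client context captured at login
    user_agent: str
    revoked: bool = False


class SessionStore:
    """Hypothetical in-memory session table standing in for a web app's
    cookie-backed session storage."""

    def __init__(self, max_age: float = 8 * 3600):
        self.max_age = max_age
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, client_ip: str, user_agent: str,
              mfa_passed: bool, now: float) -> str:
        # MFA is checked exactly once, here. From this point the cookie value
        # alone is the proof of identity, which is what an infostealer copies.
        if not mfa_passed:
            raise PermissionError("MFA required at login")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, client_ip, user_agent)
        return token

    def check(self, token: str, client_ip: str, user_agent: str,
              now: float) -> tuple[bool, str]:
        """Validate a presented cookie. Returns (accepted, reason). A context
        mismatch is still accepted but flagged so the caller can alert on it."""
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown"
        if s.revoked:
            return False, "revoked"
        if now - s.created > self.max_age:
            return False, "expired"
        if s.client_ip != client_ip or s.user_agent != user_agent:
            return True, "context-mismatch"
        return True, "ok"

    def revoke_user(self, user: str) -> int:
        """The remediation step a device-only cleanup skips: invalidate every
        session of the exposed user. Returns the number of sessions revoked."""
        revoked = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                revoked += 1
        return revoked


def walkthrough() -> dict:
    """Constructed scenario: legitimate login, replay of the stolen cookie,
    a device wipe that changes nothing server-side, then session revocation."""
    store = SessionStore()
    t0 = 1_700_000_000.0                                  # constructed timestamp
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
    thief_ip, thief_ua = "198.51.100.7", "python-requests/2.31"

    cookie = store.login("alice", victim_ip, victim_ua, mfa_passed=True, now=t0)
    out = {}
    # 1. The stolen cookie is replayed from another host: no password, no MFA
    #    prompt. The only signal is that the client context changed.
    out["replay"] = store.check(cookie, thief_ip, thief_ua, now=t0 + 600)
    # 2. The victim's laptop is re-imaged. The session store never hears about
    #    it, so the same replay still works an hour later.
    out["after_wipe"] = store.check(cookie, thief_ip, thief_ua, now=t0 + 3600)
    # 3. Holistic remediation: revoke the user's sessions, forcing a fresh
    #    login (and fresh MFA) on everyone holding the old cookie.
    out["revoked_count"] = store.revoke_user("alice")
    out["after_revoke"] = store.check(cookie, thief_ip, thief_ua, now=t0 + 3700)
    out["victim_after_revoke"] = store.check(cookie, victim_ip, victim_ua, now=t0 + 3700)
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step:>20}: {result}")
```

The context comparison is a detection signal, not a guarantee: stealers frequently ship the browser fingerprint alongside the cookie, and a replay can originate from a similar network range. Treat "context-mismatch" as something to alert on and pair it with short session lifetimes and a feed of exposed cookies, so that `revoke_user()` runs as part of every infostealer remediation rather than only after a device is rebuilt.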





            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.