Mike Wilson is the Founder & CTO of Enzoic, a cybersecurity company that helps prevent account takeover of employee and customer accounts.
Malware is a growing threat to organizations and individuals. One increasingly popular variant is information-stealing malware (infostealers), which is malicious software designed to steal data.
Unlike ransomware, where information is held hostage, infostealer attacks happen covertly, and the growth has been driven by the explosion in connected devices coupled with the ease of trading information on the dark web. To provide perspective on the magnitude of the problem, research by Secureworks found that the volume of credentials for sale on the dark web from infostealers grew 150% between June 2022 and February 2023.
Infostealers 101
Infostealers are a type of malware as a service (MaaS) that extracts data from infected devices. The information is then sold and published as logs on the dark web.
The MaaS model has lowered the barrier to entry and driven up the risk, with research by Kaspersky finding that 24% of malware sold as a service is now infostealers. Bad actors lease malicious software from the dark web to carry out cyberattacks. Once installed, it stealthily gathers data such as usernames, passwords, dates of birth, home addresses, bank account numbers, credit card information, cellphone numbers, cookies and session IDs.
Infostealers allow criminals of limited means and technical knowledge to deploy the software and start accessing networks. The August 2023 Blackberry Global Threat Intelligence Report highlighted that healthcare and financial services are the most targeted sectors with infostealers.
Infostealer Sources
Infostealers can be extremely challenging to prevent for numerous reasons, including the fact that they often originate via the following avenues:
• Supply chain attacks. Bad actors intentionally target less secure elements in the supply chain and install infostealer malware to obtain access to more sensitive systems and files. Once a system is infected, the malicious software can easily reach any corporate resources on the network, such as VPNs, internal websites or corporate accounts.
• Fileless attacks. Another issue is that infostealers often take the form of fileless malware. These attacks use native, legitimate tools to infiltrate, unlike traditional malware that requires threat actors to install code on an enterprise system. Because nothing is written to disk, it is much more difficult for traditional endpoint security solutions to detect.
Threat Mitigation Solutions
What can enterprises do to defend against the growing threat?
Modern endpoint detection and response (EDR) and anti-malware tools are evolving to try to protect against infostealers, along with new anti-malware capabilities and other threat mitigation strategies.
Let’s examine the various options and why they can’t effectively combat the threat.
EDR
These solutions provide intelligence on threats and how they spread across the network. EDR products analyze telemetry from endpoints to obtain information that security teams can use to understand how an attack occurred, how future threats might materialize and what the organization can do to prevent those attacks. In addition, administrators can isolate endpoints under attack to prevent the attack from spreading.
However, there are several weaknesses with this technology, including:
• Additional burden on security teams. EDR requires a lot of manual input from security teams, many of whom are already struggling with the volume of work.
• False positives. EDR solutions do not delete suspected malware but simply capture the files they perceive as threats, which can cause spurious results.
• Significant training. Teams must be trained to accurately separate genuine threats from false positives, which can be a taxing imperative for busy security teams that are understaffed and undertrained.
Anti-Malware
Anti-malware software typically deploys signature-based malware detection, behavior-based malware detection or sandboxing to identify malicious software and prevent networks from being infected.
However, it has weaknesses of its own:
• System slowdown. These programs can negatively impact system speed and also cause network lags.
• No zero-day protection. Anti-malware cannot prevent zero-day attacks. This is a seismic weakness in the fight against infostealers. In 2022, the RedLine infostealer exploited a zero-day vulnerability to steal data from global brands.
In addition, EDR and anti-malware fail to address basic password vulnerabilities. With reuse still pervasive, tackling the credential problem is a central component of combatting infostealers. Adding another layer to screen credentials is vital to address the weaknesses with EDR and anti-malware options.
Threat Intelligence Is Vital
Early detection is essential, as any delay in identifying infostealers may result in the compromise of important accounts and, from there, the exposure of sensitive data. To help mitigate the risk, organizations need threat intelligence to ensure that if sensitive information or credentials are exposed in third-party breaches or infostealer logs, they can take quick action to prevent a breach.
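One way to implement the credential-screening layer the two preceding sections call for, as an added example rather than Enzoic's product or any code from the article: it matches a constructed threat-intelligence feed of exposed credentials against an organization's account directory and decides which accounts need a forced reset. The feed record format (`url|username|password`), the PBKDF2-SHA256 storage scheme and the `example.com` domain are assumptions.

```python
"""Screen a constructed exposed-credential feed against an org's accounts.

Added example, not Enzoic's code. Assumes the org stores PBKDF2-SHA256
password hashes with per-user salts and that the threat-intel feed delivers
plaintext credentials as 'url|username|password' records (constructed format).
"""
import hashlib
import hmac
import os

ORG_DOMAIN = "example.com"  # assumption: accounts are identified by e-mail


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with 100k iterations (assumed org policy)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_directory(users):
    """Build a minimal account directory: email -> (salt, stored_hash)."""
    directory = {}
    for email, password in users:
        salt = os.urandom(16)
        directory[email.lower()] = (salt, hash_password(password, salt))
    return directory


def parse_feed(lines):
    """Parse constructed 'url|username|password' records; skip malformed ones."""
    records = []
    for line in lines:
        parts = line.strip().split("|", 2)
        if len(parts) == 3 and parts[1]:
            records.append(tuple(parts))
    return records


def screen(directory, feed_lines):
    """Return the action to take for each org account named in the feed."""
    actions = {}
    for url, username, password in parse_feed(feed_lines):
        email = username.lower()
        if not email.endswith("@" + ORG_DOMAIN) or email not in directory:
            continue  # not one of our accounts
        salt, stored = directory[email]
        if hmac.compare_digest(stored, hash_password(password, salt)):
            # Exposed password is still live: reset it and revoke sessions.
            actions[email] = {"source": url, "action": "force_reset+revoke_sessions"}
        else:
            # Account appears in a log but the password has since changed.
            actions.setdefault(email, {"source": url, "action": "notify_review"})
    return actions
```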
Companies must integrate a proactive threat intelligence solution to mitigate the risks. To select the right solution, they should talk to industry analysts to get unbiased advice. However, don’t just consult legacy companies; connect with independents focused on cybersecurity—particularly those with a white hat hacker on staff. While this may seem time-consuming, it avoids potential problems further down the line.
In addition to seeking advice, organizations should take the following steps:
• Bring your own device (BYOD). Tighten policies to restrict devices that don’t meet company standards and have unsafe apps installed (such as gaming or dating sites) that are often infostealer entry points. This reduces the risk of infostealer malware from a personal site that could expose the corporate data contained on the device.
• Training. Regular internal training on the threat landscape is essential to keep employees aware of the latest tactics. For example, they need to understand how to identify a fake website from a legitimate one.
• Software updates. Ensure malware and antivirus software are up to date, and prevent users from accessing the company network until this is done.
Infostealers: Here To Stay
With infostealers continuing to flourish, companies can't bury their heads in the sand and hope they won't be impacted. An example of the volatility is the Raccoon Infostealer, which was shut down in 2022 and resurfaced in the summer of 2023 on the dark web with improved functionality. Organizations must remain vigilant and modernize their security strategies to enhance and strengthen their defenses against the ever-changing cyber threat landscape.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.