Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/24/2019
10:00 AM
Chris Gerritz
Chris Gerritz
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Commoditization of Multistage Malware Attacks

Malware that used to be advanced is now available to everyone. These three actions could help you stay safer.

As strange as it might sound, a single-stage malware attack might be considered almost old-fashioned in the near future. An organization or user can be attacked with relatively straightforward ransomware that immediately threatens a cryptolock on data if payment is not forthcoming. Nowadays, these single-stage malware attacks have been supplemented and sometimes replaced with far more sophisticated multistage attacks that include an initial downloader, the main component of the malware, and additional modules delivered over a period of days, weeks, or more. 

However, what used to be advanced has now been commoditized. Multistage attack kits and associated malware is now available either at open source code communities or at malware-as-a-service sites that provide downloads to criminals, rogue nations, and other bad actors.   

Trickbot and Emotet
Recent examples of commodity multistage malware include Trickbot and Emotet. Trickbot is a banking Trojan that targets users' financial information and can act as a dropper for other malware. An attacker can leverage TrickBot's modules to steal banking information such as passwords and credit card numbers, conduct system and network reconnaissance, and propagate additional malware across networks or other areas.

Emotet, another banking Trojan, is often used in untargeted "watering hole" attacks ─ everyone who goes to the well gets infected. After systems are compromised, attackers will survey the infected system or network to determine what value the target has. The program can then be used to inject code into the networking stack of an infected Microsoft Windows computer, allowing sensitive data to be monitored, corrupted via ransomware, or the access can be sold to a third party depending on the motivations of the attacker and the value of the compromised asset.

Increased Dwell Time
One of the reasons that multistage malware poses such a risk to targets is the extended dwell time between when a hack occurs and when it's detected. Between the first and final stages of the attack, the malware has time to move across systems and networks, communicate with the entity behind the attack, and better prepare for an eventual incident involving data theft, espionage, or infrastructure damage.

Although dwell time is a common topic in malware discussions, we believe that current estimates of dwell time need to be revised upward. According to a report by the Ponemon Institute, US companies took an average of 206 days to detect a data breach. However, Infocyte recently conducted a deep analysis of 5 million system scans using our technology and found an average dwell time of 798 days. You read that right. Dwell time of over two years, with some hacks going back to 2011.

Aside from the fact that multistage attacks are orchestrated over a period of time, dwell time with multistage malware is driven by a number of other factors. In some cases, the criminals who originally planted the malware and were waiting to deploy them have been intercepted by law enforcement agencies, so the malware is never activated; no one is left to pull the trigger. In other cases, the malware was never intended to affect the first target organization but to leverage its networks to attack other organizations that contain more valuable assets. In every case, the longer the dwell time, the greater the cost of identifying the breach and addressing the consequences of the attack. 

Three Recommended Actions
How should you respond to the growing proliferation of multistage malware that can be readily acquired and easily customized to target organizations like yours?

  1. The first step is to assume you've already been compromised. Malware may not be actively affecting your business, but that doesn't mean it's not there, capable of stealing passwords, dropping other malware files in other systems, or enabling unauthorized access to your networks that can be sold later to criminal bidders. Assume that malware has, can, and will breach your existing defenses. This means that your IT components cannot be trusted until proven otherwise and should be validated on a regular basis.
  1. Second, fighting infections should always involve more than a single system. Don't play whack-a-mole. You might have detected and eliminated the originating system, but maybe the originating system isn't where the attacker lives now. Eliminate the attacker in one place, and it might pop up in another. Think in terms of your entire IT infrastructure, from endpoints to data stores. 
  1. Finally, consider a thorough compromise assessment from a reputable third-party vendor. (Full disclosure: Infocyte is one of a number of companies offering such a service.) The assessment should identify intrusions, ensure that current endpoints and systems are "clean," determine weaknesses, and gauge the risk of future compromises.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Chris Gerritz is Co-Founder and Chief Product Officer of Infocyte, Inc., developer of the only agentless detection and incident response solution. Chris is a pioneer in defensive cyberspace operations, having established the US Air Force's elite Defensive Counter Cyber ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5098
PUBLISHED: 2019-12-05
An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. A specially crafted pixel shader can cause out-of-bounds memory read. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be trigger...
CVE-2012-1104
PUBLISHED: 2019-12-05
A Security Bypass vulnerability exists in the phpCAS 1.2.2 library from the jasig project due to the way proxying of services are managed.
CVE-2019-17387
PUBLISHED: 2019-12-05
An authentication flaw in the AVPNC_RP service in Aviatrix VPN Client through 2.2.10 allows an attacker to gain elevated privileges through arbitrary code execution on Windows, Linux, and macOS.
CVE-2019-17388
PUBLISHED: 2019-12-05
Weak file permissions applied to the Aviatrix VPN Client through 2.2.10 installation directory on Windows and Linux allow a local attacker to execute arbitrary code by gaining elevated privileges through file modifications.
CVE-2019-18381
PUBLISHED: 2019-12-05
Norton Password Manager, prior to 6.6.2.5, may be susceptible to a cross origin resource sharing (CORS) vulnerability, which is a type of issue that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.