Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/24/2019
10:00 AM
Chris Gerritz
Chris Gerritz
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Commoditization of Multistage Malware Attacks

Malware that used to be advanced is now available to everyone. These three actions could help you stay safer.

As strange as it might sound, a single-stage malware attack might be considered almost old-fashioned in the near future. An organization or user can be attacked with relatively straightforward ransomware that immediately threatens a cryptolock on data if payment is not forthcoming. Nowadays, these single-stage malware attacks have been supplemented and sometimes replaced with far more sophisticated multistage attacks that include an initial downloader, the main component of the malware, and additional modules delivered over a period of days, weeks, or more. 

However, what used to be advanced has now been commoditized. Multistage attack kits and associated malware is now available either at open source code communities or at malware-as-a-service sites that provide downloads to criminals, rogue nations, and other bad actors.   

Trickbot and Emotet
Recent examples of commodity multistage malware include Trickbot and Emotet. Trickbot is a banking Trojan that targets users' financial information and can act as a dropper for other malware. An attacker can leverage TrickBot's modules to steal banking information such as passwords and credit card numbers, conduct system and network reconnaissance, and propagate additional malware across networks or other areas.

Emotet, another banking Trojan, is often used in untargeted "watering hole" attacks ─ everyone who goes to the well gets infected. After systems are compromised, attackers will survey the infected system or network to determine what value the target has. The program can then be used to inject code into the networking stack of an infected Microsoft Windows computer, allowing sensitive data to be monitored, corrupted via ransomware, or the access can be sold to a third party depending on the motivations of the attacker and the value of the compromised asset.

Increased Dwell Time
One of the reasons that multistage malware poses such a risk to targets is the extended dwell time between when a hack occurs and when it's detected. Between the first and final stages of the attack, the malware has time to move across systems and networks, communicate with the entity behind the attack, and better prepare for an eventual incident involving data theft, espionage, or infrastructure damage.

Although dwell time is a common topic in malware discussions, we believe that current estimates of dwell time need to be revised upward. According to a report by the Ponemon Institute, US companies took an average of 206 days to detect a data breach. However, Infocyte recently conducted a deep analysis of 5 million system scans using our technology and found an average dwell time of 798 days. You read that right. Dwell time of over two years, with some hacks going back to 2011.

Aside from the fact that multistage attacks are orchestrated over a period of time, dwell time with multistage malware is driven by a number of other factors. In some cases, the criminals who originally planted the malware and were waiting to deploy them have been intercepted by law enforcement agencies, so the malware is never activated; no one is left to pull the trigger. In other cases, the malware was never intended to affect the first target organization but to leverage its networks to attack other organizations that contain more valuable assets. In every case, the longer the dwell time, the greater the cost of identifying the breach and addressing the consequences of the attack. 

Three Recommended Actions
How should you respond to the growing proliferation of multistage malware that can be readily acquired and easily customized to target organizations like yours?

  1. The first step is to assume you've already been compromised. Malware may not be actively affecting your business, but that doesn't mean it's not there, capable of stealing passwords, dropping other malware files in other systems, or enabling unauthorized access to your networks that can be sold later to criminal bidders. Assume that malware has, can, and will breach your existing defenses. This means that your IT components cannot be trusted until proven otherwise and should be validated on a regular basis.
  1. Second, fighting infections should always involve more than a single system. Don't play whack-a-mole. You might have detected and eliminated the originating system, but maybe the originating system isn't where the attacker lives now. Eliminate the attacker in one place, and it might pop up in another. Think in terms of your entire IT infrastructure, from endpoints to data stores. 
  1. Finally, consider a thorough compromise assessment from a reputable third-party vendor. (Full disclosure: Infocyte is one of a number of companies offering such a service.) The assessment should identify intrusions, ensure that current endpoints and systems are "clean," determine weaknesses, and gauge the risk of future compromises.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Chris Gerritz is Co-Founder and Chief Product Officer of Infocyte, Inc., developer of the only agentless detection and incident response solution. Chris is a pioneer in defensive cyberspace operations, having established the US Air Force's elite Defensive Counter Cyber ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17545
PUBLISHED: 2019-10-14
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
CVE-2019-17546
PUBLISHED: 2019-10-14
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
CVE-2019-17547
PUBLISHED: 2019-10-14
In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c has a use-after-free.
CVE-2019-17501
PUBLISHED: 2019-10-14
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
CVE-2019-17539
PUBLISHED: 2019-10-14
In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer.