Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/24/2019
10:00 AM
Chris Gerritz
Chris Gerritz
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Commoditization of Multistage Malware Attacks

Malware that used to be advanced is now available to everyone. These three actions could help you stay safer.

As strange as it might sound, a single-stage malware attack might be considered almost old-fashioned in the near future. An organization or user can be attacked with relatively straightforward ransomware that immediately threatens a cryptolock on data if payment is not forthcoming. Nowadays, these single-stage malware attacks have been supplemented and sometimes replaced with far more sophisticated multistage attacks that include an initial downloader, the main component of the malware, and additional modules delivered over a period of days, weeks, or more. 

However, what used to be advanced has now been commoditized. Multistage attack kits and associated malware is now available either at open source code communities or at malware-as-a-service sites that provide downloads to criminals, rogue nations, and other bad actors.   

Trickbot and Emotet
Recent examples of commodity multistage malware include Trickbot and Emotet. Trickbot is a banking Trojan that targets users' financial information and can act as a dropper for other malware. An attacker can leverage TrickBot's modules to steal banking information such as passwords and credit card numbers, conduct system and network reconnaissance, and propagate additional malware across networks or other areas.

Emotet, another banking Trojan, is often used in untargeted "watering hole" attacks ─ everyone who goes to the well gets infected. After systems are compromised, attackers will survey the infected system or network to determine what value the target has. The program can then be used to inject code into the networking stack of an infected Microsoft Windows computer, allowing sensitive data to be monitored, corrupted via ransomware, or the access can be sold to a third party depending on the motivations of the attacker and the value of the compromised asset.

Increased Dwell Time
One of the reasons that multistage malware poses such a risk to targets is the extended dwell time between when a hack occurs and when it's detected. Between the first and final stages of the attack, the malware has time to move across systems and networks, communicate with the entity behind the attack, and better prepare for an eventual incident involving data theft, espionage, or infrastructure damage.

Although dwell time is a common topic in malware discussions, we believe that current estimates of dwell time need to be revised upward. According to a report by the Ponemon Institute, US companies took an average of 206 days to detect a data breach. However, Infocyte recently conducted a deep analysis of 5 million system scans using our technology and found an average dwell time of 798 days. You read that right. Dwell time of over two years, with some hacks going back to 2011.

Aside from the fact that multistage attacks are orchestrated over a period of time, dwell time with multistage malware is driven by a number of other factors. In some cases, the criminals who originally planted the malware and were waiting to deploy them have been intercepted by law enforcement agencies, so the malware is never activated; no one is left to pull the trigger. In other cases, the malware was never intended to affect the first target organization but to leverage its networks to attack other organizations that contain more valuable assets. In every case, the longer the dwell time, the greater the cost of identifying the breach and addressing the consequences of the attack. 

Three Recommended Actions
How should you respond to the growing proliferation of multistage malware that can be readily acquired and easily customized to target organizations like yours?

  1. The first step is to assume you've already been compromised. Malware may not be actively affecting your business, but that doesn't mean it's not there, capable of stealing passwords, dropping other malware files in other systems, or enabling unauthorized access to your networks that can be sold later to criminal bidders. Assume that malware has, can, and will breach your existing defenses. This means that your IT components cannot be trusted until proven otherwise and should be validated on a regular basis.
  1. Second, fighting infections should always involve more than a single system. Don't play whack-a-mole. You might have detected and eliminated the originating system, but maybe the originating system isn't where the attacker lives now. Eliminate the attacker in one place, and it might pop up in another. Think in terms of your entire IT infrastructure, from endpoints to data stores. 
  1. Finally, consider a thorough compromise assessment from a reputable third-party vendor. (Full disclosure: Infocyte is one of a number of companies offering such a service.) The assessment should identify intrusions, ensure that current endpoints and systems are "clean," determine weaknesses, and gauge the risk of future compromises.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Chris Gerritz is Co-Founder and Chief Product Officer of Infocyte, Inc., developer of the only agentless detection and incident response solution. Chris is a pioneer in defensive cyberspace operations, having established the US Air Force's elite Defensive Counter Cyber ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7856
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
CVE-2021-28793
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-25679
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
CVE-2021-25680
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
CVE-2021-25681
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...