Infostealers: What are they & far-reaching effects on data security – CyberTalk

By Hendrik De Bruin, Security Engineer, Check Point Software Technologies.

Infostealers…ransomware’s lesser-known cousin

When it comes to malware, ransomware usually steals the limelight, largely because of the direct, devastating impact that ransomware often causes. However, ransomware’s lesser-known cousin, the “infostealer,” is slowly but surely gaining ever-more attention.

Over the last few years, we have noticed a massive increase in the usage of infostealers. In fact, some research suggests as much as 5,900% growth since 2018. Statistics also indicate that during 2023, over 10 million devices were compromised by info stealing malware, reflecting an increase of 643% over the past three years.

An infostealer is a type of malware designed to infiltrate computer systems, not for purposes of data encryption like ransomware or data deletion like “wipers”, but specifically designed to steal sensitive information.

These malicious programs exfiltrate various data, including login credentials, session cookies, financial information, and personally identifiable information (PII). After harvesting and capturing the sensitive information, the infostealer sends it back to remote servers controlled by cyber criminals.

Once cyber criminals obtain the sensitive information, it is sold on the dark web to various nefarious actors, such as “Initial Access Brokers” who use the info to facilitate larger attacks, like ransomware attacks.

Infostealers…And their real-life impact

To showcase the impact that infostealers can have and to reinforce that infostealers deserve more attention, we can look at two recent incidents: a breach reported at Ticketmaster and at a major European bank.

In both cases, malicious actors gained access to information stored at a third-party service provider called Snowflake. Snowflake offers a cloud-based data storage and analytics service, often referred to as “data-as-a-service”.

During these breaches, attackers simply used credentials — which were most likely obtained through infostealers — to access associated Snowflake accounts, leading to the sale of information belonging to more than 550 million Ticketmaster customers on the dark web.

The info was sold by a group known as “ShinyHunters”, a known player in the infostealer business that’s notorious for using legitimate credentials to obtain initial access.

The ShinyHunters group also claims to have information related to 30 million customers and 28 million credit card numbers associated with the breached banking institution.

Although we focus on these two instances here, they reflect two of at least 165 Snowflake customer accounts that were accessed by this specific threat actor using credentials harvested through infostealers.

How can organisations protect themselves?

Although there may have been various security oversights involved with the two aforementioned breaches, I believe the following three factors played the biggest role:

1. Lack of end user email and browser protection – Among cyber criminals, the most popular means of malware delivery are email and internet downloads. Not having adequate email and browser security allowed for the initial delivery of the malware.

2. Lack of endpoint protection – Endpoint devices were not properly secured against malware such as infostealers, allowing the malware to be deployed on devices.

3. Lack of SaaS security – The absence of additional security controls, such as Multi-Factor Authentication, allowed for easy access using stolen credentials.

Another factor that often plays a role when it comes to SaaS security is the popular misconception that the Cloud Service Provider is responsible for your data in the cloud. In reality, YOU as the customer remain responsible and accountable for the security of and access control to data in the cloud.

Let’s unpack the items listed above to get a better understanding of how each played a role in the mentioned breaches.

Email and browser protection

Infostealers are typically delivered through internet downloads, phishing emails and/or other social engineering attacks.

Your first line of defense for the delivery of infostealers lies in the deployment of email security and anti-phishing solutions such as Harmony Email and Collaboration, which will prevent the delivery of phishing emails and emails containing malware.

Further, should a malicious email be delivered containing a malicious link, having adequate browser protection should prevent the browser from accessing the link and malware from being downloaded.

Internet access control and browser security solutions, such as Harmony SASE Internet Access, will prevent the download of malicious files and restrict corporate password re-use on non-corporate websites.

Corporate password re-use and other password best practices

Although passwords should NEVER be used as the only means of authentication, we still often find this to be the case in various organisations and applications. NIST and similar institutions publish guidelines and best practices for passwords. It is important to note, however, that apart from restricting corporate password re-use, none of these recommendations from NIST or similar institutions would have offered real protection against infostealers, mainly because infostealers exfiltrate cleartext passwords.

If you still rely on passwords, the following guidelines from NIST may assist you:

  • Increase password length – Password length matters more than complexity.
  • Avoid corporate password re-use – Ensuring that corporate passwords aren’t re-used for other platforms, such as social media, will keep your corporate credentials and systems protected from external credential breaches.
  • Breached password protection – Ensure that attempted password updates do not contain known breached passwords.
  • Password rotation – Contrary to popular belief, NIST advises against rotating passwords too often and regards 30 to 60 days as too often. Ninety days may be a fair compromise.
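
The four guidelines above can be expressed as concrete checks. The following is an added example written for this article; it is not Check Point code and not a NIST reference implementation. The minimum length of 15, the breached-password corpus, the corporate domain `corp.example` and the sample passwords are all constructed for the demonstration; the 90-day rotation period is the article's "fair compromise".

```python
"""Password checks implementing the four guidelines listed above.

Added example; not Check Point code. Breached corpus, corporate domain and
sample passwords are constructed.
"""
import hashlib
import hmac
from datetime import date

MIN_LENGTH = 15      # assumption: length, not character-class rules, is the control
MAX_AGE_DAYS = 90    # the article's "fair compromise" rotation period

# Constructed breached-password corpus. Real corpora are kept as digests so the
# checker never needs the cleartext of leaked passwords.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password123!", "Summer2023!", "Welcome1")
}

# Constructed corporate domain; any other host counts as a non-corporate site.
CORPORATE_DOMAINS = ("corp.example",)


def is_breached(password: str) -> bool:
    """Breached-password protection: reject a password seen in a known breach."""
    return hashlib.sha1(password.encode()).hexdigest() in _BREACHED_SHA1


def evaluate_new_password(password: str) -> list[str]:
    """Return policy findings for a proposed password (empty list = accepted)."""
    findings = []
    if len(password) < MIN_LENGTH:          # length matters more than complexity
        findings.append("too_short")
    if is_breached(password):
        findings.append("breached")
    return findings


def rotation_due(last_changed: date, today: date) -> bool:
    """Password rotation: flag only when the password is older than MAX_AGE_DAYS."""
    return (today - last_changed).days > MAX_AGE_DAYS


def corporate_fingerprint(password: str, salt: bytes) -> str:
    """Salted, slow digest of the corporate password kept by the re-use monitor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def is_corporate_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def flags_corporate_reuse(submitted: str, host: str, corp_fp: str, salt: bytes) -> bool:
    """Corporate password re-use: True when the corporate password is being
    submitted to a non-corporate site (the check a browser-security control
    performs at form-submit time). Only digests are compared."""
    if is_corporate_host(host):
        return False
    return hmac.compare_digest(corporate_fingerprint(submitted, salt), corp_fp)


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    corp_fp = corporate_fingerprint("correct horse battery staple", salt)
    print(evaluate_new_password("Welcome1"))                      # ['too_short', 'breached']
    print(rotation_due(date(2024, 1, 1), date(2024, 4, 15)))        # True
    print(flags_corporate_reuse("correct horse battery staple",
                                "social.example", corp_fp, salt))  # True
```

The re-use check is the one control on this list that still matters against an infostealer: the other three harden the password itself, but a stealer takes the password in cleartext regardless of its strength or age.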

Endpoint protection and response

From an endpoint perspective, Endpoint Detection and Response (EDR) remains one of the primary defenses against malware such as infostealers. EDR solutions typically include both signature-based and behaviour-based detection mechanisms; the latter analyse endpoint telemetry to detect suspicious activity and to match indicators of compromise (IOCs).

A solution like Check Point’s Harmony Endpoint leverages Check Point’s ThreatCloud, a dynamically updated service based on an innovative global network of threat sensors and organisations that share threat data. It collaboratively fights against modern malware by aggregating and analysing big data telemetry and millions of Indicators of Compromise (IoCs).

Over 50 AI-based engines analyze this data. These engines detect and neutralize novel threats, ensuring that both known and unknown threats are addressed and prevented.
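
To make the two detection styles concrete, here is an added example that is not Check Point or Harmony Endpoint code. It runs a signature check (process hash or destination host present in an IoC feed) and a behaviour check (a non-browser process reads a browser credential store and then opens a network connection) over a handful of constructed telemetry events. The IoC values, process names, hashes and hosts are constructed; the credential-store paths are the well-known Chrome and Firefox locations.

```python
"""Signature- and behaviour-based detection over endpoint telemetry.

Added example; not Check Point code. IoCs, hashes, process names and events
are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed indicators a threat feed might supply.
IOC_SHA256 = {"c0ffee00" * 8}             # constructed 64-hex placeholder
IOC_DOMAINS = {"stealer-c2.example"}      # constructed

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
# Credential/cookie stores that infostealers read; browsers themselves may.
CREDENTIAL_STORES = (
    "\\Google\\Chrome\\User Data\\Default\\Login Data",
    "\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
    "\\Mozilla\\Firefox\\Profiles\\",
)


@dataclass(frozen=True)
class Event:
    pid: int
    process: str      # image name
    sha256: str       # hash of the process image
    kind: str         # "file_read" or "net_connect"
    target: str       # file path or destination host


def signature_alerts(events):
    """Known-bad matching: image hash or destination host found in the IoC set."""
    alerts = []
    for e in events:
        if e.sha256 in IOC_SHA256:
            alerts.append((e.pid, "ioc_hash", e.sha256))
        if e.kind == "net_connect" and e.target in IOC_DOMAINS:
            alerts.append((e.pid, "ioc_domain", e.target))
    return alerts


def behaviour_alerts(events):
    """Unknown-bad matching: a non-browser process reads a browser credential
    store and afterwards opens a network connection. This catches a stealer
    whose hash and C2 host are not yet in any feed."""
    touched = defaultdict(list)   # pid -> credential stores read so far
    alerts = []
    for e in events:              # assumption: events are in chronological order
        if e.process.lower() in BROWSERS:
            continue
        if e.kind == "file_read" and any(s in e.target for s in CREDENTIAL_STORES):
            touched[e.pid].append(e.target)
        elif e.kind == "net_connect" and touched[e.pid]:
            alerts.append((e.pid, "credstore_then_exfil", e.target))
            touched[e.pid].clear()   # one alert per read-then-connect sequence
    return alerts


# Constructed telemetry: a browser doing its own work, an unknown "update.exe"
# harvesting credentials and cookies, and a process matching the IoC feed.
CHROME_LOGIN_DATA = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"
CHROME_COOKIES = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
SAMPLE_EVENTS = [
    Event(410, "chrome.exe", "11" * 32, "file_read", CHROME_LOGIN_DATA),
    Event(410, "chrome.exe", "11" * 32, "net_connect", "mail.corp.example"),
    Event(9120, "update.exe", "22" * 32, "file_read", CHROME_LOGIN_DATA),
    Event(9120, "update.exe", "22" * 32, "file_read", CHROME_COOKIES),
    Event(9120, "update.exe", "22" * 32, "net_connect", "files.lookalike.example"),
    Event(7001, "setup.exe", "c0ffee00" * 8, "net_connect", "stealer-c2.example"),
]

if __name__ == "__main__":
    for a in signature_alerts(SAMPLE_EVENTS) + behaviour_alerts(SAMPLE_EVENTS):
        print(a)
```

Note that the behaviour rule fires on `update.exe` even though neither its hash nor its destination host is in the feed, while the signature rule needs the feed to already know `setup.exe`; that gap is why both mechanisms are deployed together.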

Multi-factor authentication

Most Software as a Service (SaaS) offerings have multi-factor authentication available as a configurable option. If your organisation is making use of SaaS offerings, it is critical that multi-factor authentication is configured. Password authentication alone is NOT adequate and should never be used, especially not on publicly exposed SaaS applications.

Although multi-factor authentication may not have completely eliminated the chances of these breaches occurring, it would have at the very least forced far greater costs and efforts onto the attackers. These efforts would also have to involve additional threat vectors, thereby increasing the probability of detection.

The adoption of cloud services, in combination with the “hybrid workforce” has significantly increased organisations’ attack surfaces, leading to greater exposure, risk and complexities. To overcome this, organisations are looking at adopting solutions such as Zero-Trust and SASE.

Zero-Trust

Zero-Trust, at its core, revolves around the idea of NO ACCESS or ZERO ACCESS, unless we can explicitly identify the device, the individual using the device and the security posture associated with both the device and the user. Zero Trust also enforces further concepts such as “least privilege.”

Zero-Trust Network Access (ZTNA) is still often perceived as being a very costly, time consuming and difficult exercise. However, modern solutions, such as Secure Access Service Edge (SASE), really simplify the implementation of Zero Trust.

In this specific instance, SASE with Secure Internet Browsing would have prevented the download of malware or infostealers from the internet.

The deployment of SASE would also allow organisations to further secure their SaaS applications by enforcing IP-address-based access restrictions on the SaaS application itself.

This ensures access to the SaaS application ONLY if the device adheres to corporate security posture requirements and your identity has the appropriate permissions.
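
The MFA, IP-restriction, device-posture and least-privilege checks discussed in the last three sections combine into one default-deny access decision. The following is an added example illustrating that decision; it is not Check Point, Harmony SASE or Snowflake code. The corporate egress range `203.0.113.0/24`, the roles, the posture attributes and the sample requests are constructed.

```python
"""Zero-Trust style access decision for a SaaS application.

Added example; not Check Point or Snowflake code. Network ranges, roles and
requests are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed corporate egress range (TEST-NET-3). The SaaS application only
# accepts connections that arrive from it, i.e. through the SASE edge.
CORPORATE_EGRESS = (ipaddress.ip_network("203.0.113.0/24"),)

# Least privilege: each role gets only the actions it needs.
ROLE_PERMISSIONS = {"analyst": {"read"}, "admin": {"read", "write", "share"}}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    action: str
    source_ip: str
    password_ok: bool        # credentials valid (true even when they are stolen)
    mfa_verified: bool
    device_managed: bool     # enrolled device, known to the organisation
    edr_healthy: bool        # endpoint agent running and reporting
    disk_encrypted: bool


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Default deny; every check must pass explicitly, in order."""
    if not req.password_ok:
        return False, "bad_credentials"
    if not req.mfa_verified:                       # password alone is never enough
        return False, "mfa_required"
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in net for net in CORPORATE_EGRESS):
        return False, "source_not_corporate"      # IP restriction on the SaaS side
    if not (req.device_managed and req.edr_healthy and req.disk_encrypted):
        return False, "device_posture_failed"
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "not_permitted_for_role"    # least privilege
    return True, "allowed"


# Constructed requests. The first models a stolen-credential login of the kind
# described above: the password is correct, nothing else is.
STOLEN_CREDS = AccessRequest("alice", "analyst", "read", "198.51.100.7",
                             True, False, False, False, False)
HOME_DEVICE = AccessRequest("alice", "analyst", "read", "198.51.100.7",
                            True, True, True, True, True)
GOOD = AccessRequest("alice", "analyst", "read", "203.0.113.40",
                     True, True, True, True, True)
ESCALATE = AccessRequest("alice", "analyst", "write", "203.0.113.40",
                         True, True, True, True, True)

if __name__ == "__main__":
    for r in (STOLEN_CREDS, HOME_DEVICE, GOOD, ESCALATE):
        print(r.user, r.action, r.source_ip, "->", evaluate(r))
```

The ordering is deliberate: the stolen-credential request is refused at the MFA step, and even an attacker who somehow satisfied MFA would still be refused for arriving from outside the corporate egress range, which is the "additional threat vectors" cost the article describes.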

In Conclusion

The threat posed by infostealers deserves the same attention as that posed by ransomware, and perhaps even more so, as infostealers often serve as enablers for much larger cyber attacks and breaches.

In the past, we have observed credentials obtained from infostealers being used for initial access during other malicious activities. These stolen credentials open a broader exploitation landscape, which could include personal accounts, corporate accounts, and even infrastructure access through VPNs and cloud management interfaces.

Protection from the risks posed by infostealers requires a holistic approach, bringing us back to “good ole” “defense-in-depth”.

First, prevent the initial delivery of infostealers by protecting end users from malicious emails, websites and malware via email and internet access security controls.

Secondly, should email and internet access security controls fail, a deployed endpoint detection and response solution should prevent the infostealer from being installed on devices and/or prevent credentials from being exfiltrated.

Other controls, such as Zero-Trust frameworks and SASE, further support the concept of defense in depth by preventing access, even with valid credentials, should other factors such as geo-location, device posture and so forth not check out.

Professional services, such as penetration testing, external attack surface assessments and continuous threat exposure management can also assist in reducing the risk posed by infostealers, as they can highlight weak security controls, such as password-only authentication.

For more insights from Hendrik de Bruin, please see CyberTalk.org’s past coverage. Lastly, to receive cyber security thought leadership articles, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.

Anger Foot Review – An Adrenaline-Packed Foot Race – Game Informer

Anger Foot exemplifies a simple idea executed to the ninth degree. As a furious sneakerhead possessing seemingly the deadliest legs in the world, you must retrieve your prized collection of stolen footwear by kicking everything in sight. The bombast accompanying this wacky premise – fast-paced, split-second action, satisfying gunplay, and delectable destructibility – turns Anger Foot from a one-kick pony into one of the year’s most exciting, challenging, and tough-to-put-down adrenaline rushes.

Taking place on the seedy streets of Crime City, where crime is not only encouraged but is a way of life, you’ll plow through four gangs and their leaders across dozens of levels to retrieve your pilfered sneakers. Initially, your bare foot is your best and only weapon, as kicking sends the litany of armed goons flying, showcasing the satisfying (and, sometimes, hilariously broken) ragdoll physics. This first-person action game’s frantic yet thoughtful pace is delightfully reminiscent of Hotline Miami and Doom. At best, you can complete the small, densely packed stages in under a minute, and success means quickly and strategically taking out deviously placed foes before they can off you. 

Since only one or two hits kill players, fast reaction timing and, for better or worse, trial-and-error win the day. Levels can border on being labyrinthine with enemies hiding in blind spots or lurking behind doors, and you won’t discover their presence until their bullet enters your skull. Some deaths feel cheap due to sometimes questionable enemy placement that makes taking damage seem unavoidable in spots. Other times, you’re a victim of physics; a grenade that misses the first time may bounce off something and unexpectedly land at your feet the second time. Dying means starting the stage anew, and while that stings after a good run, instant respawns hasten the process of repeatedly running through levels and absorbing their layouts. 

Kicking foes feels great, but Anger Foot also encourages strategic use of the environment and your opponents, such as kicking doors into distant targets or sending exploding enemies careening into their allies. Wielding firearms, such as handguns and shotguns, plus more exotic fare like crossbows that impale multiple foes and flamethrowers, adds a complementary ranged aspect to the melee-focused action. Gunplay feels awesome, and you can even throw empty weapons to stun targets, providing perfect setups for a kick. I also enjoy how the various enemy types encourage me to change tactics on the fly, such as shield-bearing foes blocking gunfire or speedy, knife-wielding mice focusing on relentless swarming. The multi-stage boss fights are enjoyable (and absurd) but don’t compare to the thrill of blasting through the standard levels. 

When Anger Foot is firing on all cylinders, which is often, it’s a gleefully chaotic execution of skill and resourcefulness. I love slipping into the flow state of running into rooms, rapidly taking out adversaries, grabbing their guns, lobbing depleted firearms to stun other targets, and kicking everything in sight. A mindless approach can work, but more often, it pays to have an ideal order of operations for eliminating threats and pinpointing every environmental advantage. Copious destructibility means encounters often devolve into a parade of exploding rubble, splintered wood, and shattered glass that leaves rooms looking like a tornado plowed through them. This element can be advantageous; why pick off goons perched atop scaffolding when shooting an explosive barrel sends the entire structure tumbling down? Though the framerate occasionally dips when the action overindulges in explosions and enemy mobs, it runs smooth as butter otherwise.

Anger Foot regularly introduces new ideas and mechanics to keep the gameplay and challenge fresh. Highlights include hopping across and dodging trains in a subway and kicking across rooftops while avoiding a sniper’s laser sight. I always looked forward to seeing what a level had in store and was often surprised and enthusiastic to tackle whatever obstacle developer Free Lives concocted. 

Completing stages and optional objectives, such as finishing it under a time limit or taking no damage, rewards up to three stars spent toward unlocking ability-granting sneakers. You can only wear one pair of these special shoes at a time, and they add fun wrinkles to the action. Some provide helpful perks, like a shoe that grants an extra life or one that causes doors to explode when kicked. Other shoes function like silly cheat codes, like a pair that reduces gravity, meaning everything, yourself included, floats. One useful shoe gives enemies comedically large heads, making them easier targets for headshots. Shoes can be potent game changers, providing a strong hook to replay stages and complete supplementary tasks to unlock them all. 

Defeat can be a bitter pill in Anger Foot, but I was amazed at how eager I remained to jump back in time after time. Firefights remained an exciting challenge even if I’d played it numerous times. Thwarting foes milliseconds before they pull the trigger, either by brute force or cleverly utilizing my surroundings, never ceased to feel cool. You should definitely walk a mile in these shoes.

5 CISO trends to keep up with during July of 2024 – CyberTalk

EXECUTIVE SUMMARY:

What is the word ‘agile’ spelled backwards? CISO. (Just kidding, but it should be)

As we enter July of 2024, contending with the current cyber security landscape demands unprecedented levels of vigilance and strategic agility. This month brings a convergence of developments and challenges with far-reaching implications.

From a high-impact vulnerability in ubiquitous software, to the insidious spread of shadow IT, this article highlights five current cyber security trends that professionals should be attuned to, as to then recalibrate risk management approaches accordingly.

Protect your organization from the latest threats while driving innovation and implementing proactive cyber security mitigation measures.

5 CISO trends, July 2024

1. A critical Outlook vulnerability. Cyber security researchers have discovered a zero-click remote code execution vulnerability that, if exploited, could result in unauthorized access and data breaches.

Now patched by Microsoft, the vulnerability was perceived as “critical” by some researchers, and Microsoft rated it as “important.”

Immediate exploitation of the vulnerability isn’t terribly likely, but it remains a possibility, especially if this vulnerability is combined with another one.

Make sure that your organization updates all Microsoft Outlook and Office applications with the latest patches.

2. Google passkey support for executives. As part of its Advanced Protection Program (APP), Google is adding passkey support, which will better protect higher profile individuals from cyber threats.

Advanced Protection Program users typically have public-facing positions (CEOs, COOs, CTOs) or engage in controversial work (lawyers, journalists, human rights advocates).

“Security keys are super-duper strong. They are an un-phishable factor,” said Google’s APP project manager, Shuvo Chatterjee.

Organizations may wish to ensure that higher profile stakeholders leverage passkey support.

3. The rise of ‘Shadow SaaS’. In a survey of over 250 global cyber security professionals, nearly 75% admitted to the use of SaaS applications that the IT team had not specifically approved of.

Security professionals took this risk despite being aware of it – 65% knew of the possibility of data loss, 62% noted lack of visibility and control, and 52% identified data breaches as an inherent risk accompanying the use of unauthorized tools.

Ten percent of cyber security professionals expressed certainty around having experienced an organizational data breach (or data loss) due to the use of shadow SaaS.

There is a clear gap between use of unauthorized tools and risk mitigation capabilities. Ensure that your organization closes this gap.

4. The impossibility of emails. After the emergence of ChatGPT, phishing emails routinely started to look nearly identical to typical email correspondence. The traditional red flags started to disappear. At this point, that’s old news.

What’s new is that as organizations have continued to send out emails, as organizations are wont to do, recipients have started to question the validity of the emails, as they arguably look like potential phishing emails.

At the end of the day, the issue here is that organizations need email security that both keeps phishing emails out and that users trust to keep their inboxes safe.

5. Fake network traffic. Last year, 18% of all network traffic was either automated or “invalid.” In other words, fraudsters used bots to commit fraud and compromise the security and integrity of websites, among other things.

Artificial intelligence has contributed to the proliferation and persistence of fake network traffic. In effect, AI has enabled bots to closely mimic human behavior, rendering traditional detection methods less effective.

In some cases, these bots aren’t actually harmful, but their presence means that CISOs and security teams have to deal with them – presenting a distraction from more significant cyber security tasks. The sooner that security leaders proactively address this issue, the sooner that everyone can get back to the more important stuff.

Further information

As your organization works to elevate its cyber security posture, turn towards cyber security tools that are AI-powered and cloud-delivered, enabling you to stay ahead of the latest threats.

For more insights like these, click here. Lastly, to receive cyber security thought leadership articles, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.