How to Address the Infostealer Malware Threat

How to Address Infostealer Malware Threats to Your Business


TL;DR:

While security teams and company leaders focus much of their attention on the mitigation of ransomware, infostealer malware – the quiet precursor – slips through the cracks.

Infostealer infections are notoriously hard to spot and appear to have no immediate consequences.

Cybercriminals use the information siphoned from exposed devices to carry out attacks, making proper malware remediation essential for a robust security strategy.

What’s worse, even as enterprises deploy new tools and tactics to prevent infection, work-from-home policies and employees using BYOD or personal devices to access corporate applications open new paths to infection that those controls never see.

To combat this silent threat, enterprises need a new, more comprehensive malware remediation process that accounts for dark web activity and provides more visibility into often unknown and ephemeral malware infections.

The evolving malware landscape

One reason infostealer malware is hard to detect is that it leaves very few indicators when it compromises a device.

In a matter of seconds, the employee’s credentials and session cookies are in cybercriminals’ hands.

Popular infostealers like RedLine Stealer are often delivered through phishing emails, links in social media comments, malvertising, or malicious YouTube “tutorials.” If an unaware employee runs the download, bad actors have free rein to use the stolen credentials and data to impersonate the user, which lowers the odds that their activity is flagged as suspicious.

The sophistication of modern malware

While existing antivirus software offers protection against well-known types of malware, newer variants such as RedLine Stealer, Raccoon or Vidar are much more difficult to detect. Coupled with evolving botnet delivery methods that evade detection and the fact that many infections occur outside the traditional, secured perimeter, it’s no surprise companies are struggling to address the threat.

Another crucial aspect to consider is the ongoing threat of exposed data. Traditionally, wiping known malware from the infected device is the most common remediation approach, but it fails to address the already-siphoned information now in the hands of Initial Access Brokers (IABs).

IABs are individuals or groups who package malware-stolen data and sell it on the dark web. Buyers receive everything needed for initial network access: not just usernames and passwords but live session cookies, which a web application accepts without a fresh multi-factor authentication (MFA) challenge. That makes it easy to bypass industry-standard prevention methods like MFA and deploy ransomware.

The impact of stolen data

As if that wasn’t enough, data sold by IABs stays valuable for as long as the stolen credentials and sessions have not been reset or revoked.

The recent rise of IABs illustrates the underlying factor driving the increasing frequency of malware attacks – a thriving underground economy that weaponizes and monetizes network access.

Current cybersecurity measures neither close the gaps that lead to initial malware infections nor account for the fallout after a device has been compromised. Endpoint detection and application security monitoring are being used as stopgaps, but they are not enough.

Comprehensive malware remediation strategies

While employee education is the essential first step for a robust security defense, everyone makes mistakes. With the increasing frequency of malware attacks, it’s getting harder and harder to entirely avoid infection. Instead, leaders should proactively mitigate the threat with a Post-Infection Remediation (PIR) approach.

PIR is a series of steps woven within standard malware infection responses that aims to address the lasting threat of exposed data.

The approach works like this: once the Security Operations Center (SOC) has identified an infected device, the IT team takes the standard first step of cleaning the infected device. In parallel, the enterprise uses dark web monitoring tools and human intelligence (HUMINT) teams to search the underground for the stolen data, find it, and trace it back to the originally compromised asset.

Once armed with this knowledge, SOCs begin remediating every compromised credential and application impacted by the attack. This can include third-party workforce applications such as Single Sign-On (SSO), code repositories, payroll systems, VPNs, or remote access portals. Remediation means more than a password reset: a reset does not log out a session the attacker already holds, so any stolen session cookies must be revoked server-side as well. With every exposed credential reset and every stolen session invalidated, the access the attacker bought is worthless, and a full-blown ransomware attack becomes far less likely.

By going straight to the source of the threat – the dark web – SOCs gain insight into all exposed devices and applications. SOCs may not monitor personal devices, but if the stolen data is linked to such a device, teams can act to remediate these previously unseen entry points, better protecting the organization and the user.
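To make the PIR steps above concrete, here is an added example (not SpyCloud’s tooling and not code from the original article) that triages a recovered stealer-log record into a prioritized remediation plan. The stealer-log layout, the corporate app list (CORPORATE_APPS), the managed-device inventory (MANAGED_DEVICES) and the fixed timestamp (DEMO_NOW) are all assumed and constructed for illustration. It maps each exposed credential to the app that owns it, ranks session revocation above password resets because a stolen cookie keeps working after a reset, flags a device the SOC does not manage, and reports the exposure window from infection to now.

```python
"""Triage a recovered infostealer log into a remediation plan.

Added example, not SpyCloud's tooling. The stealer-log layout, the
corporate app list and the managed-device inventory are all assumed and
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse

# Assumed: hostnames of workforce apps, mapped to the system that owns them.
CORPORATE_APPS = {
    "sso.example.com": "SSO",
    "git.example.com": "code repository",
    "payroll.example.com": "payroll",
    "vpn.example.com": "VPN",
}

# Assumed: device IDs the SOC's endpoint tooling actually covers.
MANAGED_DEVICES = {"LAPTOP-CORP-0042"}

# Constructed stealer-log export; real logs carry the same kinds of fields.
STEALER_LOG = {
    "machine_id": "DESKTOP-7F3A2",          # a personal device, not in inventory
    "infected_at": "2023-04-11T09:14:02Z",
    "credentials": [
        {"url": "https://sso.example.com/login", "username": "jdoe@example.com"},
        {"url": "https://git.example.com/", "username": "jdoe"},
        {"url": "https://www.facebook.com/", "username": "jdoe"},
    ],
    "cookies": [
        {"domain": ".sso.example.com", "name": "session"},
        {"domain": ".vpn.example.com", "name": "vpn_sid"},
        {"domain": ".facebook.com", "name": "c_user"},
    ],
}

# Fixed "now" so the worked output is reproducible (assumed value).
DEMO_NOW = datetime(2023, 4, 12, 9, 14, 2, tzinfo=timezone.utc)


@dataclass(frozen=True, order=True)
class Action:
    priority: int   # 0 = do first
    app: str
    action: str
    detail: str


def host_of(value):
    """Normalise a URL or a cookie domain (".sso.example.com") to a bare hostname."""
    host = urlparse(value).hostname if "://" in value else value
    return (host or "").lstrip(".").lower()


def corporate_app(host):
    """Return the owning app if host is a corporate app host or a subdomain of one."""
    for app_host, app in CORPORATE_APPS.items():
        if host == app_host or host.endswith("." + app_host):
            return app
    return None


def plan_remediation(log, now):
    """Map every exposed item in the log to a concrete remediation action."""
    actions = set()
    infected_at = datetime.fromisoformat(log["infected_at"].replace("Z", "+00:00"))
    exposure_hours = (now - infected_at).total_seconds() / 3600

    for cred in log["credentials"]:
        host = host_of(cred["url"])
        app = corporate_app(host)
        if app:
            actions.add(Action(1, app, "reset_password", cred["username"]))
        else:
            # Personal account: outside the SOC's control, but the user should know.
            actions.add(Action(3, "personal", "notify_user", f"{cred['username']} @ {host}"))

    for cookie in log["cookies"]:
        app = corporate_app(host_of(cookie["domain"]))
        if app:
            # A password reset does not log out a session the attacker already
            # holds; the stolen cookie keeps bypassing MFA until the server
            # revokes it, so this outranks the password reset.
            actions.add(Action(0, app, "revoke_sessions", cookie["name"]))

    if log["machine_id"] not in MANAGED_DEVICES:
        # Endpoint cleanup cannot be assumed to have happened on an unmanaged device.
        actions.add(Action(2, "device", "unmanaged_device", log["machine_id"]))

    return {"exposure_hours": round(exposure_hours, 1), "actions": sorted(actions)}


if __name__ == "__main__":
    plan = plan_remediation(STEALER_LOG, DEMO_NOW)
    print(f"exposure window: {plan['exposure_hours']} h")
    for a in plan["actions"]:
        print(f"[{a.priority}] {a.app:16} {a.action:17} {a.detail}")
```

Run as-is and the plan lists the SSO and VPN session revocations first, then the SSO and code-repository password resets, the unmanaged-device flag, and a notification for the personal Facebook account. In practice the app mapping would come from the SSO or CMDB inventory and the actions would be pushed to the identity provider and ticketing system rather than printed.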


The steps that make up a more comprehensive malware remediation process.

PIR is more comprehensive than legacy, machine-centric malware response processes. Where these methods emphasize device remediation and neglect to consider user identity, PIR takes a more identity-centric approach, considering the personally identifiable information (PII) at risk.

Using this approach, leaders and executives can equip themselves for future success against evolving malware practices. Regardless of whether infected devices are being monitored, IT teams will have full visibility into the scope of the threat, significantly shortening the exposure window for ransomware and other critical threats while closing previously unseen security gaps.

Note: A version of this article was originally published as a contributed article in the 2023 RSA Special Edition of the Cyber Defense Magazine.
