Security operations · 5 MIN READ · AARON WALTON · JUL 26, 2024 · TAGS: Malware / MDR
TL;DR
This is a summary of what you’ll find in each blog in this series:
- Volume I: Q2 by the numbers. We’ll look at an overview of incidents and which attack types are trending. This is a summary of all the volumes for this quarter.
- Volume II: Attackers advance with AI. In many cases, attackers use AI in place of the skills they don’t have or to augment their existing capabilities. We share examples and insights from attacks we’ve seen against our own customer base.
- Volume III: Malware infection trends. We discuss what types of malware appear to be trending (spoiler alert: it’s Remote Access Trojans [RATs]) and long-time threats that don’t appear to be going away anytime soon.
- Volume IV: Phishing trends. Phishing-as-a-Service (PhaaS) platforms make phishing easy. These services really took off in the last year and a half and show no sign of stopping. We share what these are, how they work, and how they can be counteracted.
- ➡️ Volume V: Latent-risk infostealing malware. Infostealers present a serious risk to businesses. We examine recent notable breaches involving infostealers, highlighting the importance of being able to detect, mitigate, and respond to this form of malware.
Last (but certainly not least) in our Q2 Quarterly Threat Report (QTR) blog series, we dig into infostealing malware.
Infostealing malware (also called “infostealers”) presents a serious risk to organizations, highlighted this quarter by the attacks on Snowflake data stores. In case you missed that story, here’s the tl;dr: in May 2024, Snowflake, a cloud-based data company, notified its customers that it was aware of suspicious activity in its environment, but the exact details were unclear. The community also learned of several providers whose Snowflake data stores were compromised. The initial fear was that a compromise of Snowflake itself had caused its customers’ accounts to be compromised. However, Google/Mandiant’s incident response team discovered that Snowflake customers were individually targeted, and that a threat actor was specifically buying credentials for access to Snowflake environments—credentials that other actors had obtained using infostealing malware.
Infostealers’ growing popularity
Infostealers have been around for a while, but in the last few years, we’ve watched them grow in popularity among cybercriminals. The main function of an infostealer is to take users’ credentials that are stored on the computer or in the browser and send them to an attacker. In most cases, if the malware is able to run successfully once, it’s done its job—not needing to establish itself to start again.
Unlike other malware, an infostealer that runs more than once may be working against itself: to run again after the computer is shut down, the malware needs functionality to restart itself. Many endpoint detection and response (EDR) tools monitor for these startup methods (also known as persistence) and, since malware developers don’t want to alert security teams, they’ll often leave that functionality out.
Snowballing
In this series, we talk about infostealers as latent-risk threats. We use this term because these threats aren’t an immediate risk to the environment, but can still pose a future risk. For example, Google/Mandiant’s investigation found a few instances where the attacker leveraged credentials that were stolen in 2020! That is a long time between malware execution and data breach, making it a good example of how stolen credentials can cause damage long after the theft.
As other organizations have pointed out, the targeting of Snowflake is likely only the tip of the iceberg: the primary reason we heard about these breaches was that an attacker, in an attempt to extort victims, publicly disclosed that they had gained access to those organizations’ data. It’s unknown how many similar incidents occur silently and go undetected.
Information-stealing malware is unfortunately pretty common, accounting for 9% of incidents across our customer base in Q2 (29.9% of all malware incidents). Attackers can use infostealers to target both Windows and Apple (macOS) systems, and while some prioritize cryptocurrencies, others specifically target cloud infrastructure credentials.
It’s important to remember that both users and contractors are at risk of having their credentials compromised. All it takes is a user accidentally downloading malware from a malicious source, such as malicious advertisements for real products, phishing emails to either their business or personal accounts, or pirated software. Any of these can lead to malware that can potentially expose an organization’s data.
So while the Snowflake account breaches were significant, it’s important to remember Snowflake isn’t the only service at risk of an event like this. Whether the credentials are administrative credentials for internal platforms, developer credentials, credentials for network access, or anything else, risk models should consider what can happen when they are exposed, and organizations should plan accordingly.
Building a fortress
The good news: infostealer risks can be mitigated. Mitigation requires organizations to effectively maintain password security, detect credential theft, and respond when they detect infostealing malware. Effective password security includes policies around disabling no-longer-needed accounts (like when a contractor ends work), protecting accounts with multi-factor authentication (MFA), and shielding passwords with encrypted password managers. Detecting credential theft requires sufficient endpoint device monitoring and software policies to prevent malicious file execution. Effective security response requires playbooks and procedures to secure accounts and rotate credentials efficiently. Together, these practices can substantially reduce the risk of being breached in a similar attack.
In Snowflake’s case, the company announced that admins can now more easily enforce MFA use for all users and, eventually, Snowflake will require all human users to employ MFA. These changes are welcome, but many other services, accounts, and providers should take heed. Security controls like MFA go a long way toward mitigating material breaches.
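As an added example (not Expel’s code, and not tied to any particular EDR product), here is detection logic of the kind the endpoint-monitoring requirement above calls for: it runs over constructed file-read events and flags any process other than the browser itself that opens the browser credential stores infostealers harvest (the behaviour described under “Infostealers’ growing popularity”). The event field names, the sample paths and the severity tiers are assumptions.

```python
from pathlib import PureWindowsPath

# File names of the browser credential stores infostealers harvest
# (Chromium-based browsers and Firefox); matched case-insensitively.
CREDENTIAL_STORE_NAMES = {"login data", "logins.json", "key4.db"}
# Processes that legitimately open those files.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Directories a freshly downloaded or dropped executable typically runs from.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")

# Constructed EDR file-read events; the field names are an assumption.
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T09:12:01Z", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-06-03T09:14:27Z", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\setup_crack.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-06-03T09:14:28Z", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\setup_crack.exe",
     "target": r"C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"ts": "2024-06-03T09:30:00Z", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\BackupAgent\agent.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

def is_credential_store(path: str) -> bool:
    return PureWindowsPath(path).name.lower() in CREDENTIAL_STORE_NAMES

def find_credential_store_access(events):
    """One finding per (user, process) that read a credential store without being a
    browser. Severity rises when the process runs from a user-writable directory or
    reaches into more than one browser's store; a low finding still needs triage."""
    by_proc = {}
    for ev in events:
        image = PureWindowsPath(ev["image"])
        if not is_credential_store(ev["target"]) or image.name.lower() in BROWSER_PROCESSES:
            continue
        key = (ev["user"], str(image))
        finding = by_proc.setdefault(key, {"user": ev["user"], "image": str(image),
                                           "first_seen": ev["ts"], "stores": set()})
        finding["stores"].add(PureWindowsPath(ev["target"]).name)
    findings = []
    for finding in by_proc.values():
        from_user_dir = any(d in finding["image"].lower() for d in USER_WRITABLE_DIRS)
        multi_store = len(finding["stores"]) > 1
        finding["severity"] = ("high" if from_user_dir and multi_store
                               else "medium" if from_user_dir or multi_store else "low")
        finding["stores"] = sorted(finding["stores"])
        findings.append(finding)
    return sorted(findings, key=lambda f: f["first_seen"])
```

Run against the constructed events, the downloaded executable that reads both the Chrome and Firefox stores comes out as a high-severity finding, while the backup agent reading a single store is surfaced at low severity for triage rather than suppressed.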
That’s a wrap on Q2!
We’re halfway into 2024, but bad actors are showing no signs of slowing down, and we don’t expect them to. Whether they’re sticking with tried-and-true methods of attack or utilizing AI to build or augment new ways into your environments, the hits started coming (and they won’t stop coming).
Now is the time to double and triple check your current defensive strategies for familiar attacks like infostealers, BEC, and compromised credentials. And you can use what Expel has learned in our SOC to build out your defenses against attacks built on PhaaS platforms that are gaining popularity, or even to protect against AI used maliciously by hackers.
While there’s unfortunately no end in sight to the creative new ways bad actors are learning to target your people, systems, and clouds, we have good news: when we learn, so do you. It’s why we share these reports, so we can all work together to fight back, prepare for malicious activity, and keep our customers safe.
We have one more quarterly report for 2024, and then we’ll be sharing our annual threat report. Keep your eyes peeled for both, and we’ll continue to track data, identify patterns, and share insights as they emerge to keep you and your org protected.
Questions about this series or just want to chat? Give us a shout.
About these reports
The trends described in our QTRs are based on incidents our security operations center (SOC) identified through investigations into alerts, email submissions, or threat hunting leads in the second quarter (Q2) of 2024. We analyzed incidents across our customer base, which includes organizations of all sizes, in many industries, and with differing security maturity levels. In the process, we sought patterns and attacker tendencies to help guide strategic decision-making and operational processes for your team.