Three Steps to Success
You probably clicked on this article because you thought I was going to provide some career advice or some way to reach your personal goals this year, but I'll apologize now - this article outlines three steps to success for the malicious actor. Hopefully, after I explain how they are achieving this success, you can better protect yourself from an attacker who is using these steps.
This year has been an interesting one for me. I have seen an ever-increasing number of info-stealers targeting specific geographical markets, and in particular, one vertical that exists in that market. But I'm sure the success of these attacks will lead to a spread outside of this vertical.
What's the Vertical?
Honestly, I'd prefer not to dive too deeply into this subject matter as I don't want to raise awareness further around their weak security state and make them an even higher priority target. Needless to say, if it can happen to them, it can happen to anyone.
Step 1, Where it All Begins.
The info-stealer has become a more valuable starting point for a lot of attackers. Ransomware used to be that starting point, but as people start to find stronger ways of combating this and potentially not wanting to pay, it's just too risky (from a profitability standpoint for the malicious actor) to start here.
So Why Info-Stealer?
Your data has more value outside of your organization than in your organization. Social security numbers, routing and bank account information, intellectual property, and, most important to the next stage of success (for the malicious actor), your passwords. More specifically, your IT security team’s passwords.
Why Are Their Passwords So Important?
Well, there are a couple of reasons for this, but from the malicious actor's point of view, it lets them keep abreast of internal awareness of the info-stealer's presence. How would they do this? The passwords I was speaking of are your email passwords or those for various other communication methods (think instant messaging programs). They would monitor your email and other communication channels for specific phrases or terms related to their attack. If the info-stealer's presence should be uncovered, the malicious actor would probably skip the next step and move directly to Step 3.
Step 2, Drill Baby Drill.
With the increased market awareness around the value of cryptocurrency (although prices are currently going through a normalizing period), utilizing system resources and free power (free to the malicious actor, at least) for mining is still a profitable business. The only reason most people notice this step is the increased network traffic and the over-taxation of a machine's resources.
Step 3, Scorched Earth.
Once the info-stealer/miner is discovered, this is typically when the malicious actor moves on to Step 3 - the ransomware delivery, or as I like to call it, the scorched earth approach. The term "scorched earth" comes from a military practice where you destroy everything of value in a specific area. Ransomware accomplishes this task. If you don't pay the ransom, your data could be permanently damaged or lost.
The Value of the Three-Step System (to the Malicious Actor at Least).
This three-step system ensures some value comes out of an attack campaign. From the malicious actor's point of view, why do the work if they can't make any money out of it? By following these steps, there is financial value to be gained from each step as well as the ability to do some reconnaissance.
How Can I Protect Myself and My Corporation?
Let's revisit each step and review how a basic security strategy can help.
In Step 1, the attackers were targeting specific types of data that they can sell, and using that access to perform their reconnaissance. To combat this:
- A reliable antivirus (AV) should be able to stop the spread and quarantine these info-stealers.
- A corporation should also leverage multifactor authentication (MFA/2FA) to further protect services like email and other forms of communication.
- Finally, a corporation should have an alternative form of communication that is used post-data-breach (alternative emails, etc.), in case the attackers have compromised your existing forms of communication. I like Protonmail because of its built-in security.
- Something else to note: if you start seeing messages coming in and they are already marked as Read (a rookie mistake by the attackers if they don't make sure they re-label them as Unread), this is another sign that something is wrong.
Step 2 is a little more noticeable:
- If you discover a significant increase in network traffic, or users start to complain that their systems are slowing down (more than usual, as I'm sure you already get this on a daily basis), don't ignore this. These are all signs that something is not correct.
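The two signals named above (a sustained jump in a machine's resource use together with a jump in its outbound traffic) are easy to turn into a simple per-host baseline check. The script below is an added example and is not from the original article; the host names, the hourly CPU and egress figures, and the thresholds are all constructed for illustration. It compares each host's recent samples against that host's own earlier baseline using z-scores, and only raises a host when both CPU and egress stay elevated for several consecutive samples, so a single busy hour does not trigger it.

```python
"""Flag hosts whose CPU use and outbound traffic are BOTH sustained well above
their own baseline, a simple signal for covert mining (Step 2 in the article).
All telemetry below is constructed for the example; it is not real data."""
from statistics import mean, pstdev

# Constructed sample: per host, one (cpu_percent, egress_mb) tuple per hour.
# The first BASELINE_SAMPLES entries are treated as the host's normal behaviour.
TELEMETRY = {
    "ws-finance-01": [(12, 40), (15, 35), (10, 42), (14, 38),
                      (11, 41), (13, 39), (12, 40), (14, 37),
                      # then four hours of pegged CPU and heavy egress
                      (93, 310), (95, 298), (91, 322), (94, 305)],
    "ws-finance-02": [(20, 50), (25, 55), (22, 48), (19, 52),
                      (24, 51), (21, 49), (23, 53), (20, 50),
                      # one busy hour, then back to normal: not sustained
                      (60, 58), (22, 52), (21, 49), (23, 51)],
}

BASELINE_SAMPLES = 8   # samples used to model "normal" for each host
Z_THRESHOLD = 3.0      # how far above baseline counts as elevated
MIN_CONSECUTIVE = 3    # elevated samples in a row before we alert


def zscores(values, baseline):
    """Standard score of each value against the baseline's mean and std dev.
    A flat baseline (std dev 0) falls back to 1.0 to avoid division by zero."""
    mu = mean(baseline)
    sd = pstdev(baseline) or 1.0
    return [(v - mu) / sd for v in values]


def sustained(flags, n):
    """True if the boolean series contains at least n consecutive True values."""
    run = 0
    for flag in flags:
        run = run + 1 if flag else 0
        if run >= n:
            return True
    return False


def analyse_host(samples):
    """Score one host's recent samples against its own baseline window."""
    base, recent = samples[:BASELINE_SAMPLES], samples[BASELINE_SAMPLES:]
    cpu_z = zscores([c for c, _ in recent], [c for c, _ in base])
    net_z = zscores([e for _, e in recent], [e for _, e in base])
    # Require both resource use and egress to be elevated in the same hour.
    both_high = [c > Z_THRESHOLD and n > Z_THRESHOLD for c, n in zip(cpu_z, net_z)]
    return {
        "suspicious": sustained(both_high, MIN_CONSECUTIVE),
        "max_cpu_z": max(cpu_z),
        "max_net_z": max(net_z),
    }


def suspicious_hosts(telemetry=TELEMETRY):
    """Sorted list of host names that meet the sustained-elevation rule."""
    return sorted(h for h, s in telemetry.items() if analyse_host(s)["suspicious"])


if __name__ == "__main__":
    for host, samples in TELEMETRY.items():
        print(host, analyse_host(samples))
    print("review these hosts:", suspicious_hosts())
```

Because the baseline is per host, a machine that is always busy (a build server, say) is not flagged just for being busy; what matters is a departure from its own normal, on both axes at once, that persists. In practice the tuples would come from whatever endpoint or network telemetry you already collect, and the thresholds should be tuned against a week or two of your own data before anyone is paged on them.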
Step 3 is the most noticeable of all, the ransomware attack:
- Have a reliable antivirus solution in place and have a contingency plan to handle these sorts of attacks.
- That plan should include robust data backup policies combined with pre-signed agreements with a reputable IR company (to expedite the containment process).
- Finally, DON'T PAY the attackers. If you are experiencing a ransomware attack, one of the worst things you can do is pay the criminals responsible. Listen, there is no honor among thieves. If you pay them, they will talk with other malicious groups and possibly come back for a second round of extortion (or the people they tell will).
Where Do We Go from Here?
The point of this article is to shed light on trends in the cybersecurity community. Understanding the motivations and goals of an attacker can only help you strengthen your security standing and find better strategies for protecting your company.