REPORT | Infostealers, cyber-centricity and vulnerability exploits


Boland Lithebe | Security Lead | Accenture Africa


In my previous article, I highlighted that cyber threat intelligence (CTI) offers improved visibility into overall network threats and informs decision-makers how to prioritise security around potential targets and threats.

We have created relevant, timely and actionable threat intelligence for more than 20 years. We continually investigate numerous cases of financially motivated targeting and suspected cyber espionage.

During these investigations, our threat intelligence and incident response analysts have gained first-hand visibility into the tactics, techniques and procedures (TTPs) employed by some of the most sophisticated cyber adversaries.

The Cyber Threat Intelligence Report Volume 2 identified five trends affecting the cybersecurity landscape.

Infostealers boost the malware market

There has been an increased popularity of underground endpoint marketplaces that sell compromised login data packages, which continues to pose a substantial threat to organisations across industries and geographies.

Endpoint marketplaces offer an abundance of inexpensive gateways into corporate networks and threaten the majority of medium-to-large corporations.

Compromised endpoints – which underground actors have bundled and sold as so-called ‘bots’ – contain login credentials, sensitive system information and cookie sessions. Actors siphon this information from victims’ machines using credential-stealing malware and sell it on Dark Web marketplaces for as little as US$10 to US$200.

Businesses can address malicious software by protecting both corporate and private machines. Private machines create greater exposure for both if they synchronise with corporate infrastructure.

Secondly, be aware of the growing ‘bots’ business. Depending on the security posture, these ‘bots’ can grant direct access to affected systems or provide skilled actors with a more accessible way into networks. Stealing an active cookie session makes ‘bots’ significantly more effective than using compromised login credentials alone. As a result, ransomware groups, business email compromise rings, and data extortionists commonly use endpoint marketplaces, with us and other cybersecurity organisations attributing multiple recent attacks to the endpoint market.

Cloud-centricity prompts new attack vectors

Increasingly, threat actors are exploiting public-facing cloud infrastructure to deploy offensive toolsets and to gain internal access points into organisations’ cloud environments. This threat grows as organisations accelerate cloud adoption and open up new attack vectors.

The COVID-19 pandemic has accelerated the ongoing trend of cloud adoption to enable remote working, online education, business resilience and environmental sustainability, opening up new attack surfaces and increasing the value of cloud infrastructure attacks for malicious actors. This expanding infrastructure opens the door to new vulnerabilities.

Some organisations do not monitor cloud platforms as closely as they do their on-premise servers, which may exacerbate existing cloud asset and configuration management deficiencies. Instead, they are placing their trust in a third-party cloud provider. As a result, threat actors hijack cloud services to exploit cloud infrastructure’s benefits, collect sensitive data and deploy ransomware.

Expanding cloud infrastructure also creates highly scalable and reliable command-and-control infrastructure and botnets. Additionally, public-facing cloud environments serve as initial entry vectors through which threat actors can access individual endpoint devices.

Here are some suggested ways to mitigate the impact of cloud platform threats:

  • Audit and test for cloud misconfigurations alongside organisational operation digitalisation efforts.
  • Adopt an identity and access management framework to monitor and control cloud user access permissions.
  • Establish MFA across cloud access points and monitor virtualisation infrastructure access.

Vulnerability exploits see high volume buying and selling

We have observed enormous growth in the underground market for vulnerability exploits, especially those that enable adversaries to gain unauthorised access to a corporate network. Unauthorised network access is fundamental to successful ransomware operations.

Threat actors have ‘top three’ vulnerabilities they buy and sell, namely, CVE-2021-34473, CVE-2021-20016 and CVE-2021-31206. We analysed these vulnerabilities in the context of the potential impact of successful exploitation and the assessed intentions of the actors seeking to purchase related exploits.

We found that successfully exploiting each of the noted vulnerabilities enables a remote adversary to gain unauthorised access to a victim network and execute arbitrary code on a victim host. Analysis of the past activities of actors who sought to purchase exploits indicates that the actors are financially motivated and likely intend to use the exploits to facilitate unauthorised network access schemes.

Here are some ways to handle vulnerability exploits:

Robustly defend network access

Measures to help protect an organisation’s network include implementing zero-trust principles; network security monitoring, such as deploying detection signatures to catch exploitation attempts against a specified environment and alerting on processes that execute from a specified system or web application log directory; strict access controls; and endpoint controls.
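As an added illustration of the "alert on processes that execute from a log directory" measure (example code, not from the report), the following Python runs that check over constructed process-creation events; the event format, the watched directories and the sample paths are assumptions.

```python
# Added example: flag process-creation events whose executable image was
# launched from a directory that should only ever hold log files.
# Event format, watched directories and sample events are constructed.
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Assumed log-only directories (not taken from the report).
WATCHED_LOG_DIRS = [
    r"C:\inetpub\logs\LogFiles",
    r"C:\Windows\System32\LogFiles",
]

# Minimal key="value" event line format (constructed for this example).
EVENT_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key="value" event line into a dict of fields."""
    return dict(EVENT_RE.findall(line))


def is_under(path: str, base: str) -> bool:
    """True if `path` sits inside directory `base` (case-insensitive)."""
    p = PureWindowsPath(path.lower())
    b = PureWindowsPath(base.lower())
    return b == p or b in p.parents


def flag_log_dir_execs(lines: Iterable[str],
                       watched: List[str] = WATCHED_LOG_DIRS) -> List[Dict[str, str]]:
    """Return an alert record for every event whose Image lives in a watched dir."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "")
        if image and any(is_under(image, d) for d in watched):
            alerts.append({"pid": ev.get("PID", "?"), "user": ev.get("User", "?"),
                           "image": image,
                           "reason": "executable launched from log directory"})
    return alerts


# Constructed sample events: a benign system process and a suspicious one.
SAMPLE_EVENTS = [
    'PID="4412" User="NT AUTHORITY\\SYSTEM" Image="C:\\Windows\\System32\\svchost.exe"',
    'PID="5120" User="IIS APPPOOL\\DefaultAppPool" Image="C:\\inetpub\\logs\\LogFiles\\W3SVC1\\update.exe"',
]

if __name__ == "__main__":
    for alert in flag_log_dir_execs(SAMPLE_EVENTS):
        print(alert)
```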

Block connections from domains, IP addresses and URLs known to be actively scanning for and exploiting known vulnerabilities. Block egress and recursive DNS on servers. Also, harden outbound firewall and WAF rules to block these types of calls from your environment.

Get back to security basics

Often, organisations can prevent successful attacks by running regularly scheduled patch management programmes, maintaining an inventory of their environment’s systems and software, and proactively testing existing technologies for weaknesses.

Pairing patch management programmes with cyber threat intelligence monitoring of Dark Net marketplaces can provide context and inform defence postures and tactics when new vulnerabilities emerge.
