By Hendrik De Bruin, Security Engineer, Check Point Software Technologies.

Infostealers…ransomware’s lesser-known cousin

When it comes to malware, ransomware usually steals the limelight, largely because of the direct, devastating impact that ransomware often causes. However, ransomware’s lesser-known cousin, the “infostealer,” is slowly but surely gaining ever-more attention.

Over the last few years, we have noticed a massive increase in the usage of infostealers. In fact, some research suggests as much as 5,900% growth since 2018. Statistics also indicate that during 2023, over 10 million devices were compromised by info stealing malware, reflecting an increase of 643% over the past three years.

An infostealer is a type of malware designed to infiltrate computer systems, not for purposes of data encryption like ransomware or data deletion like “wipers”, but specifically designed to steal sensitive information.

These malicious programs exfiltrate various data, including login credentials, session cookies, financial information, and personally identifiable information (PII). After harvesting and capturing the sensitive information, the infostealer sends it back to remote servers controlled by cyber criminals.

Once cyber criminals obtain the sensitive information, it is sold on the dark web to various nefarious actors, such as “Initial Access Brokers” who use the info to facilitate larger attacks, like ransomware attacks.

Infostealers…And their real-life impact

To showcase the impact that infostealers can have and to reinforce that infostealers deserve more attention, we can look at two recent incidents: a breach reported at Ticketmaster and at a major European bank.

In both cases, malicious actors gained access to information stored at a third-party service provider called Snowflake. Snowflake offers a cloud-based data storage and analytics service, often referred to as “data-as-a-service”.

During these breaches, attackers simply used credentials — which were most likely obtained through infostealers — to access associated Snowflake accounts, leading to the sale of information belonging to more than 550 million Ticketmaster customers on the dark web.

The info was sold by a group known as “ShinyHunters”, a known player in the infostealer business that’s notorious for using legitimate credentials to obtain initial access.

The ShinyHunters group also claims to have information related to 30 million customers and 28 million credit card numbers associated with the breached banking institution.

Although we focus on these two instances here, they reflect two of at least 165 Snowflake customer accounts that were accessed by this specific threat actor using credentials harvested through infostealers.

How can organisations protect themselves?

Although there may have been various security oversights involved with the two aforementioned breaches, I believe the following three factors played the biggest role:

1. Lack of end user email and browser protection – Among cyber criminals, the most popular means of malware delivery are through email and internet downloads. Not having adequate email and browser security allowed for the initial delivery of the malware.

2. Lack of endpoint protection – Endpoint devices were not properly secured against malware such as infostealers, allowing the malware to be deployed on devices.

3. Lack of SaaS security – The absence of additional security controls, such as Multi-Factor Authentication, allowed for easy access using stolen credentials.

Let’s unpack the items listed above to get a better understanding of how each played a role in the mentioned breaches.

Email and browser protection

Infostealers are typically delivered through internet downloads, phishing emails and or other social engineering attacks.

Your first line of defense for the delivery of infostealers lies in the deployment of email security and anti-phishing solutions such as Harmony Email and Collaboration, which will prevent the delivery of phishing emails and emails containing malware.

Further, should a malicious email be delivered containing a malicious link, having adequate browser protection should prevent the browser from accessing the link and malware from being downloaded.

Internet access control and browser security solutions, such as Harmony SASE Internet Access, will prevent the download of malicious files and restrict corporate password re-use on non-corporate websites.

Corporate password re-use and other password best practices

Although passwords should NEVER be used as the only means of authentication, we often still find this to be the case for various organisations and applications. NIST and other similar institutions provide various guidelines and best practices related to passwords. However, it is also important to note that other than corporate password re-use restrictions, none of these password recommendations from NIST or other similar institutions would have really offered protection from infostealers; mainly because infostealers exfiltrate cleartext passwords.

If you still rely on passwords, the following guidelines from NIST may assist you:

• Increase password length – Password length matters more than complexity.
• Avoid corporate password re-use – Ensuring that corporate passwords aren’t re-used for other platforms, such as social media, will keep your corporate credentials and systems protected from external credential breaches.
• Breached password protection – Ensure that attempted password updates do not contain known breached passwords
• Password rotation – Contrary to popular beliefs, the NIST advises against rotating passwords too often and regards 30 to 60 days as too often. Ninety days may be a fair compromise.

Endpoint protection and response

From an endpoint perspective, Endpoint Detection and Response (EDR) remains as one of the primary defenses against malware such as infostealers. EDR solutions typically include both signature-based detection mechanisms as well as behaviour based detection mechanisms, which include analyses of data to detect suspicious activity, such as indicators of compromise (IOCs).

A solution like Check Point’s Harmony Endpoint leverages Check Point’s ThreatCloud; a dynamically updated service based on an innovative global network of threat sensors and organisations that share threat data. It collaboratively fights against modern malware by aggregating and analysing big data telemetry and millions of Indicators of Compromise (IoCs).

Over 50 AI-based engines analyze this data. These engines detect and neutralize novel threats, ensuring that both known and unknown threats are addressed and prevented.

Multi-factor authentication

Most Software as a Service (SaaS) offerings have multi-factor authentication available as a configurable option. If your organisation is making use of SaaS offerings, it is critical that multi-factor authentication is configured. Password authentication alone is NOT adequate and should never be used, especially not on publicly exposed SaaS applications.

Although multi-factor authentication may not have completely eliminated the chances of these breaches occurring, it would have at the very least forced far greater costs and efforts onto the attackers. These efforts would also have to involve additional threat vectors, thereby increasing the probability of detection.

The adoption of cloud services, in combination with the “hybrid workforce” has significantly increased organisations’ attack surfaces, leading to greater exposure, risk and complexities. To overcome this, organisations are looking at adopting solutions such as Zero-Trust and SASE.

Zero-Trust

Zero-Trust, at its core, revolves around the idea of NO ACCESS or ZERO ACCESS, unless we can explicitly identify the device, the individual using the device and the security posture associated with both the device and the user. Zero Trust also enforces further concepts such as “least privilege.”

Zero-Trust Network Access (ZTNA) is still often perceived as being a very costly, time consuming and difficult exercise. However, modern solutions, such as Secure Access Service Edge (SASE), really simplify the implementation of Zero Trust.

In this specific instance, SASE with Secure Internet Browsing would have prevented the download of malware or infostealers from the internet.

The deployment of SASE would also allow organisations to further secure their SaaS applications by enforcing IP address based access restrictions on the SaaS application itself.

This will ensure access to the SaaS application ONLY if the device adheres to corporate security posture restrictions and your identity have the appropriate permissions.

In Conclusion

The threat posed by infostealers deserves the same attention as that posed by ransomware, and perhaps even more so, as infostealers often serve as enablers for much larger cyber attacks and breaches.

In the past, we have observed credentials obtained from infostealers being used for initial access during other malicious activities. These stolen credentials open a broader exploitation landscape, which could include personal accounts, corporate accounts, and even infrastructure access through VPNs and cloud management interfaces.

Protection from the risks posed by infostealers require a holistic approach, bringing us back to “good ole” “defense-in-depth”.

First, prevent the initial delivery of infostealers by protecting end users from malicious emails, websites and malware via email and internet access security controls.

Secondly, should email and internet access security controls fail, having an endpoint detection and response solution deployed should prevent the infostealer from being installed on devices and/or prevent credentials from being exfiltrated.

Other controls, such as Zero-Trust frameworks and SASE, further support the concept of defense in depth by preventing access; even with adequate credentials should other factors such as geo-location, device posture and so forth not check out.

Professional services, such as penetration testing, external attack surface assessments and continuous threat exposure management can also assist in reducing the risk posed by infostealers, as they can highlight weak security controls, such as password-only authentication.

For more insights from Hendrik de Bruin, please see CyberTalk.org’s past coverage. Lastly, to receive cyber security thought leadership articles, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.