CyberWire Daily - Infostealer Malware 101: mitigating risks and strengthening defenses against this insidious threat. [CyberWire-X]
Episode Date: July 23, 2023

With the relentless advancements in technology and a workforce more digitally enabled than ever before, businesses today face an unprecedented challenge of protecting their sensitive information from cybercriminals. Infostealer malware, often disguised as innocuous files or hidden within legitimate-looking emails, stealthily infiltrates employee and contractor devices – managed and unmanaged – exfiltrating all manner of data for the purposes of executing follow-on attacks including ransomware. The data at risk includes customer details, financial information, intellectual property, and R&D plans stolen from compromised applications that were accessed using infostealer-exfiltrated authentication data like credentials and active session cookies/tokens. This episode digs into the proliferation of infostealers and provides actionable steps for businesses of any size or industry to mitigate the threat. In this episode of CyberWire-X, N2K's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Rick Doten to discuss the early days of incident response and the current thinking on post-infection remediation (PIR) actions. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor SpyCloud's Director of Security Research, Trevor Hilligoss. They chat about the challenges for enterprises and security leaders to identify what was stolen from malware-infected devices and how proper post-infection remediation, implemented into existing incident response workflows, can help prevent this data from leading to ransomware. Trevor shares highlights from an industry report of over 300 security leaders from North America and the UK on where they stand on malware identification and remediation, and what additional work can be done to minimize cybercriminals' access and impact.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey, everyone.
Welcome to Cyber Wire X, a series of specials where we highlight important security topics affecting security professionals worldwide.
I'm Rick Howard, N2K's Chief Security Officer and the Cyber Wire's Chief Analyst and Senior Fellow.
Today, Dave Bittner, the Senior Producer and Host of many of the Cyber Wire's podcasts,
will be joining me at the Cyber Wire's hash table to discuss post-infection remediation, or PIR.
After the break, you'll first hear my conversation with Rick Doten,
the CISO for Healthcare Enterprises and Centene,
and then Dave will talk with Trevor Hilligoss,
the Director of Security Research at SpyCloud, the sponsor of this show.
Come right back. SpyCloud disrupts cybercrime by telling you what criminals
know about your business and your customer, so you can take action on exposed authentication data
to prevent ransomware, session hijacking, account takeover, and online fraud.
With knowledge of the specific darknet data criminals have in hand,
like credentials, cookies, and PII,
siphoned from malware-infected devices accessing your network and applications,
security teams have better visibility into the expanding attack surface
that puts their organization at risk from cyberattacks
and can respond quickly
with SpyCloud's automated solutions. Visit spycloud.com slash cyberwire to view SpyCloud's
malware readiness and defense report, a benchmark survey of global security practitioners on how
they combat infostealer malware and are planning for gaps in their post-infection remediation that leave the door open for ransomware attacks. That's spycloud.com slash cyberwire.
And we thank SpyCloud for sponsoring our show.
Incident response has been around as a concept since the late 1980s,
when it practically sprang out of whole cloth from Dr. Clifford Stoll,
when he published his Communications of the ACM article called "Stalking the Wily Hacker" in 1988
and his subsequent Cybersecurity Canon Hall of Fame book, The Cuckoo's Egg:
Tracking a Spy Through the Maze of Computer Espionage, in 1989.
While tracking East German hacker mercenaries hired by the Russian
government to break into U.S. academic systems in order to compromise U.S. government systems,
because let's face it, back then there really wasn't anything close to cybersecurity, the
internet was mostly a collection of cans tied together by strings, Dr. Stoll invented incident response, and for the most part,
the practice hasn't really changed much in terms of the big picture. To get some color on that,
I reached out to Rick Doten, an old friend of mine, a regular here at the Cyber Wire hash table,
and, fun fact, has been a judge multiple times at the American
Pie Council's annual National Pie Championships. Who knew? But he's also the CISO for Healthcare
Enterprises and Centene, a Fortune 500 company. And in his early days, he managed a commercial
penetration and incident response team. So I started out asking him what it was like in those early days after Dr. Stoll
invented the idea. Yeah, I originally ran ethical hacking teams in the late 90s and the early 2000s.
And then we realized that we needed to respond to incidents that our customers had. And so we put
together one of the first forensics retainers on being able to do that. I mean, obviously, we weren't the first, but our peers in 2000, 2001, all were doing the same thing.
It's a niche thing.
Not a lot of people do this.
And even in the executive group, very few CISOs came up through the incident response.
You and I have talked about over the last decade that in the defense industrial
base, this incident response was a very common thing that was not in other industries
outside of DC.
And so we had to educate folks 10, 13 years ago in other industries, including the financial
industry, about, hey, don't just ask what happened, how did it happen, make it stop, make sure it doesn't
happen again.
There's a whole bunch of little things in between that we want to learn from and do
to, you know, enrich that.
In cybersecurity, you know, I always say that a pen tester and an incident responder are two
sides of the same coin.
And so we found the pen testers made really good
incident responders because they're digging through and looking for things to be able to say
what happened, how did it happen. That's a really interesting insight because as a pen tester,
it's more offensive oriented. So you have that perspective. But then if you're going to turn
around to be an incident responder, you know how the offensive guy's team did it. And so you're
looking for things, right, on the defensive side that you can shore up. I had not really put that
together. And you would think I would have done that by now. Well, it's also the personality of
being able to thrive in chaos, failing quickly, doing multiple things at once. These are things
that both sides do really well, as opposed to like a pure play forensics person
who is very single-threaded, doing things very meticulously for maintaining chain of custody,
or much slower in their process and don't want to fail because I got to get this image correct
because I only have one shot at it. And so the forensics piece of the actual acquisition is
very different, but incident response is exactly as described. It's the opposite of pen testing.
Well, and there's all kinds of phases to incident response too, right? Besides just
stopping the pain, okay, there are lots of things you have to do inside the company in terms of
managing crisis and deciding if it's serious and deciding if it's not,
how far you need to escalate it at the company, doing a public announcement.
And we're not even talking about all that.
We're really just, in this discussion, we're just talking about the technical things that you need to get done.
And I was really intrigued with something you said when we were discussing this before we came on the air, Rick, that most small, medium-sized organizations don't have the resources to do a full-out incident response action plan.
Most people just want to stop the pain and get them out.
Yeah.
I say all the time is, remember, there's the Fortune 500 and 5 million other companies.
So it's a 0.00001 percent that have resources, money, and people, and most
don't. When I was a virtual CISO for five years, the thing that I found most lacking in all my customers
around the world is no incident response program. You know, they had boxes that were lighting up when
things happened. They had things that were supposed to be protections, detections. But if something happened,
A, they weren't alerted, and they didn't know what to do
because there was no plan and there were no people. So I think that's the thing that
the most organizations don't have that. They just expect the technology to protect them
and detect if something's wrong and tell them what to do about it and not this whole formulated
thing that you described of there's communication,
there's maybe legal involved,
there's people involved,
there's data protection and privacy things involved,
there's business resiliency things involved,
that it's not just a what happened
and make it stop.
Or even for startups, small and medium-sized companies,
stop the pain, yes, yes, yes, all that and more.
But there might be some things you want to do after it's all over.
And they're called post-infection remediation, which is a fancy name,
for things you need to do after the pain has stopped and you're trying to recover from all this.
And one of them was remove the malware if possible.
I wonder if you could talk about that because that seems to be a problem,
not even for smaller companies,
but for, I don't know, even Fortune 500 companies.
That malware seems to find its home somewhere
that no one has located before.
Yeah, I mean, in the last 10 years,
we've had much more persistent adversaries
who want to maintain this persistence.
And so it's not just a, here's a file that's known
to be bad and your antivirus catches it and quarantines it, but it is a multi, sometimes
multi-stage process. There might be a PDF that is completely benign until you open it and it
launches an executable, which then installs some registry entries to put some hooks in, opens up a listener
for a command and control channel, and then goes and tries to mail itself or propagate itself across
the domain to other systems. And so when you find that this one patient is infected and you say,
oh, okay, I delete this badware.exe, but I didn't delete the PDF
from which it was spawned and I didn't know it entered, you know, four registry entries and I
didn't know it opened a port as a listener and I didn't know that it also tried to propagate itself.
So that's why I think it's prudent to say, if possible. That's one of the things that
the early, before EDR was EDR, there was,
I guess Carbon Black still exists, but the very first iteration of Carbon Black,
I used to love that because it would give me this whole life cycle of this is the PDF,
this is what was launched, this was created, this is the things. And I can use that as a
recipe to take all of that out at one time. And then search across all my other devices to,
is this registry entry anywhere else?
Is this listener, this port open that shouldn't be anywhere else?
Is this executable or PDF open anywhere else?
The example I always go to for these kinds of discussions
is the OPM breach from a number of years ago.
The IT staff didn't even notice that the Chinese were
in their networks for a year. But when they finally noticed, they assumed they were in that one spot
where they noticed the effort, right? They didn't understand that it was rampant through their
organization. And then when they finally brought in a third-party contractor who did the analysis
and found it all and got rid of almost everything. They missed one
version of it that ran on a, you know, a remote Linux box. And so it was still inside their
network. So what's the advice that you give to these kind of small, medium companies who don't
have the resources to track that kind of thing down? Right. You have to hire help. I mean,
unless you have a good person. Now, you also have the advantage
that it's a small infant footprint.
You know, 99.9% of organizations in the US,
as you kind of pointed out,
are less than 500 people.
They're small footprints.
They're also, today, mostly work from home,
so you're not on this broadcast domain
that it's easier to traverse
because everyone's somewhere else,
particularly in these smaller companies
that are completely cloud-native.
But that's a very common thing to miss
that in that description I just said,
that, oh, and one of those actions was,
who are the domain admins?
And let me go to domain controller,
let me pass the hash and get the admin password,
create my own backdoor,
my own domain admin on the domain that nobody even
noticed and maintain persistence that way. So I clean up everything, but they already have a
backdoor because they have a domain account sitting there. So very, very common. So all of the
incident responders are kind of trained now to be very, very comprehensive. But back to your question,
what do small companies do? You hire people who do this for a living. One of the advice I've given people before was,
a virtual CISO is kind of like having outside counsel. A small company can't pay for an
inside general counsel, so they have them outside. And it's the same kind of thing with security.
Well, I mean, there's a whole list of things you probably could do, but I agree with you,
Rick, especially if you're a small to medium-sized company. Maybe you might purchase insurance so
that you can pay for this kind of thing when it happens. Maybe that's the way you do it,
or just bite the bullet when it does happen, just to make sure that you can be safe going forward.
You did this for a long time. What was the go-to move after you
guys remediated the initial problem? What did you tell your clients to do most of the time?
Well, learn from this, you know, because usually when we went in and fixed something,
it was, we found a whole bunch of other things like, you know, this happened because this wasn't
turned on or you realize you have a different version of X, Y, Z across all this. And you know,
you don't have this on all these devices. So it's the learning what to do to improve it to
make sure it doesn't happen again in the short term is, you know, here's all this stuff as an
opportunity because we just had this event. You now have the attention to maybe get some money
to fix the things that you've probably been asking for forever, but now it's been realized.
Well, good stuff, Rick. Thanks for coming on and explaining this. I really appreciate it.
All right. Thank you very much for having me.
Next up is Dave Bittner's conversation with Trevor Hilligoss,
the Director of Security Research at SpyCloud, our show's sponsor. So today we are talking about InfoStealers.
Can you give us a little bit of the background and, I don't know, the lay of the land and history of what brought us to where we are today when it comes to InfoStealers?
Oh boy, how much time do you have?
There's been a lot.
Yeah, so InfoStealers as a type of malware are not new.
They've been around for, I think we're coming on a decade-ish.
Depends on what you count as, I guess, patient zero.
You know, InfoStealers, I like to joke, folks in security, I guess I'll speak for myself, unimaginative in our naming convention.
So, you know, InfoStealers are pretty descriptive.
But we're basically talking about a type of malware whose entire purpose of existing is to steal information from an infected host, right?
So generally speaking, and this has changed depending on when you look at it in time, generally speaking, non-persistent malware. So, you know, stealthy, delivered to a host,
executed, performs its, you know, stealing functions, which vary from malware to malware.
And then exfiltrates that data off to a place that the attacker can access it and use it for
a variety of purposes. Typically, we're talking fraud, some kind of monetization, but really it runs the gamut.
Everything from ransomware to espionage type stuff to just good old data theft post on carding sites.
So yeah, it's a broad spectrum of nasty stuff.
Can we go through the InfoStealer lifecycle?
I mean, how does one typically find oneself falling victim to this?
And what's the process by which it does its business? You know, generally speaking, if we're
talking about attack vectors, what we see, and just to kind of clarify, when I talk about, you know,
observation, stuff like that, my insight into this comes mainly from the post-exfiltration.
So we're looking at the data that's actually stolen by these InfoStealers,
not necessarily looking at doing reverse engineering of any binaries,
although we have done that.
I often find that it's more interesting, or it can be more interesting,
to look at the proceeds of this type of malware,
especially for questions about what the intent is.
But the general attack delivery,
at least the most successful,
tends to be some kind of ruse.
So we've seen everything from using
some kind of AdSense.
Maybe they're going to post an ad on Google
describing something as a popular messaging app,
say like Signal or Telegram,
or you pick your app.
And that directs you to a website
that's carefully crafted to look like or be believable enough to be the real thing. But in
fact, what you get is a RedLine or Raccoon or another infostealer. That tends to be common.
It also tends to be fairly short-lived, right? Google's pretty good at catching those things.
But if you think about it, the amount of eyeballs on the internet these days,
an ad doesn't have to be live for too long for it to get quite a few clicks.
Similarly, we also see,
and this is, I guess, kind of a recent change,
at least the past couple of years,
we've seen this spike up,
but using things like compromised YouTube channels.
So, you know, hackers will essentially take over
someone's popular YouTube channel and then use that
and its built-in fan base
to spread an info stealer quite broadly. But one of the biggest links between all of these,
quite honestly, is the use of social media and socially relevant things. So games,
cracked software, all of that stuff tends to be the dealer's choice of these malware operators
that are running these schemes.
And how do you assess the technical sophistication of these packages? Are we talking about sophisticated things or is this the entry level for folks who are out there developing malware?
So that's actually a really good question, Dave. One of the really interesting things about InfoStealers is a lot of these operate as what we call malware as a service. So how I like to describe this is, you know, we're all kind of familiar with sort of like managed software, right? So think about like, you know, Adobe Photoshop. You subscribe to a monthly subscription, maybe it's a yearly subscription. It gets you access to the software. You get support that comes with it. So if something goes wrong, you can contact Adobe. They'll help you out. There's other things that are sort of packaged up in that one subscription deal. create this malware, they will publish it on criminal forums online, and then market that to
other criminals who typically pay either weekly or monthly subscription fees. And those can range
anywhere from $50 up to $200. I think the highest I've seen was like $250 paid in crypto, obviously.
But then that allows that user who might not be very sophisticated, maybe they
couldn't have created that malware on their own, but because they were able to pay that money to
the person that did create it, now they're able to have this malware that they can deploy. And
then they can reap the proceeds from it. So it's almost like a distributed method of criminality.
It doesn't, we talk about sophistication, typically we're talking about like nation-state actors,
and those are like the very sophisticated. But what's kind of crazy about the InfoStealers and the malware and those skills and then craft your own relatively low sophistication ruse and still be able to victimize a massive amount of people.
Help me understand what the specific concern here is for the corporate cybersecurity professional? I mean, are info stealers targeting individuals
and the corporation gets infiltrated as a side effect, or are they targeting companies as well?
Yeah, so I don't know who said this quote originally, so I'm probably going to steal it from somebody.
But there's this mechanics quote. It goes something like, 90% of the problems in a car are between the driver's seat and the steering wheel.
I think you could apply that very easily to IT.
In terms of, do these info stealers target companies?
I'm not going to say no.
I'm sure there are criminals out there that are definitely targeting specific companies, but oftentimes it
really seems like more of a spray and pray methodology, right? We're going to infect the
maximum number of victims that we possibly can. And then in sorting through, you know, the proceeds
of those infections, we'll find a gem. And that gem might be if you're an initial access broker,
maybe it's some Fortune 500, Fortune 1000 company that you're going to be able to
sell that access to a ransomware affiliate that can then infect that company or exfiltrate data
and charge a ransom. It could be on the lower level, somebody that's interested in carding
or identity theft. All they're looking for is things that they can sell to other criminals or even use themselves. It could be even more simple than that.
So the real big danger really in all of that is corporations are made up of individuals, right?
So even if something isn't necessarily targeting you as a corporation by name, your employees
being human beings and being online people are
still part of that targeting pool. So if you have a situation where you have maybe unmanaged or
under managed, or you have like bring your own device policies, basically anything that, you
know, allows access to your environment that's not necessarily tightly controlled or monitored,
you're kind of increasing your vulnerabilities to this kind of malware because those employees that are doing things
maybe on their personal device could leak information that does connect back to your
corporate infrastructure and then in turn could turn into a significant event.
What are your recommendations then? I mean, for folks to best protect themselves against this,
what sort of things should they be focused on? Yeah, so we just released a report that in part surveys a bunch
of security professionals asking a lot of questions about how they see InfoStealers,
whether they're worried about them, what their security controls consist of. Alongside that,
my team, my research team, did, our own research on the data.
And we looked at what do we see in these logs and kind of what context can we provide to the
greater survey. And one of the things that was really interesting from that was we found
greater than one fifth of all of the InfoStealer logs. So these are logs, folders, you can think
of them like folders containing a
bunch of files that were stolen from a device. One fifth, so 20% of those logs had an installed
antivirus appliance at the time of execution. So the easy thing would be to say, you know,
make sure your security controls are very good. Make sure you have good antivirus,
make sure it's well updated, make sure you have visibility of your networks, you know,
you decrease bring your own device policies, you monitor things like MFA, and you have good, you know, cookie revocation
policies, all of those things that are great policies in general, none of that is infallible,
right? And I'm not saying don't do that stuff, like, definitely do all of that, please. But,
you know, as a security practitioner, it's really good to do all of those things
and still have a backup plan.
And I would say that backup plan really is visibility.
And it's visibility beyond
what we traditionally consider part of
the sort of digital forensics incident response process.
So we're hyper-focused on devices.
We're really focused on networks
and things like firewall logs and application logs and all these kinds of things. But with InfoStealers especially,
we have this sort of wildcard variable at play that is everything that was taken from that device
that we might not have a record of. If you ask me like, hey, give me a list of all of the accounts
that you have. I mean, I could probably construct like an 80% list, but I don't know all the
accounts that I have, right? Maybe that's just me. Maybe somebody else has a much better awareness
of their online environment. No, I don't think it's just you.
It's hard. I think we all suffer from that. All those legacy accounts that just,
I sometimes call them zombie accounts, because they just hang around and they refuse to die. That's good. Zombie, okay, yeah. Yeah, exactly,
right? There's, I mean, we're so deeply invested in the internet that, you know, our online identity
really has become our identity. You know, IRL has become just RL. And I think, you know, that kind
of situation, it becomes very difficult. So, you know, having that understanding, at least having that understanding, approaching an incident with, I'm going to look at
this device, obviously, I'm going to do a good incident response, you know, forensic-centric
incident response, but also what else could have been stolen? What types of, you know, session tokens
could have been stolen? What are the validity periods of those? What kind of, you know,
maybe there's API tokens, we're talking about like a developer or somebody that has access to that
kind of, you know, internal systems. What other information could be on their intellectual
property? A lot of stealers will actually steal files, you know, full fat files from a desktop or
documents folder. So what was in those files? Is that intellectual property? Is it something that
might be export controlled, right? There's all these other questions that we start asking.
And just having the knowledge and the foresight to ask those questions,
I think is really half the battle. I know you and your colleagues there at SpyCloud,
you have this notion of post-infection remediation. I mean, is that really what we're getting at here?
Yeah, yeah, basically.
So, you know, post-infection remediation,
again, with the names, you know,
we're pretty simple people.
I think it's pretty descriptive.
Gotta break it down for people like me
that used to work for the government.
But it's basically that.
Do all the great incident response things
that, you know, we've all learned from SANS
or whoever else.
We've gone to all these classes and learned these things.
Do those, but also consider outside of the device, especially as we start, or not even start, right?
This is well on its way.
We're very cloud-focused now.
We've got all these different appliances.
We have third-party appliances, security appliances that are out there, SSOs.
Our environment is no longer just a computer or even just a network, right? Our corporate
environment is much larger now. So consider those things and understand things like,
if I have a cookie, an authentication cookie, and it's valid, and I also have some basic device
information like your screen size and your OS type, some of that stuff, I can become you,
right? It's not hard. There's open source tools out there that allow me to essentially emulate
your device and pass that cookie as if I was just hitting F12 and refreshing the page.
And so in that kind of a situation, you can have the best multi-factor authentication in the world.
If I can do that, and maybe I can exit from, you know, I get a residential proxy in one of your neighbors down the street, or even you specifically, right, your
own router, I can look basically identical. And so it's very difficult to control for that. So
PIR is basically, let's summarize all of that, bring ourselves, you know, expand your consciousness.
It's like that, you know, big
brain meme, right? Expand your consciousness beyond just this device and think about all the other
pieces of information that we create either intentionally or unintentionally and are still
out there in the environment that we need to control for. As you're out and about, you know,
working with folks on this problem, to what degree are they self-aware?
I mean, are people accurate and up to date on the reality of their vulnerability to this?
Or are people whistling past the graveyard?
I like that, whistling past the graveyard.
I think security, I'll speak for myself, I have a tendency
to be overly pessimistic. We have an amazing amount of experience and knowledge and, you know,
there is a lot of awareness. Now, is that enough? I don't know the answer to that question
necessarily. I think, you know, going back to the survey that we did, we had a lot of respondents say
that they were concerned about this and that they're, you know, they're at least cognizant.
I think one of the statistics was like 98%, I want to say, they would want better visibility
into at-risk appliances.
So that tells me that people are at least aware of what they don't know, you know,
knowledgeable that they need to close that gap as much as possible. But when you get into the
specifics, especially about InfoStealer malware, because it is very niche, right? This is something
that not everybody has dedicated their life to this. Like I have, I don't recommend that. In fact,
you should have a hobby. But you know, something that specific, that is much more niche.
And so that's why I see what I like doing is what you're offering me today, a platform to come on
and talk about this. Because I'm not saying you're going to listen to this podcast and become an
expert on InfoStealers. But hopefully, some of the things that I've said have hit a nerve. And maybe
if you were part of that 98% that said, yeah, we want to know more, maybe one of these things that I said
has kind of keyed into that
and given you a question to ask
or a bit of information to go after.
So that's kind of what I would say
in terms of like general knowledge
and how do we spread the message.
I think it's just kind of being repetitive
and saying the same things
and highlighting what I see
and some of my peers see
as significant vulnerabilities
and things that are precursors, things like ransomware, and then raising the visibility kind of writ large.
We'd like to thank Rick Doten, the CISO for Healthcare Enterprises and Centene,
and Trevor Hilligoss, the Director of Security Research at SpyCloud,
for helping us get our arms around the idea of post-infection remediation.
And we'd like to thank SpyCloud for sponsoring the show.
This has been a production of the CyberWire and N2K.
And we feel privileged that podcasts like CyberWireX
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent
intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the
value of your biggest investment, people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
Our senior producer is Jennifer Iben. Our sound engineer is Trey Hester.
And on behalf of my colleague, Dave Bittner, this is Rick Howard signing off. Thanks for listening.