Darknet Exposure Trends: Threat of Infostealer Malware Surges
When approaching cybersecurity practitioners about the impact of malware infections in the mid-2010s, I was commonly met with some level of indifference. At the time, malware didn’t seem to be more than a blip on the radar, and I commonly heard things like, “we see very few infections, and if we do spot one, it’s a relatively simple process to reimage the device and clear the infection.” Or, “we don’t allow BYOD, and our corporate devices are locked down, so malware is not a concern.” Enterprises seemed to largely be saying they were more concerned about implementing multi-factor authentication (MFA) or migrating to the cloud.
But let’s fast-forward a few years…
Malware rears its ugly head
Last year there were over 5.5 billion malware attacks. So today, the malware conversation looks notably different.
In a post-COVID era where remote and hybrid work reigns supreme, many employees access work applications from anywhere. And even though organisations have taken steps to secure their remote workforce, a good percentage still allow poor security practices in exchange for convenience and business continuity. For example, 57% of organisations allow employees to sync browser data between corporate and personal devices, and 36% allow unmanaged or shared devices to access business applications.
Additionally, more than 50% of organisations have employees setting up systems and applications without IT’s consent. Oftentimes, these ‘shadow IT’ apps lack basic security controls, creating even more blind spots and complexity. Unsanctioned applications can unintentionally host a treasure trove of sensitive corporate ‘shadow data’ that is created, stored, or shared outside of the security team’s purview.
Together, the widespread use of unmanaged personal devices or under-managed contractor devices, browser syncing, and shadow IT increase both the potential attack surface and the potential payload for cybercriminals when an attack is successfully launched.
Whatever the entry point, a single infostealer malware infection exposes access to an average of 26 business applications, according to SpyCloud research. The same study revealed that organisations aren’t confident in their ability to identify application exposures: 36% of organisations don’t reset exposed application passwords, and more than a quarter don’t even review application logs for signs of compromise.
How infostealer malware delivers authentication data straight into cybercriminals’ hands
Let’s back up to discuss how malware-infected devices create a direct path into an organisation. Infostealer malware exfiltrates valid identity data from the infected device: login credentials for target URLs, along with authentication cookies/tokens and even passkeys. Attackers can then use this data to impersonate employees with that access and carry out cybercrimes including account takeover, session hijacking, and ransomware attacks. Nearly half of the darknet-exposed data that SpyCloud recaptured last year came from botnets (a common method for deploying infostealers), and this trend is growing rapidly.
The good news is that security professionals are starting to wake up to the threat of infostealer malware. This year, 99% of those surveyed agreed that their organisation is concerned about malicious actors’ use of malware-exfiltrated data to perpetrate follow-on attacks such as account takeover and ransomware. That’s a 12% jump from just one year prior.
Despite the rising concern, security teams still lack the necessary tools to investigate the impact of these infections and remediate effectively to prevent follow-on attacks. Contrary to popular belief, wiping and reimaging a device no longer completely remediates a malware infection: infostealer malware is increasingly “dissolvable,” stealing data and removing itself in seconds, leaving no trace, and by then the exfiltrated credentials and session tokens are already in criminals’ hands, where a reimage cannot reach them.
It’s crucial that organisations evolve beyond a device-centric malware response framework to an identity-centric one, taking additional steps to reset application passwords and invalidate session cookies/tokens as part of a comprehensive post-infection remediation process.
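As an added illustration of the identity-centric remediation described above (example code written for this page, not SpyCloud’s product or research), the script below takes one constructed infostealer exposure record for a single user plus a few constructed application access-log lines. It flags any session whose exfiltrated cookie value was presented after the infection time (the session-hijacking path that a device reimage leaves untouched), and then builds the remediation plan: reset the password for every exposed application and invalidate every exposed session, regardless of whether replay was observed, with the applications that showed replay listed first for log review. The record layout, field names, applications, cookie values and IP addresses are all assumptions made for the example.

```python
"""Added example, not SpyCloud's code: identity-centric post-infection
remediation for one infostealer exposure. Every record below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Exposure:
    """One recaptured infostealer record for a single user (assumed shape)."""
    user: str
    infected_at: datetime
    credentials: dict   # target URL -> username the stealer captured
    cookies: dict       # cookie name -> cookie value captured from the browser


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    app: str
    cookie_name: str
    cookie_value: str
    src_ip: str


# Constructed exposure record for one employee.
EXPOSURE = Exposure(
    user="jdoe@example.com",
    infected_at=datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc),
    credentials={
        "https://crm.example.com/login": "jdoe",
        "https://mail.example.com/": "jdoe@example.com",
    },
    cookies={"crm_session": "sess-5d41402a", "mail_sid": "sid-7d793037"},
)

# Constructed application access log:
# "<iso timestamp> <app> <cookie name> <cookie value> <source ip>"
ACCESS_LOG = """\
2024-03-01T08:55:00Z crm crm_session sess-5d41402a 203.0.113.10
2024-03-01T11:12:00Z crm crm_session sess-5d41402a 198.51.100.77
2024-03-02T07:40:00Z mail mail_sid sid-7d793037 198.51.100.77
2024-03-02T09:00:00Z crm crm_session sess-0badc0de 203.0.113.10
"""


def parse_log(text):
    """Parse the constructed space-separated log into AccessEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, name, value, ip = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AccessEvent(when, app, name, value, ip))
    return events


def find_replayed_sessions(exposure, events):
    """Return (event, from_new_ip) pairs for every use of an exfiltrated cookie
    value at or after the infection time. A stolen session cookie that keeps
    working server-side is the hijacking path a reimage does not close; the
    flag marks uses from an IP never seen with that cookie before infection."""
    stolen = set(exposure.cookies.values())
    seen_before = {}
    for e in events:
        if e.ts < exposure.infected_at:
            seen_before.setdefault(e.cookie_value, set()).add(e.src_ip)
    hits = []
    for e in events:
        if e.cookie_value in stolen and e.ts >= exposure.infected_at:
            from_new_ip = e.src_ip not in seen_before.get(e.cookie_value, set())
            hits.append((e, from_new_ip))
    return hits


def build_remediation_plan(exposure, events):
    """Identity-centric remediation: reset every exposed credential and
    invalidate every exposed cookie whether or not replay was seen, because
    the data is already in criminal hands; list replayed apps for log review."""
    replayed = find_replayed_sessions(exposure, events)
    return {
        "user": exposure.user,
        "reset_passwords": sorted(exposure.credentials),
        "invalidate_sessions": sorted(exposure.cookies),
        "review_first": sorted({e.app for e, _ in replayed}),
        "replayed_from_new_ip": [
            f"{e.ts.isoformat()} {e.app} {e.src_ip}" for e, new_ip in replayed if new_ip
        ],
    }


if __name__ == "__main__":
    for key, value in build_remediation_plan(EXPOSURE, parse_log(ACCESS_LOG)).items():
        print(f"{key}: {value}")
```

The plan deliberately does not make session invalidation conditional on seeing a replay: the absence of a hit in the logs only means the cookie has not been used yet, not that it was not stolen. The replay list exists to prioritise which application logs the responder reviews first.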
Learn more about your organisation’s malware exposure at ICE London
SpyCloud gives your team full visibility into infostealer infections – even on unmanaged devices – arming you with the ability to act on stolen authentication data before attackers can use it against you.
Meet the SpyCloud team at Stand L31 during ICE London to check your darknet exposure, including how many cookies and credentials tied to your domain have been exfiltrated from malware-infected devices. You can also catch SpyCloud’s speaking session, Malware Here, There & Everywhere: Top Identity Exposure Trends from the Criminal Underground, at 10:05 am in the Tech Hub on Day 1 to learn more about other critical malware and breach exposure trends and best practices for protecting your organisation.