You probably clicked on this article because you thought I was going to provide some career advice or some way to reach your personal goals this year, but I'll apologize now - this article outlines three steps to success for the malicious actor. Hopefully, after I explain how they are achieving this success, you can better protect yourself from an attacker who is using these steps.
This year has been an interesting one for me. I have seen an ever-increasing number of info-stealers targeting specific geographical markets, and in particular, one vertical that exists in that market. But I'm sure the success of these attacks will lead to a spread outside of this vertical.
Honestly, I'd prefer not to dive too deeply into this subject matter as I don't want to raise awareness further around their weak security state and make them an even higher priority target. Needless to say, if it can happen to them, it can happen to anyone.
The info-stealer has become a more valuable starting point for many attackers. Ransomware used to be that starting point, but as organizations find stronger ways of combating it and become less willing to pay, it has become too risky (from the malicious actor's profitability standpoint) to begin there.
Your data has more value outside of your organization than in your organization. Social security numbers, routing and bank account information, intellectual property, and, most important to the next stage of success (for the malicious actor), your passwords. More specifically, your IT security team’s passwords.
There are a couple of reasons for targeting the security team's passwords, but from the malicious actor's point of view, doing so lets them keep abreast of internal awareness of the info-stealer's presence. How would they do this? The passwords I was speaking of are your email passwords and those for your other communication methods (think instant messaging programs). They would monitor your email and other communication channels for specific phrases or terms related to their attack. If the info-stealer's presence is uncovered, the malicious actor would probably skip the next step and move directly to Step 3.
With increased market awareness of the value of cryptocurrency (even though prices are currently going through a normalizing period), using a victim's system resources and power, both free to the malicious actor, for mining is still a profitable business. The only reason most people notice this step is the increased network traffic and the over-taxation of the machine's resources.
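Because the two signals the article names for this step, sustained CPU load and sustained outbound traffic, are the ones a defender can actually measure, here is a small detection heuristic over per-host telemetry. This is an added example and not code from the original article; the telemetry records are constructed, and the thresholds and the process names are assumptions standing in for whatever baseline your own environment establishes. It requires both signals to stay high together for several consecutive minutes, which is what separates a miner from an ordinary CPU-bound job (a compiler, a backup) or a short network burst (a software update).

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    host: str
    minute: int      # one sample per minute, ascending
    cpu_pct: float   # whole-machine CPU utilisation
    out_kbps: float  # outbound throughput, kilobytes per second
    top_proc: str    # process name owning most outbound bytes


def _series(host: str, cpu: List[float], net: List[float], proc: str) -> List[Sample]:
    """Build a minute-by-minute series for one host (constructed data helper)."""
    return [Sample(host, m, c, n, proc) for m, (c, n) in enumerate(zip(cpu, net))]


# Constructed telemetry, not real data: three hosts, ten minutes each.
TELEMETRY: List[Sample] = (
    # ws-01: CPU and outbound traffic both stay high, owned by an unfamiliar process
    _series("ws-01", [94, 96, 97, 95, 96, 98, 97, 96, 95, 97],
                     [310, 325, 330, 318, 322, 340, 335, 328, 319, 331], "updater_helper")
    # ws-02: a local build job, CPU-bound but almost no network
    + _series("ws-02", [91, 95, 97, 96, 94, 93, 97, 96, 95, 92],
                       [4, 6, 5, 3, 4, 7, 5, 4, 6, 5], "cc1")
    # ws-03: a short burst (software update), then idle
    + _series("ws-03", [90, 95, 93, 12, 8, 10, 9, 11, 10, 8],
                       [400, 420, 380, 5, 3, 4, 6, 5, 3, 4], "pkg_update")
)

# Assumed site-specific baselines; tune these from your own normal-hours data.
CPU_THRESHOLD = 85.0   # percent
NET_THRESHOLD = 150.0  # kB/s outbound
MIN_RUN = 8            # consecutive minutes both thresholds must be exceeded


def longest_hot_run(samples: List[Sample], cpu_threshold: float,
                    net_threshold: float) -> Tuple[int, Optional[str]]:
    """Return (run_length, process) for the longest consecutive stretch in which
    CPU and outbound network are both above threshold at the same time."""
    best_len, best_proc = 0, None
    run, run_procs = 0, []
    for s in sorted(samples, key=lambda x: x.minute):
        if s.cpu_pct >= cpu_threshold and s.out_kbps >= net_threshold:
            run += 1
            run_procs.append(s.top_proc)
        else:
            run, run_procs = 0, []
        if run > best_len:
            best_len = run
            # most frequent owning process within the run
            best_proc = max(set(run_procs), key=run_procs.count)
    return best_len, best_proc


def flag_miner_candidates(telemetry: List[Sample],
                          cpu_threshold: float = CPU_THRESHOLD,
                          net_threshold: float = NET_THRESHOLD,
                          min_run: int = MIN_RUN) -> Dict[str, dict]:
    """Group samples by host and report hosts whose combined CPU+network
    run lasts at least min_run minutes."""
    by_host: Dict[str, List[Sample]] = defaultdict(list)
    for s in telemetry:
        by_host[s.host].append(s)
    findings: Dict[str, dict] = {}
    for host, rows in by_host.items():
        run_len, proc = longest_hot_run(rows, cpu_threshold, net_threshold)
        if run_len >= min_run:
            findings[host] = {"sustained_minutes": run_len, "process": proc}
    return findings


if __name__ == "__main__":
    for host, info in flag_miner_candidates(TELEMETRY).items():
        print(f"{host}: {info['process']} kept CPU and outbound traffic high "
              f"for {info['sustained_minutes']} min")
```

Only ws-01 is reported: ws-02 is hot on CPU alone and ws-03 trips both thresholds for only three minutes. In practice you would feed this from your endpoint or NetFlow telemetry, maintain an allowlist of known heavy processes, and treat a hit as a lead for triage (which binary, which destination, since when) rather than as a verdict on its own.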
Once the info-stealer or miner is discovered, the malicious actor typically moves on to Step 3 - the ransomware delivery, or, as I like to call it, the scorched earth approach. The term "scorched earth" comes from a military practice of destroying everything of value in a specific area. Ransomware accomplishes the same task: if you don't pay the ransom, your data could be permanently damaged or lost.
This three-step system ensures some value comes out of an attack campaign. From the malicious actor's point of view, why do the work if they can't make any money out of it? By following these steps, there is financial value to be gained from each step as well as the ability to do some reconnaissance.
Let's revisit each step and review how a basic security strategy can help.
In Step 1, the attackers target specific types of data that they can sell and use for reconnaissance. To combat this:
Step 2 is a little more noticeable:
Step 3 is the most noticeable of all, the ransomware attack:
The point of this article is to shed light on trends in the cybersecurity community. Understanding the motivations and goals of an attacker can only help you strengthen your security standing and find better strategies for protecting your company.