Malicious actors are finding success deploying information stealer (infostealer) malware, combining stolen credentials and social engineering to carry out high-profile breaches and leveraging multifactor authentication (MFA) fatigue attacks.
These were among the findings of a report from Accenture’s Cyber Threat Intelligence team (ACTI) surveying the infostealer malware landscape in 2022, which also noted a spike in the number of Dark Web advertisements for a variety of new infostealer malware variants.
The marketplace for compromised credentials is also growing, according to the report, which takes an in-depth look at a Russian market site used by malicious groups RedLine, Raccoon Stealer, Vidar, Taurus, and AZORult to obtain credentials for sale.
Paul Mansfield, cyber-threat intelligence analyst at Accenture, explains that the most important point to understand about the rise of infostealer malware is the threat to corporate networks.
“There are many examples throughout 2022 of infostealer malware being used to harvest the credentials which serve as an entry point for further attacks,” he says.
For Mansfield, the most concerning finding from the report was the damage that can be done at such little cost to the threat actor.
“The malware generally costs around $200 for one month plus a few other minor additional costs,” he notes. “During that time, they can steal a high volume of credentials from around the globe, pick out the most valuable for targeted attacks — of which there have been several high-profile examples in 2022 — and sell the rest in bulk to marketplaces for others to do the same.”
Ricardo Villadiego, co-founder and CEO of Lumu, says the rise of infostealer malware is a consequence of the ransomware-as-a-service business (RaaS) model boom.
“There are as many variants of infostealers as people willing to pay for the code,” he explains. “The people behind infostealer malware attacks range from individuals with low technical skills to groups allegedly sponsored by governments.”
He adds that what those groups have in common is an interest in gathering sensitive data: personal data from victims’ computers, including login credentials, bank account details, cryptocurrency addresses, and granular location data.
“They understand that information is currency in the modern world,” Villadiego says.
Beyond the Limits of MFA
The report highlighted the growing effectiveness of MFA fatigue attacks, which involve repeated attempts to log on to an MFA-enabled account using stolen credentials, thereby bombarding a potential victim with MFA push requests.
An earlier report found that while MFA has gained adoption among organizations as a way of improving security over passwords alone, increasing theft of browser cookies undermines that security.
“MFA uptake has been rapid since the shift to remote working caused by COVID that now means many workers are conditioned to automatically accepting MFA requests, associating them with security,” Mansfield says. “Threat actors have realized this and are attempting to take advantage of it.”
Villadiego points out that MFA fatigue is an “incredibly simple” technique, and it was popularized because of the Uber breach.
The bad actor appeals to the user getting “tired” of multiple push notifications claiming to be second-factor verifications and he or she accepts it to make it go away.
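As an added example (not from the report or the article), the following Python sketch shows detection logic a security team could run over authentication logs to spot the pattern described above: many MFA push prompts to one account inside a short window, and an approval that follows a burst of rejections or timeouts. The log format, field names and sample lines are constructed for this illustration.

```python
"""Detect MFA push-fatigue patterns in authentication logs (added example).

Flags a user who receives many push prompts in a short window, and
separately flags an approval preceded by a burst of denials/timeouts,
i.e. the point at which a worn-down user may have accepted the prompt.
The log format and field names are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <user> <result> <source_ip>"
SAMPLE_LOG = """\
2022-12-01T08:00:05Z alice push_denied 203.0.113.7
2022-12-01T08:00:40Z alice push_timeout 203.0.113.7
2022-12-01T08:01:10Z alice push_denied 203.0.113.7
2022-12-01T08:01:45Z alice push_denied 203.0.113.7
2022-12-01T08:02:20Z alice push_approved 203.0.113.7
2022-12-01T08:00:00Z bob push_approved 198.51.100.2
2022-12-01T09:30:00Z bob push_approved 198.51.100.2
"""

def parse(line):
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip

def detect_push_fatigue(log_text, window=timedelta(minutes=10), burst=3):
    """Return alerts as (user, kind, details), in time order.

    'push_burst': at least `burst` prompts to one user inside `window`.
    'approval_after_burst': an approval preceded by at least `burst`
    non-approved prompts inside `window`.
    """
    events = sorted(parse(ln) for ln in log_text.splitlines() if ln.strip())
    recent = defaultdict(deque)   # user -> (ts, result) pairs inside window
    alerts, burst_flagged = [], set()
    for ts, user, result, ip in events:
        q = recent[user]
        q.append((ts, result))
        while q and ts - q[0][0] > window:   # drop prompts outside the window
            q.popleft()
        if len(q) >= burst and user not in burst_flagged:
            burst_flagged.add(user)          # one burst alert per user
            alerts.append((user, "push_burst", f"{len(q)} prompts from {ip}"))
        rejected = sum(1 for _, r in q if r != "push_approved")
        if result == "push_approved" and rejected >= burst:
            alerts.append((user, "approval_after_burst",
                           f"approved after {rejected} rejected prompts"))
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Bob's two approvals are 90 minutes apart and never fill the window, so only Alice's burst and her final approval are raised.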
“This kind of technique will continue to increase during the holidays and result in high-profile breaches because we have a highly distracted workforce and the temptation to make messages or push notifications go away is even greater,” Villadiego predicts.
He says the key takeaway is that the cybercriminal will find a way for the user to fall for the scam.
“They know that if they try hard enough, and consistently enough, the user will eventually cave in,” he says. “Companies can have all the best-in-breed protection, but attacks evolve infinitely and defenses must evolve as well.”
Villadiego adds it’s about having the right controls and the intelligence in place to mitigate all contacts with the adversary as soon as they get in — and to contain the impact that an attack can have on an organization.
Mansfield says that as threat actors observe how successful other groups have been in 2022 — e.g., those behind Raccoon Stealer, RedLine, and Vidar — more will enter the scene and create a more competitive market.
“This in turn will drive innovation, so we expect to see new stealers with additional features to those we have seen in 2022,” he explains.
Villadiego says that infostealer malware allows cybercriminals to get a “world-class company revenue,” and that’s why Accenture forecasts it will keep growing as one of the predominant attacks affecting companies, individuals, and governments in 2023.
“It’s likely that we’ll see infostealers as one of the top three most prevalent attacks by the end of next year, competing hand in hand with Emotet and cryptomining botnets,” he says.
Defending Against Infostealer Malware
Mansfield says organizations can protect against infostealer malware by keeping operating systems and software fully updated, training staff to spot and deal with suspicious emails and links, and using antivirus software.
He suggests implementing MFA best practices, pointing to the US Cybersecurity and Infrastructure Security Agency (CISA) as a resource that can provide some guidance on the topic.
Villadiego adds one immediate step an organization can take to shore up defenses against infostealer malware is to look inside the network.
“You need broad visibility, and most companies don’t have it,” he says. “You need real-time intelligence of when and how the bad actor is getting in, so you can do something about it before the damage is too great to contain.”
He says it’s important to remember these attacks don’t happen in seconds — the adversaries are leaving breadcrumbs and telegraphing what they are about to do, but IT security teams need to spot the attack and have a way to respond to it in real time.
“The bad guys constantly tell us what they are going to do; we just have to look closely, and we have to believe them, not turn a blind eye,” he says. “There’s no such thing as small threats.”
He points out that many major cyberattacks are preceded by intense cryptomining and domain generation algorithm activity.
“This activity usually goes under the radar of conventional solutions,” Villadiego says. “That’s why modern attacks require paying attention to precursors and acting decisively against threats like infostealers.”