Concerns About Infostealer Malware on the Rise

A survey of 320 IT security professionals in the U.S. and the United Kingdom found more than half (53%) are extremely concerned about their ability to thwart attacks that exfiltrate authentication data.

The survey, conducted by SpyCloud, a provider of a cybersecurity analytics platform, also found that, in the wake of a breach, more than a quarter of respondents (27%) admitted their organization doesn’t routinely review their application logs for signs of compromise.


Well over a third (36%) don’t reset passwords for potentially exposed applications and 39% don’t terminate session cookies.

Trevor Hilligoss, senior director of security research at SpyCloud, said these issues are troubling because the techniques cybercriminals are using to exfiltrate data have evolved. Instead of injecting malware into an IT environment that might be activated sometime later, cybercriminals are now activating malware, known as infostealers, to immediately steal authentication data such as credentials and cookies that can be used to access other services, he noted.

The malware then automatically deletes itself to leave no trace for cybersecurity teams to follow; no one knows for sure what authentication data may have been stolen, he noted.

As a result, cybersecurity teams need to assume that all the authentication data on a breached system has been compromised, said Hilligoss. In fact, SpyCloud estimates that every authentication breach potentially provides cybercriminals with access to, on average, 26 business applications.

Of course, if no one is sure whether a system has been compromised, it’s a best practice to no longer make use of tokens or any other type of persistent mechanism for authentication, he noted.

Overall, the survey found 57% of respondents worked for organizations that allowed employees to synchronize browser data between personal and corporate devices, with 54% acknowledging they struggle with shadow IT issues arising from the use of unsanctioned applications and systems. More than a third (36%) work for organizations that allow unmanaged personal or shared devices to access business applications and systems.

In addition, previous SpyCloud research found 20% of all malware logs had an antivirus program installed at the time of successful exfiltration, so the need for additional tools to combat infostealers is apparent, noted Hilligoss.

In effect, cybercriminals are employing “smash and grab” techniques to steal authentication data. The challenge is that, even when cybersecurity teams discover that data has been exfiltrated, they are not sure exactly how vulnerable they are. Each time a breach is discovered, all the authentication mechanisms on any given system need to be updated, including the cookies used to provide access to external services, noted Hilligoss.
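As an added illustration of the log review and session revocation that many respondents skip (example code, not SpyCloud's or the article's): the script binds each session cookie to the browser that logged in, flags the same cookie turning up from a different client, which is how a replayed stolen cookie looks in application logs, and, following Hilligoss's advice, terminates every session of an affected user rather than only the flagged one. The log format, field names and sample entries are constructed for the example.

```python
import json
# Constructed sample application log (JSON lines, one request per line); not real data.
SAMPLE_LOG = """
{"ts":"2023-09-01T08:00:01Z","event":"login","user":"alice","sid":"s-1001","ip":"203.0.113.10","ua":"Firefox/117 (Windows)"}
{"ts":"2023-09-01T08:02:40Z","event":"login","user":"alice","sid":"s-1003","ip":"203.0.113.10","ua":"Mobile Safari/16 (iOS)"}
{"ts":"2023-09-01T08:05:12Z","event":"request","user":"alice","sid":"s-1001","ip":"203.0.113.10","ua":"Firefox/117 (Windows)"}
{"ts":"2023-09-01T08:10:00Z","event":"login","user":"bob","sid":"s-2002","ip":"192.0.2.5","ua":"Safari/16 (macOS)"}
{"ts":"2023-09-01T08:30:00Z","event":"request","user":"bob","sid":"s-2002","ip":"192.0.2.9","ua":"Safari/16 (macOS)"}
{"ts":"2023-09-01T09:42:30Z","event":"request","user":"alice","sid":"s-1001","ip":"198.51.100.77","ua":"Chrome/116 (Linux)"}
"""

def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_replay(events):
    """Bind each session ID to the client that created it at login; flag later requests
    that present the same cookie from a different client. Returns (user, sid, severity, detail)."""
    bound = {}  # sid -> (ip, ua) observed at login
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["sid"]
        if ev["event"] == "login":
            bound[sid] = (ev["ip"], ev["ua"])
            continue
        if sid not in bound:
            continue  # cookie issued before this log window; nothing to compare against
        ip, ua = bound[sid]
        if ev["ua"] != ua:
            # A stolen cookie imported into another browser arrives with a new user agent
            findings.append((ev["user"], sid, "high", f"user agent changed: {ua} -> {ev['ua']}"))
        elif ev["ip"] != ip:
            # Same browser, new address: often roaming, but worth a look after a breach
            findings.append((ev["user"], sid, "low", f"ip changed: {ip} -> {ev['ip']}"))
    return findings

def revocation_plan(events, findings):
    """Terminate every session of a flagged user, not only the flagged cookie, and force a
    password reset when a replay was seen, since the rest of the stolen data is unknown."""
    plan = {}
    for user, _sid, severity, _detail in findings:
        entry = plan.setdefault(user, {"terminate": set(), "reset_password": False})
        entry["reset_password"] |= severity == "high"
    for ev in events:
        if ev["user"] in plan:
            plan[ev["user"]]["terminate"].add(ev["sid"])
    return plan

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(revocation_plan(evs, detect_replay(evs)))
```

A user-agent change within a session is treated as high severity because a cookie exported by an infostealer and loaded into another browser almost always arrives with a different user agent, whereas an IP-only change is common for legitimate roaming clients.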

The total cost of a cybersecurity breach is rising as the remediation process becomes more extensive. The best approach to containing those costs is to regularly rotate authentications on the assumption that an infostealer has compromised the IT environment. The challenge, of course, is that achieving that goal requires both technical and cultural changes in the way cybersecurity is currently managed in most organizations.


Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
