{"id":52772,"date":"2024-12-13T14:05:30","date_gmt":"2024-12-13T19:05:30","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=52772"},"modified":"2024-12-13T14:05:30","modified_gmt":"2024-12-13T19:05:30","slug":"infostealers-targeted-attacks-business","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/infostealers-targeted-attacks-business\/52772\/","title":{"rendered":"Why infostealers are a threat to big business"},"content":{"rendered":"<p>Although malicious programs that hunt for passwords, financial data, and other sensitive data have been around for over 20 years, the word \u201cinfostealer\u201d was coined only in the early 2010s. Recently, however, this relatively simple type of malware has been popping up in an unexpected role \u2014 deployed as a springboard for major targeted hacks and cyberattacks. For example, the theft of the <a href=\"https:\/\/www.nytimes.com\/2024\/05\/31\/business\/ticketmaster-hack-data-breach.html\" target=\"_blank\" rel=\"nofollow noopener\">data of 500 million Ticketmaster customers<\/a> and a <a href=\"https:\/\/www.zdnet.com\/article\/brazilian-ministry-of-health-suffers-cyberattack-and-covid-19-vaccination-data-vanishes\/\" target=\"_blank\" rel=\"nofollow noopener\">ransomware attack on the Brazilian Ministry of Health<\/a> were both traced to infostealers. The main challenge posed by infostealers is that they can\u2019t be defeated solely at the infrastructure level and within a company\u2019s perimeter. The non-work activities and personal devices of employees also need to be considered.<\/p>\n<h2>Modern infostealers<\/h2>\n<p>Infostealers are programs indiscriminately installed on any accessible devices by threat actors looking to steal sensitive information of any kind. 
Their primary target is account passwords, crypto wallet credentials, credit card details, and <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-control-your-cookies\/43303\/\" target=\"_blank\" rel=\"noopener nofollow\">browser cookies<\/a>. The latter can be used to hijack a user session in an online service. In other words, if the victim is logged in to a work account in the browser, by copying cookies to another computer an attacker in some cases can gain access to it without even knowing the victim\u2019s credentials.<\/p>\n<p>Infostealers can also:<\/p>\n<ul>\n<li>Intercept email and chat messages<\/li>\n<li>Pilfer documents<\/li>\n<li>Steal images<\/li>\n<li>Take screenshots of the screen or windows of specific applications<\/li>\n<\/ul>\n<p>And there are <a href=\"https:\/\/www.recordedfuture.com\/research\/rhadamanthys-stealer-adds-innovative-ai-feature-version\" target=\"_blank\" rel=\"nofollow noopener\">exotic specimens<\/a> that apply optical character recognition to read text in JPG image files (pictures of passwords and financial data, for example). The infostealer sends all collected data to the C2 server, where it\u2019s stored pending resale on the dark web.<\/p>\n<p>Among recent years\u2019 technical developments in the field of infostealers are: new methods of <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/infostealer-malware-bypasses-chromes-new-cookie-theft-defenses\/\" target=\"_blank\" rel=\"nofollow noopener\">stealing data from protected browser storage<\/a>, modular architecture for harvesting new types of data from already infected computers, and <a href=\"https:\/\/www.helpnetsecurity.com\/2024\/08\/09\/maas-threat-landscape\/\" target=\"_blank\" rel=\"nofollow noopener\">migration to a service model<\/a> for distribution of this malware.<\/p>\n<p>The cybercriminal market demands versatile infostealers, capable of data theft from dozens of browsers, crypto wallets, and popular applications, such as Steam and Telegram. 
The stealers must also be resistant to detection by security software, requiring developers to make frequent modifications to the malware, repackage it, equip it with anti-analysis and anti-debugging tools, and beef up its stealth. The \u201cvendors\u201d also often need to re-upload packaged malware to different hosting sites. This is necessary because old sources of malware are quickly blocked by infosec companies in cooperation with search engines and hosting providers.<\/p>\n<p>Infostealers are mainly made for Windows and macOS systems \u2014 with the latter no longer an exotic niche but an up-and-coming segment in the cybercriminal market. There are stealers for Android, too.<\/p>\n<p>Some common delivery channels for infostealers are spam and phishing, malicious advertising, and SEO poisoning. Besides campaigns in which infostealers are bundled with pirated software or game cheats, such malware may also be installed under the guise of a browser or antivirus update, or of a video conferencing application. But in general, attackers monitor the zeitgeist and clothe their malware accordingly: this year, fake AI image generators were popular, and during the global CrowdStrike outage, there even appeared an infostealer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fake-crowdstrike-repair-manual-pushes-new-daolpu-infostealer-malware\/\" target=\"_blank\" rel=\"nofollow noopener\">masquerading as device recovery instructions<\/a>.<\/p>\n<h2>Infostealer ecosystem<\/h2>\n<p>A clear division of labor has taken root in the world of cybercrime. Some threat actors develop their own infostealers \u2014 plus the tools to manage them. Others get these programs onto victims\u2019 devices using phishing and other techniques. Still others utilize stolen data. These three categories of criminals usually operate independently \u2014 not as one group, but they do have commercial relations with each other. 
The first of them increasingly offers infostealers under the malware-as-a-service (MaaS) model, often packaged with a handy cloud-based dashboard for customization.<\/p>\n<p>The operators of actual attacks spread the malware but don\u2019t use the stolen data themselves \u2014 instead putting large databases of harvested information up for sale on underground forums where other cybercriminals buy them and search for specific data they want using special tools. The same database can be purchased and repackaged many times: some buyers will extract gaming accounts, others look for bank card details or accounts in corporate systems. This latter type of data in particular has been gaining popularity since 2020 as threat actors have come to realize it provides a stealthy and effective way to penetrate an organization. Stolen accounts allow them to log in to a corporate system as a real user without exploiting any vulnerabilities or malware \u2014 thus arousing no suspicion.<\/p>\n<p>The COVID-19 pandemic forced companies to make greater use of cloud services and allow remote access to their systems, causing the number of potentially vulnerable businesses to skyrocket. And more company employees are now using remote access from personal computers, where information security policies are less well-enforced (if at all). Thus, a home computer infected with an infostealer can ultimately lead to unwelcome guests in the corporate network.<\/p>\n<p>Attackers who have obtained corporate credentials verify their validity and pass this filtered data to the operators of targeted cyberattacks.<\/p>\n<h2>How to guard against infostealers<\/h2>\n<p>Securing every corporate computer and smartphone (EDR\/EMM) is only the start. You need to also protect all employees\u2019 <strong>personal<\/strong> devices against infostealers, and, in case of infection, mitigate the consequences. 
There are several ways to address this issue \u2014 some of which complement each other:<\/p>\n<ul>\n<li>Deny access to corporate systems from personal devices. The most drastic, inconvenient, and not-always-feasible solution. In any case, it doesn\u2019t fix the problem entirely: for example, if your company uses public cloud services (email, file storage, CRM) for work tasks, a blanket ban will be impossible.<\/li>\n<li>Use group policies to <a href=\"https:\/\/www.kaspersky.com\/blog\/disable-browser-sync-enterprise\/47460\/\" target=\"_blank\" rel=\"noopener nofollow\">disable browser synchronization<\/a> on corporate computers so that passwords don\u2019t end up on personal devices.<\/li>\n<li>Implement phishing-proof two-factor authentication at the corporate perimeter, in all important internal and public services.<\/li>\n<li>Make mandatory the installation of an <a href=\"https:\/\/www.kaspersky.com\/next?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____a8c0f733e524af27\" target=\"_blank\" rel=\"noopener nofollow\">Enterprise Mobility Management (EMM)<\/a> solution on personal laptops and smartphones in order to monitor their security (check for up-to-date security solution databases, whether the solution is disabled, and whether the devices are password- and encryption-protected). 
A properly configured EMM system maintains strict separation of work and personal data on the employee\u2019s device and doesn\u2019t affect personal files and applications.<\/li>\n<li>Deploy an advanced <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-benefit-from-identity-security\/48399\/\" target=\"_blank\" rel=\"noopener nofollow\">identity management system<\/a> (for the accounts of employees, devices, and software services) across your organization to help quickly locate and block accounts showing abnormal behavior; this will prevent, for example, employees from logging in to systems not needed for work or from suspicious locations.<\/li>\n<li>Get the latest <a href=\"https:\/\/dfi.kaspersky.com\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\" rel=\"noopener nofollow\">dark-web threat intelligence<\/a> with live reports on fresh leaks of your corporate data (including stolen accounts).<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>How a simple, well-known general threat became a key targeted-attack vector on companies. 
<\/p>\n","protected":false},"author":2722,"featured_media":52773,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[187,3244,422],"class_list":{"0":"post-52772","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-passwords","10":"tag-stealers","11":"tag-threats"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/infostealers-targeted-attacks-business\/52772\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/infostealers-targeted-attacks-business\/28379\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/infostealers-targeted-attacks-business\/23637\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/infostealers-targeted-attacks-business\/28511\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/infostealers-targeted-attacks-business\/38774\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/infostealers-targeted-attacks-business\/34463\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/infostealers-targeted-attacks-business\/34087\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/stealers\/","name":"stealers"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52772","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=52772"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-j
son\/wp\/v2\/posts\/52772\/revisions"}],"predecessor-version":[{"id":52774,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52772\/revisions\/52774"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/52773"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=52772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=52772"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=52772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}