Hundreds of thousands of new malware variants emerge every single day, according to the AV-TEST Institute. We often hear about the most devastating malware attacks or those that spread most broadly, but unfortunately, there are many malware strains that slip under the radar and escape widespread attention due to the sheer volume of malware.
“These days, attackers are spoiled for choice when it comes to how they can get an infection started on a network,” Marc Laliberte, Sr. Security Analyst at WatchGuard, says.
We recently sat down with Laliberte to learn more about how these attacks happen and some recent malware strains which are creeping up on corporate data in 2021.
How malware attacks happen
According to Laliberte, the majority of attacks still start with a phish in some way or another.
“Sending an email or even a text message these days to try and trick an employee into either downloading a file, or going to a fake login portal and giving up their credentials. And then through that access, either just the victim downloading wherever the attachment or file was, or giving up their credentials, the threat actors can gain a foothold on the network and then do whatever they want,” he says.
Resource: IT Pro Tips for Avoiding a Phishing Attack
Laliberte’s team has also seen examples of exploit kits still running rampant on the internet, where if they can trick you into going to a malicious website under their control, and you’re not running an up to date version of your web browser, they can automatically exploit that start to attack.
Current malware strains to guard against
“A class of malware that we’ve seen really grow in popularity, are web shells,” he says. The problem with web shells is they can tend to be really difficult to detect, once they get on that server.
“An organization will have a a web server of some kind exposed to the internet. Maybe it’s their payroll application, maybe it’s Outlook Web Access. And a threat actor can exploit a vulnerability and basically drop a file on that server that then opens up a backdoor for them straight through the web application with the same permissions that that server has.”
Through that backdoor, they can then pivot and hit other holdings behind that company’s network and behind their perimeter. We’ve seen a lot of examples of these recently.
RanumBot
Hackers use this botnet attack to take over a user’s computer, and WatchGuard has recently associated it with the Remk ransomware strain specifically. Like the more popular Razy malware, it started off as a basic botnet trojan, but will now contain ransomware capabilities as well.
Laudanum
This was actually designed way back in 2014 for penetration testers.
Attackers use this web shell hack-tool to upload various file types to a website. It can take over control of the entire site if the website contains vulnerabilities in any of the languages that Laudanum covers.
The WatchGuard Threat Lab team has identified these and other variants of interest through the Firebox Feed data examined in its quarterly security reports.
Defending against them
Laliberte says it really boils down to inspecting traffic to your web server.
“Most network security appliances these days, can do HTTPS inspection really well, they basically do a man in the middle connection, decrypted inside their little ecosystem and then re encrypted on both ends.
“Now you can look for malware payloads like web shells, or just straight up malware binaries that are getting dropped on the server to and run them through anti malware tools as well. It’s through a combination of those on the perimeter with Endpoint Protection and endpoint detection response on the server itself that you really set yourself up for a chance of combating these threats.”
Other suggestions Laliberte makes:
- Look for out of date servers or applications that could maybe get patched
- Look for ones that don’t have adequate layers of protection in front of them and focus on those
- Invest in network perimeter detection with inspection and HTTPS and encrypted traffic whenever you can
- Employ strong Endpoint Protection backing that up
- Inspect encrypted traffic through your corporate perimeter
Leave a Reply