CyberWire-X 7.23.23
Ep 47 | 7.23.23

Infostealer Malware 101: mitigating risks and strengthening defenses against this insidious threat.


[ Music ]

Rick Howard: Hey everyone, welcome to CyberWire-X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, N2K's chief security officer and the CyberWire's chief analyst and senior fellow. Today, Dave Bittner, the senior producer and host of many of the CyberWire's podcasts, will be joining me at the CyberWire's Hash Table to discuss post-infection remediation, or PIR. After the break you'll first hear my conversation with Rick Doten, the CISO for Healthcare Enterprises at Centene, and then Dave will talk with Trevor Hilligoss, the director of security research at SpyCloud, the sponsor of this show. Come right back.

[ Music ]

Rick Howard: Incident response has been around as a concept since the late 1980s, when it practically sprang out of whole cloth from Dr. Clifford Stoll, when he published his Communications of the ACM journal article called Stalking the Wily Hacker in 1988, and his subsequent Cybersecurity Canon Hall of Fame book, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, in 1989. While tracking East German hacker mercenaries hired by the Russian government to break into U.S. academic systems in order to compromise U.S. Government systems (because, let's face it, back then there really wasn't anything close to cybersecurity; the internet was mostly a collection of cans tied together by strings), Dr. Stoll invented incident response, and for the most part, the practice hasn't really changed much in terms of the big picture. To get some color on that, I reached out to Rick Doten, an old friend of mine, a regular here at the CyberWire Hash Table, and, fun fact, a judge multiple times at the American Pie Council's Annual National Pie Championships. Who knew? But he's also the CISO for Healthcare Enterprises at Centene, a Fortune 500 company, and in his early days, he managed the commercial penetration and incident response team. So, I started out asking him what it was like in those early days after Dr. Stoll invented the idea.

Rick Doten: Yeah, I originally ran ethical hacking teams in the late '90s and the early 2000s and then we realized that we needed to respond to incidents that our customers had and so we put together one of the first forensics retainers on being able to do that. I mean obviously we weren't the first, but our peers at 2000-2001 were doing the same thing. It's a niche thing. Not a lot of people do this and even in the executive group, you know, very few CISOs came up through the incident response. You and I have talked about over, you know, the last decade that you know, that the defense industrial base, this intelligence response was a very common thing that was not in other industries outside of DC and so you know, we had to educate folks and you know, 10, 13 years ago, in other industries, including the financial industry, about hey, don't just like; what happened, how'd it happen, make it stop, make sure it doesn't happen again. There's a whole bunch of little things in between that we want to learn from and do to you know, enrich that. In cybersecurity, you know, I always say that a pen tester, and an incident responder are two sides of the same coin. And so we found the pen testers made really good incident responders because they're digging through and looking for things to be able to say, what happened, how it had happened.

Rick Howard: That's a really interesting insight, because as a pen tester it's more often [inaudible] so you have that perspective but if, then if you're going to turn around to be an incident responder, you know how the offensive guys team did it and so you're looking for things, right? On the defensive side that you can shore up. I had not really put that together and you would think I would have done that by now.

Rick Doten: Well it's also the personality of being able to thrive in chaos, failing quickly, doing multiple things at once. These are things that both sides do really well, as opposed to like a pure play forensics person who is very single threaded, you know, doing things very meticulously for maintaining chain of custody, you know, or much slower in their process and don't want to fail because I've got to get this image correct because I only have one shot at it. And so, the forensics piece of the actual acquisition is very different, but incident response is exactly how it's described, it's the opposite of pen testing.

Rick Howard: Well, and there's all kinds of phases to incident response too, right? Besides just stopping the pain, okay, there are lots of things you have to do inside the company, in terms of managing crisis and deciding if it's serious and deciding if it's not. How far you need to escalate it up the company, doing a public announcement, and we're not even talking about all that. We're really just, in this discussion, we're just talking about the technical things that you need to get done, and I was really intrigued at something you said when we were discussing this before we came on the air, Rick. You know, most small, medium-size organizations don't have the resources to do a full-out incident response action plan. Most people just want to stop the pain and, you know, get them out.

Rick Doten: Yeah, what I say all the time is, remember, there's a Fortune 500 and five million other companies. You know? So that's 0.00001 percent that have resources, money, and people. And most don't. When I was a virtual CISO for five years, the thing that I found most lacking in all my customers around the world is no incident response program. You know, they had boxes that were lighting up when things happened. They had things that were supposed to do protection and detection, but if something happened, A, they weren't alerted, and B, they didn't know what to do, because there was no plan and there were no people. So I think that's the thing that most organizations don't have. They just expect the technology to protect them and detect if something's wrong and tell them what to do about it, and not this whole formulated thing that you described. There's communication and there's maybe legal involved, there's, you know, people involved, there are data protection and privacy things involved, there are business resiliency things involved, and it's not just a what happened and, you know, make it stop.

Rick Howard: Or even for startups, small and medium-sized companies, stop the pain, yes, yes, yes, all that and more. But there might be some things you want to do after it's all over, and they're called post-infection remediation, which is a fancy name for things you need to do after the pain has stopped and you're trying to recover from all this, and one of them was remove the malware if possible. I wonder if you could talk about that, because that seems to be a problem, not even for small companies but for, I don't know, even Fortune 500 companies. That malware seems to find its home somewhere that no one has located before.

Rick Doten: Yeah, I mean the last 10 years, we've had much more persistent adversaries who want to maintain this persistence, and so it's not just a, here's a file that's known to be bad and your antivirus catches it and quarantines it. But it is a multi, sometimes, multi-stage process. There might be a PDF that is completely benign until you open it and it launches an executable, which then installs some registry entries to put some hooks in, opens up a listener for a command and control channel, and then, you know, goes and tries to mail itself or propagate itself across the domain to other systems. And so, when you find that this one patient is infected and you say oh, okay, I deleted this, you know, badware.exe, but I didn't delete the PDF from which it was spawned and I didn't know it entered, you know, four registry entries and I didn't know it opened a port as a listener and I didn't know that it also tried to propagate itself. So that's why I think it's prudent to say if possible. That's one of the things that the early, before EDR was an EDR, you know, there was I guess [inaudible] still exists, but the very first iteration of [inaudible], I used to love that because it would give me this whole life cycle of this is the PDF, this is what was launched, this was created, these are the things, and I can use that as a recipe to take all of that out at one time. And then search across all of my other devices to, has this registry entry appeared anywhere else? Is this listener, this port opened, on anything else that it shouldn't be? Is this executable or PDF open anywhere else?

Rick Howard: The example I always go to for these kinds of discussions is the OPM breach from a number of years ago. The IT staff didn't even notice that the Chinese were in their network for a year, but when they finally noticed, they assumed they were in that one spot where they noticed the effort, right? They didn't understand that it was rampant through their organization. And then when they finally brought in a third-party contractor who did the analysis and found it all and got rid of almost everything, they missed one version of it that ran on a, you know, a remote Linux box, and so it was still inside their network. So, what advice do you give to these kinds of small-medium companies who don't have the resources to track that kind of thing down?

Rick Doten: Right, you have to hire help. I mean, unless you have a good person. Now you also, the advantage is it's a small infra-footprint, you know, 99.9 percent of organizations in the U.S., as you kind of point out, are less than 500 people. They're small footprints, they're also today mostly work from home, so you're not on this broadcast domain that's easier to traverse, because everyone's somewhere else, particularly in these smaller companies that are completely, you know, cloud native. But that's a very common thing to miss, that in that description I just said, that oh, and one of those actions was, who are the domain admins, and let me go to the domain controller, let me pass the hash and get the admin password, create my own backdoor, my own domain admin on the domain that nobody even noticed, and maintain persistence that way. So I clean up everything, but they already have a backdoor because they have a domain account sitting there. So very, very common, so all of the incident responders are kind of trained now to be very, very comprehensive. But back to your question; what should small companies do? You hire people who do this for a living, you know? That's one piece of advice I've given people before, was, you know, a virtual CISO is kind of like having outside counsel. A small company can't, you know, pay for an inside general counsel, so they have them outside, and it's the same kind of thing with security.

Rick Howard: Well, I mean there's a whole list of things you probably could do, but I agree with you, Rick. Especially if you're a small to medium-sized company, maybe you might purchase insurance so that you can pay for this kind of thing when it happens, maybe that's the way you do it. Or, just bite the bullet when it does happen, just to make sure that you can be safe going forward. You did this for a long time, what was the go-to move after you guys remediated the initial problem? What did you tell your clients to do most of the time?

Rick Doten: Well, learn from this, you know, because usually when we went in and fixed something, we found a whole bunch of other things, like, you know, this happened because this wasn't turned on, or you realize you have a different version of xyz across all this and, you know, you don't have this on all of these devices. So it's learning what to do to improve it, to make sure it doesn't happen again in the short term, and, you know, here's all the stuff as an opportunity, because we just had this event, you now have the attention to maybe get some money to fix the things that you've probably been asking for forever, but now it's been realized.

Rick Howard: Well, good stuff, Rick. Thanks for coming on and explaining this. I really appreciate it.

Rick Doten: Alright, thank you very much for having me.

[ Music ]

Rick Howard: Next up is Dave Bittner's conversation with Trevor Hilligoss, the director of security research at SpyCloud, our show's sponsor.

[ Music ]

Dave Bittner: So, today we are talking about infostealers. Can you give us a little bit of the background and I don't know, lay of the land in history of what brought us to where we are today when it comes to infostealers?

Trevor Hilligoss: Oh boy, how much time do you have? There's been a lot. Yeah, so infostealers, as a type of malware, are not new. They've been around for, I think we're coming on a decade-ish, depends on, you know, what you count as, I guess, patient zero. You know, infostealers, I like to joke, folks in security, we're, I guess I'll speak for myself, unimaginative in our naming conventions. So, you know, infostealers is pretty descriptive, but we're basically talking about a type of malware whose entire purpose of existing is to steal information from an infected host, right? So generally speaking, and this has changed depending on when you look at it in time, generally speaking non-persistent malware, so, you know, stealthily delivered to a host, executed, performs its, you know, stealing functions, which vary from malware to malware. When the next [inaudible] that data off to a place that the attacker can access it, and use it for a variety of purposes, typically we're talking fraud, some kind of monetization, but really it runs the gamut. It runs everything from ransomware to, you know, espionage type stuff, to just good old data theft. That was [inaudible] sites, so yeah, it's a, it is a broad spectrum of nasty stuff.

Dave Bittner: Can we go through the infostealer life cycle? I mean how does, how does one typically find one's self falling victim to this and what's the process by which it does its business?

Trevor Hilligoss: You know, generally speaking, if we're talking about attack vectors that we see, and just to kind of clarify, when I talk about, you know, observation, stuff like that, my insight into this comes mainly from the post-exfiltration, so we're looking at the data that's actually stolen by these infostealers, not necessarily, you know, doing reverse engineering of any binaries, although we have done that. I often find that it's more interesting, or it can be more interesting, to look at the proceeds of this type of malware, especially for questions about, you know, what the intent is. But the general attack delivery, at least the most successful, tends to be some kind of, you know, ruse. So we've seen everything from using some kind of, like, AdSense, maybe they're going to post an ad on Google describing something as a popular messaging app, say like Signal or Telegram, or you pick your app, and that directs you to a website that's carefully crafted to look like, or be believable enough to be, you know, the real thing. But in fact what you get is a RedLine, a Raccoon, or another infostealer. That tends to be common and it also tends to be fairly short-lived, right? Google's pretty good at catching those things. But if you think about it, the amount of eyeballs on the internet these days, it doesn't have to be live for too long for it to get quite a few clicks. Similarly we also see, and this is, I guess, kind of a recent change, at least the past couple years we've seen this spike up, using things like compromised YouTube channels. So, you know, hackers will essentially take over someone's popular YouTube channel and then use that and its built-in fan base to spread an infostealer quite broadly. But one of the biggest, you know, links between all of these, quite honestly, is the use of social media and, you know, socially relevant things. So, games, cracked software, all of that stuff tends to be, you know, kind of the dealer's choice of these malware operators that are running these schemes.

Dave Bittner: And how do you assess the technical sophistication of these packages, are we talking about sophisticated things or is this the entry level for folks who are out there developing malware?

Trevor Hilligoss: So that's actually a really good question, Dave. One of the really interesting things about infostealers is a lot of these operate as what we call malware as a service. So how I like to describe this is, you know, we're all kind of familiar with sort of, like, managed software, right? So think about, like, you know, Adobe Photoshop. You subscribe to a monthly subscription, maybe it's a yearly subscription. It gets you access to the software, you get support that comes with it, so if something goes wrong you can contact Adobe, they'll help you out, you know, there's other things that are sort of packaged up in that one subscription deal. The analogy is basically the same for infostealers. Malware as a service infostealers. These criminal developers will create this malware, they will, you know, publish it on criminal forums online, and then market that to other criminals who typically pay either weekly or monthly subscription fees, and those can range anywhere from, you know, $50 up to $200. I think the highest I've seen was like $250, paid in crypto obviously. But then, you know, that allows that user who might not be very sophisticated, maybe they couldn't have created that malware on their own, but because they were able to pay that money to the person that did create it, now they're able to have this malware that they can deploy. And then they can, you know, reap the proceeds from it. So, it's almost like a distributed method of criminality, it doesn't-- we talked about sophistication, typically we're talking about, like, nation-state actors and those are, like, the very sophisticated, but what's kind of crazy about the infostealers and the malware as a service model is, you know, it almost democratizes this sophistication, right? You don't necessarily need to be some kind of, like, lead hacker with all of this coding experience to be able to do a lot of damage. Because you can take something that was built by somebody else who does have those, you know, that experience and those skills, and then craft your own relatively low-sophistication ruse and still be able to victimize, you know, a massive amount of people.

Dave Bittner: Help me understand what the specific concern here is for the corporate cybersecurity professional. I mean are infostealers targeting individuals and the corporation gets infiltrated as a side effect, or are they targeting companies as well?

Trevor Hilligoss: Yeah, so I don't know who said this quote originally, so I'm probably going to steal it from somebody, but there's this mechanic's quote, it goes something like; 90 percent of the problems in a car are between the driver's seat and the steering wheel. Right? I think you could apply that very easily to IT. In terms of, like, you know, do these infostealers target companies? I'm not going to say no, I'm sure there are, you know, there are criminals out there that are definitely targeting specific companies, but oftentimes it really seems like more of a spray and pray methodology, right? We're going to infect the maximum number of victims that we possibly can and then, in sorting through, you know, the proceeds of those infections, we'll find a gem. And that gem might be, if you're an initial access broker, maybe it's, you know, some Fortune 500, Fortune 1000 company that you're going to be able to sell that access to a ransomware affiliate that can then, you know, infect that company or exfiltrate data and charge a ransom. It could be, you know, on a lower level, somebody that's interested in carding or identity theft, right? All they're looking for is things they can sell to other criminals or even use themselves. It could be even more simple than that. So the real big danger, really in all of that, is corporations are made up of individuals, right? So, even if something isn't necessarily targeting you as a corporation by name, you know, your employees, being human beings and being online people, are still part of that targeting pool. So, if you have a situation where you have maybe unmanaged or under-managed, or you have, like, bring your own device policies. Basically anything that, you know, allows access to your environment that's not necessarily tightly controlled or monitored, you're kind of increasing your vulnerabilities to this kind of malware, because those employees that are doing things, maybe on their personal device, could leak information that does connect back to your corporate infrastructure and then in turn it could turn into a, you know, a significant event.

Dave Bittner: What are your recommendations then? I mean for folks to best protect themselves against this, what sort of things should they be focused on?

Trevor Hilligoss: Yeah, so we just released a report that in part surveys a bunch of security professionals, asking a lot of questions about how they, you know, see infostealers, whether they're worried about them, what their security controls consist of. Alongside that, my team, my research team, did some of our own research on the data and we looked at what we see in these logs and kind of what context we can provide to the greater survey, and one of the things that was really interesting from that was we found greater than one-fifth of all of the infostealer logs, so these are logs, folders, you can think of them like folders containing a bunch of files that were stolen from a device. One-fifth, so 20 percent of those logs had an installed antivirus appliance at the time of execution. So, the easy thing would be to say, you know, make sure your security controls are very good. Make sure you have good antivirus, make sure it's well-updated, make sure you have visibility of your networks, you know, you decrease bring your own device policies, you monitor things like MFA and you have good, you know, cookie revocation policies. All of those things that are great policies in general, none of that is infallible, right? And I'm not saying don't do that stuff. Definitely do all of that, please. But, you know, as a security practitioner, it's really good to do all of those things and still have a backup plan. And I would say that backup plan really is visibility, and it's visibility beyond what we traditionally consider part of the, you know, sort of digital forensics incident response process. So we're hyper-focused on devices, we're really focused on networks and things like firewall logs and application logs and all these kinds of things, but with infostealers especially, we have this sort of wild card variable at play, that is everything that was taken from that device that we might not have a record of. You know, if you ask me, like, hey, give me a list of all of the accounts that you have, I mean I could probably construct, like, an 80 percent list, but I don't know all the accounts that I have, right?

Dave Bittner: Right.

Trevor Hilligoss: Maybe that's just me, maybe somebody else has much better awareness of their online environment.

Dave Bittner: No, I don't think it's just you. I think we all, I think we all suffer from that, all those legacy accounts that just, I sometimes call them zombie accounts, you know, because they just hang around and they refuse to die.

Trevor Hilligoss: That's good. Zombie, okay, yeah.

Dave Bittner: Yeah, exactly, right?

Trevor Hilligoss: I mean we're so deeply invested in the internet that, you know, our online identity really has become our identity. You know, IRL has become just RL, and I think, you know, that kind of situation, it becomes very difficult. So, you know, having that-- at least having that understanding, approaching an incident with, I'm going to look at this device, obviously I'm going to do a good incident response, you know, forensic-centric incident response, but also what else could have been stolen? What types of, you know, session tokens could have been stolen? What are the validity periods of those? What kind of, you know, maybe there were API tokens, we're talking about, like, a developer or somebody that has access to that kind of, you know, internal systems. What other information could be on there? Intellectual property, a lot of stealers will actually steal files, you know, full-fat files from a desktop, or a documents folder. So what was in those files? Is that intellectual property? Is it something that might be export controlled, right? There's all these other questions that we start asking, and just having the knowledge and the foresight to ask those questions, I think, is really half the battle.

Dave Bittner: I know you and your colleagues there at SpyCloud, you have this notion of post-infection remediation. I mean is that really what we're getting at here?

Trevor Hilligoss: Yeah. Yeah, basically. So, you know, post-infection remediation, again with the names, you know, we're pretty simple people. I think it's pretty descriptive, you've got to break it down for people like me that used to work for the government. But it's basically that. Do all the great incident response things that, you know, we've all learned from SANS or whoever else, we've gone to all these classes and learned these things. Do those, but also, you know, consider outside of the devices, especially as we start, or not even start, right, this is well on its way, like we're very cloud focused now. We've got all these different appliances, third-party appliances, security appliances that are out there, SSOs, you know, our environment is no longer just a computer or even just a network, right? Our corporate environment is much larger now. So, consider those things and understand things like, if I have a cookie, an authentication cookie, and it's valid, and I also have some basic device information like your screen size and your OS type, some of that stuff, I can become you, right? It's not hard, there's open source tools out there that allow me to essentially emulate your device and pass that cookie as if I was just hitting F12 and refreshing the page. And so, in that kind of a situation, you can have the best multifactor authentication in the world, if I can do that and maybe I can exit from, like, get a residential proxy and one of your neighbors down the street, or even you specifically, right? Your own router. I can look basically identical, and so it's very difficult to control for that. So PIR is basically, let's summarize all of that, bring ourselves, you know, expand your consciousness, it's like that, you know, big brain meme, right? Expand your consciousness beyond just this device and think about all the other pieces of information that we create, either intentionally or unintentionally, that are still out there in the environment that we need to control for.

Dave Bittner: As you're out and about, you know, working with folks on this problem, to what degree are they self-aware? I mean are people accurate and up to date on the reality of their vulnerability to this? Or, are people whistling past the graveyard?

Trevor Hilligoss: I like that, let's [inaudible] past the graveyard. I think security, I'll speak for myself, I have a tendency to be overly pessimistic. We have an amazing amount of experience and knowledge and, you know, there is a lot of awareness. Now, is that enough? I don't know the answer to that question necessarily. I think, you know, going back to the survey that we did, we had a lot of respondents say that they were concerned about this and that they're, you know, they're at least cognizant. I think one of the statistics was, like, 98 percent, I want to say, would want better visibility into at-risk appliances. So, that tells me that people are at least aware of what they don't know. You know, knowledgeable that they need to close that gap as much as possible, but when you get into the specifics, especially that infostealer malware, because it is very niche, right? This is something that not everybody has dedicated their life to like I have, don't recommend that, in fact you should have a hobby, but, you know, something that specific, it's that much more niche. And so that's why what I like doing is what you're offering me today, a platform to come on and sit and talk about this, because I'm not saying, you know, you're going to listen to this podcast and become an expert on infostealers, but hopefully some of the things that I've said have hit a nerve, and maybe if you were part of that 98 percent that said, yeah, we want to know more, maybe one of these things that I said has kind of keyed into that and given you a question to ask or something to, a bit of information to go after. So that's kind of what I would say in terms of, like, general knowledge and how do we spread the message. I think it's just kind of being repetitive and saying the same things and highlighting what I see, and some of my peers see, as significant vulnerabilities and things that are precursors to things like ransomware, and then raising the visibility kind of at large.

Rick Howard: We'd like to thank Rick Doten, the CISO for Healthcare Enterprises at Centene, and Trevor Hilligoss, the director of security research at SpyCloud, for helping us get our arms around the idea of post-infection remediation. And we'd like to thank SpyCloud for sponsoring the show. This has been a production of the CyberWire and N2K. And we feel privileged that podcasts like CyberWire-X are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment: people. We make you smarter about your team, while making your team smarter. Learn more at Our senior producer is Jennifer Eiben, our sound engineer is Tre Hestor, and on behalf of my colleague, Dave Bittner, this is Rick Howard signing off. Thanks for listening.

[ Music ]