TIPS #6: How should companies protect themselves from infostealers?

08.17.23 | Shane Shook | Blog Post

Welcome to the sixth edition of #ForgepointTIPS (Threat Intelligence Portfolio Spotlight), where we examine the latest cybersecurity trends and threats and provide actionable insights for industry decision-makers. Today we explore #infostealers: the basics of this burgeoning and insidious form of malware, how it can take advantage of unsecure personal devices to reach corporate environments, and how you can take steps to secure your company.  

Issue: Infostealers steal credentials and sensitive information from infected devices and are becoming more common.  

Infostealers are malware that steal sensitive data from infected devices and package it into encrypted files which are usually sold on the black market. Criminals are then equipped to control stolen identities, commit financial crimes, and gain access to other systems. Infostealers are hard to detect and track because they act quietly in the background without announcing their presence (as opposed to more visible threats like ransomware attacks).   

Infostealers often spread through malicious attachments or links in emails, infected websites, and pirated software. One of the most common and successful vectors for infostealers is “waterholing”, in which attackers infect popular websites and advertisements (as opposed to directly targeting individual devices) to exploit browser vulnerabilities.  

Infostealers can target several types of data:  

  • Browser infostealers steal browser-based information including login credentials, cookies, tokens, and browser history, and can even take screenshots of active browser sessions. Attackers can persist across browser sessions using stolen cookies, potentially bypassing multi-factor authentication (MFA).  
  • Keyloggers record keystrokes to steal passwords or other sensitive data as you type.  
  • System fingerprinters capture system information and build a detailed profile of operating systems, networks, servers, and hardware to ensure more effective future attacks.  
  • File or data harvesters steal specific files and information on an infected computer.  
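The cookie-replay risk described above is something the service side can catch: the server remembers the client context under which a cookie was issued after MFA and forces a fresh factor when the same cookie later arrives from a different context. This is an added example, not code from the original post; the class, field names and sample requests are assumptions.

```python
"""Detect replay of a stolen browser session cookie on the server side.
Added example (not from the original post): the server remembers the
client context seen when a cookie was issued after MFA and demands a
fresh factor when the same cookie later arrives from a different
context. Names, fields and the sample requests are assumptions."""
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    ip: str
    user_agent: str
    mfa_verified: bool = True
    anomalies: list = field(default_factory=list)

class SessionGuard:
    """Maps cookie values to sessions and checks each request's context."""

    def __init__(self):
        self.sessions = {}

    def issue(self, cookie, user, ip, user_agent):
        """Record the context of a session created after a successful MFA login."""
        self.sessions[cookie] = Session(user, ip, user_agent)

    def check(self, cookie, ip, user_agent):
        """Return 'ok', 'reauth' or 'unknown' for a request bearing `cookie`.
        Requiring BOTH a new IP and a new user agent is a deliberate tolerance
        for normal IP roaming (an assumption; tune to your own traffic). A hit
        clears the session's MFA state, so every later use of the cookie,
        from anywhere, must pass a fresh factor before being served."""
        s = self.sessions.get(cookie)
        if s is None:
            return "unknown"
        if ip != s.ip and user_agent != s.user_agent:
            s.mfa_verified = False
            s.anomalies.append((ip, user_agent))
        return "ok" if s.mfa_verified else "reauth"

    def reverify(self, cookie, ip, user_agent):
        """After a fresh MFA succeeds, rebind the session to that context."""
        s = self.sessions[cookie]
        s.ip, s.user_agent, s.mfa_verified = ip, user_agent, True

def demo():
    """Constructed walk-through: own browser, replay from elsewhere, recovery."""
    g = SessionGuard()
    g.issue("c0ffee", "alice", "203.0.113.10", "Chrome/114")
    own = g.check("c0ffee", "203.0.113.10", "Chrome/114")      # ok
    replay = g.check("c0ffee", "198.51.100.7", "curl/8.1")     # reauth
    again = g.check("c0ffee", "203.0.113.10", "Chrome/114")    # reauth: tainted
    g.reverify("c0ffee", "203.0.113.10", "Chrome/114")         # real user passes MFA
    return own, replay, again, g.check("c0ffee", "203.0.113.10", "Chrome/114")
```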

Infostealer incidents are becoming much more common: recent research from Uptycs found that these incidents more than doubled from Q1 2022 to Q1 2023. A recent example is the Meduza stealer, an infostealer uncovered by Uptycs threat researchers on June 30. Meduza targets Windows users to steal browser data including login credentials, browsing history, and data from browser extensions like password managers and crypto wallets, putting Windows-based organizations at risk. 

Impact: Stolen data can give attackers access to business systems and devices.  

Infostealers present a serious threat to organizations because they are uniquely positioned to spread beyond infected personal devices to corporate environments, especially if a user is logged in across personal and work devices on a browser like Google Chrome. A recent article from Constella Intelligence notes that users are less likely to have sophisticated security measures on home devices compared to work devices. Infostealers take advantage of weaker personal device security to give attackers access to corporate systems. 

The impacts to affected companies are significant. Sensitive or confidential data leaks, threats of ransom payments, privacy violations, loss of IP, identity theft, fraud, reputational damage, lawsuits, and increased recovery costs are all potential consequences. Attackers have targeted a wide range of business tools and systems, with documented evidence of Salesforce, email, expense and benefits management services, help desk, and remote support services account takeovers. On top of serious business interruptions and impaired customer relationships, the legal and financial ramifications can be severe.   

2022 CircleCI hack 

The 2022 CircleCI hack (reported in early 2023) exemplifies the downstream effects from infostealers. DevOps company CircleCI, which provides a CI/CD platform for developers, experienced a data breach enabled by a successful infostealer attack in December 2022. A company engineer’s laptop was compromised by an infostealer which stole two-factor authentication-backed account credentials and browser cookies before escalating account access to production systems. Hackers stole data including customer environment variables, tokens, and keys in addition to encryption keys to access encrypted data. Sensitive customer data and secrets stored in code were compromised, and a limited number of customers experienced unauthorized access to third party systems. 

Action: Secure individual devices and implement strong corporate security solutions.  

1. Back to basics: password hygiene and awareness training 

Protecting passwords is at the core of defending against infostealer attacks. Enable or require multi-factor authentication for corporate and personal accounts, change passwords regularly, use complex passwords, and ensure passwords are unique (not shared across accounts). Revisit your company’s password policy regarding these steps.  

Educate your employees with best practices around evaluating suspicious links, phishing emails, social engineering, and other key cybersecurity topics to prevent an account compromise in the first place.  

2. Update, patch, and scan 

Use reputable antivirus software and regularly update and patch all software and operating systems. In addition, update browsers and strengthen browser privacy and security settings to secure devices against infected websites or advertisements. Consider using a smart browser to both enhance the browsing experience and improve user privacy and security with features like built-in antivirus, secure search, website verification, ad block, and privacy protections. 

A strong suite of cybersecurity tools to scan and address risks is critical too. Uptycs offers extended detection and response (XDR) tools to help you scan for stealer malware. You can fight back against persistent threats with Huntress’ EDR which detects infostealers based on process data. Protecting user identities is important as well; Constella Intelligence’s business protection platform helps organizations monitor identity exposures, supply chain compromises, and customer account breaches.  
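Detecting infostealers from process data, as the EDR tools above do, can be as simple as watching which processes read the browser's credential stores. The following is an added example, not Uptycs' or Huntress' own detection logic: a minimal rule run over constructed endpoint file-access events; the event format, process names and paths are assumptions.

```python
"""Flag non-browser processes that read browser credential stores.
Added example (not Uptycs' or Huntress' own logic) over constructed
endpoint file-access events of the kind an EDR records: a read of the
browser's saved-login or cookie database by anything other than the
browser itself is a strong infostealer signal."""
import re

# Chromium profile files holding saved logins, cookies and their key
# (file names as Chromium uses them; paths below are assumptions).
CREDENTIAL_FILES = {"Login Data", "Cookies", "Web Data", "Local State"}
# Processes expected to touch those files on a healthy endpoint.
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) image="(?P<image>[^"]+)" '
    r'op=(?P<op>\w+) path="(?P<path>[^"]+)"$'
)

def parse_event(line):
    """Parse one event line into a dict, or None if malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def is_credential_store(path):
    """True for files inside a Chromium 'User Data' profile that hold secrets."""
    return "User Data" in path and path.rsplit("\\", 1)[-1] in CREDENTIAL_FILES

def detect(lines):
    """Return (pid, image name, path) for every suspicious read or copy."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] not in ("read", "copy"):
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if is_credential_store(ev["path"]) and image not in ALLOWED_IMAGES:
            hits.append((int(ev["pid"]), image, ev["path"]))
    return hits

# Constructed sample telemetry: a benign browser read, a benign document
# read, and an unknown binary in Temp harvesting logins and cookies.
SAMPLE_EVENTS = [
    r'2023-06-30T10:01:02Z pid=4412 image="C:\Program Files\Google\Chrome\Application\chrome.exe" op=read path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'2023-06-30T10:02:15Z pid=3080 image="C:\Windows\explorer.exe" op=read path="C:\Users\alice\Documents\report.docx"',
    r'2023-06-30T10:03:40Z pid=7716 image="C:\Users\alice\AppData\Local\Temp\setup_helper.exe" op=read path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'2023-06-30T10:03:41Z pid=7716 image="C:\Users\alice\AppData\Local\Temp\setup_helper.exe" op=copy path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("suspicious credential-store access:", hit)
```

In production the same rule would be fed from EDR file-access telemetry rather than a list of strings, and the allowlist extended to the browsers and backup agents your fleet actually runs.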

3. Recovery planning and insurance  

If your company experiences a breach due to an infostealer-based attack, a strong response is essential. Boards and executive teams should have a clear incident response plan in place including protocols to alert stakeholders, employees, customers and external partners. Surefire Cyber helps you enact a holistic incident response. Converge Insurance gives you the coverage you need to protect your company.  

Thanks for reading Forgepoint TIPS! Please subscribe and share with a peer. Have feedback or a cyber threat or trend you’d like us to address? Get in touch. 