Legacy malware, often several years old, continues to haunt organizations, primarily due to the shrewd tactics employed by threat actors.
In the ever-evolving landscape of cyber threats, a curious phenomenon persists: older malware strains keep infiltrating organizations. Despite their age and the familiarity of their tactics, these legacy threats manage to slip through the cracks, exploiting reused code and outsmarting traditional defences.
While the term “legacy” may evoke images of outdated systems and forgotten technologies, in the realm of cyber threats it takes on a more sinister connotation.
Global organizations face a substantial threat due to the lax enforcement of security standards for IoT device manufacturers, exacerbated by the widespread presence of shadow IoT devices within enterprise networks. The risk comes from threat actors targeting “unmanaged and unpatched” devices, which they often leverage to establish an initial foothold in the targeted environment.
These threat actors, operating as de facto businesses, harbour a vested financial interest in extending the shelf life of their malware. This involves the recycling and repackaging of malicious code, coupled with innovative market strategies.
Technical manoeuvres such as code recompilation, binary morphing, and the creation of fresh signatures to sidestep traditional antivirus defences are par for the course. In essence, these threat actors operate as service providers, offering easy-to-use malware kits and licensing their products as malware-as-a-service.
Unravelling the Phobos Enigma: A Tale of Persistent Threats
Enter Phobos, a ransomware strain that first surfaced in 2019, evolving from its predecessors, the Dharma and Crysis ransomware strains. Dharma and Crysis were characterized by an indiscriminate “spray and pray” approach that targeted a broad range of victims. Unlike the more targeted attacks of groups such as Cuba ransomware or Club, Dharma and Crysis cast a wide net: leaked binaries allowed random actors to deploy these strains against diverse targets.
A shift in tactics is observed with 8Base, the group behind the later Phobos attacks. Unlike the random targeting of Dharma and Crysis, 8Base operates with a network of affiliates, forming what could be described as a ransomware cartel. This structured approach enables more coordinated and potentially more damaging attacks.
The latest Phobos iteration, discovered by Qualys at the end of November 2023, poses as VX-Underground, a well-known open-source community that shares malware samples and research. It is distributed under deceptive filenames such as “AntiRecuvaAndDB.exe” that mimic legitimate software, a level of sophistication that adds to its persistence.
Packed with UPX and targeting 32-bit architectures, Phobos displays typical ransomware behaviour: it checks for Cyrillic alphabets to avoid attacking friendly targets, terminates specific system processes to facilitate file encryption, and takes steps to prevent system recovery. Its persistence is achieved through clever tactics, including deleting shadow copies, disabling Windows Recovery, and turning off the Windows Firewall. Once active, it encrypts files, appending a “VXUG” extension to impersonate VX-Underground, and leaves ransom notes strategically placed across directories.
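The recovery-inhibition behaviour described above (shadow copy deletion, Windows Recovery disabled, firewall turned off) is exactly the kind of signal a behaviour-based detection can key on regardless of how the binary was recompiled. The following is an added example, not code from the article or from Qualys: it runs simple process-creation rules over a handful of constructed log events (the hostnames, timestamps and parent image names are invented) and raises one alert per host/parent pair that exhibits at least two distinct techniques, so that a single administrative command on its own does not fire.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry):
# (timestamp, host, parent image, command line)
SAMPLE_EVENTS = [
    ("10:01:02", "ws-17", "explorer.exe", r"C:\Users\ann\Downloads\AntiRecuvaAndDB.exe"),
    ("10:01:05", "ws-17", "AntiRecuvaAndDB.exe", "vssadmin delete shadows /all /quiet"),
    ("10:01:06", "ws-17", "AntiRecuvaAndDB.exe", "wmic shadowcopy delete"),
    ("10:01:07", "ws-17", "AntiRecuvaAndDB.exe", "bcdedit /set {default} recoveryenabled no"),
    ("10:01:08", "ws-17", "AntiRecuvaAndDB.exe", "netsh advfirewall set allprofiles state off"),
    # Benign administrative activity on another host: should not alert.
    ("11:15:00", "ws-03", "backup-agent.exe", "vssadmin list shadows"),
    ("11:20:00", "ws-03", "cmd.exe", "netsh advfirewall show allprofiles"),
]

# Behavioural rules for the three recovery-inhibition techniques the article lists.
# Raw strings keep the \b and \s escapes intact for the regex engine.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "firewall_disabled": re.compile(
        r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\S+\s+state\s+off", re.I),
}


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def detect(events, threshold=2):
    """Group matches by (host, parent process) and alert when a single parent
    chains at least `threshold` distinct techniques. Chaining is the signal:
    a lone 'vssadmin' run by a backup agent is expected; three inhibition
    steps from one freshly downloaded executable are not."""
    hits = defaultdict(set)
    first_seen = {}
    for ts, host, parent, cmd in events:
        for technique in classify(cmd):
            key = (host, parent)
            hits[key].add(technique)
            first_seen.setdefault(key, ts)
    alerts = []
    for (host, parent), techniques in hits.items():
        if len(techniques) >= threshold:
            alerts.append({
                "host": host,
                "parent": parent,
                "techniques": sorted(techniques),
                "first_seen": first_seen[(host, parent)],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} parent={alert['parent']} "
              f"first_seen={alert['first_seen']} techniques={alert['techniques']}")
```

In a real deployment the events would come from Sysmon event ID 1 or an EDR process feed, and the threshold and time window would be tuned to the environment; the point is that these rules keep working after the binary's hash changes, because they look at what the process does rather than what it is.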
The Ongoing Success of Older Attacks: Unpacking the Enigma
The question that begs an answer is why these older attacks, like Phobos, continue to be successful despite their well-documented tactics and familiar methodologies. Several factors contribute to their persistent success:
Signature-Based Malware Detection Limitations:
Many organizations rely on signature-based malware detection, a method that struggles to keep up with constantly evolving threats. Threat actors manipulate compiled code and alter signatures with each recompilation, effectively bypassing these signature-dependent systems.
Heuristic and Behavioural-Based Anti-Malware Limitations:
Heuristic or behaviour-based anti-malware systems offer improved efficacy but are not foolproof. Threat actors can employ tactics such as rearranging code elements, applying diverse obfuscation techniques, and rebuilding the malware into distinct binaries, all of which challenge heuristic evaluation.
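To make the signature-versus-heuristic point concrete, here is an added example (not from the article or any vendor): two constructed byte blobs stand in for an original build and a recompiled build of the same ransomware family, where the rebuild only pads the header and reorders sections. An exact-hash signature recognises the first and misses the second; a content indicator built from the strings the family cannot drop (the “.VXUG” extension and a ransom-note phrase, both constructed here) still matches. The blobs, hash set and indicator list are all assumptions for illustration.

```python
import hashlib

# Constructed stand-ins for two builds of one family (not real samples).
# The "recompiled" build pads the header and reorders the sections, which is
# enough to change every cryptographic hash while keeping the behaviour.
NOTE = b"NOTE:All your files have been encrypted, contact us;"
ORIGINAL_BUILD = (b"MZ\x90\x00" + b"\x00" * 16
                  + b"CODE:encrypt_files;" + NOTE + b"EXT:.VXUG;")
RECOMPILED_BUILD = (b"MZ\x90\x00" + b"\x00" * 64
                    + b"EXT:.VXUG;" + NOTE + b"CODE:encrypt_files;")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# A signature database holding only the hash of the build seen so far.
KNOWN_HASHES = {sha256(ORIGINAL_BUILD)}


def signature_match(sample, known=KNOWN_HASHES):
    """Exact-hash detection: any byte changes and the match is lost."""
    return sha256(sample) in known


# Content indicators chosen because the family needs them to operate:
# the impersonating extension and the ransom-note wording. Constructed here,
# not taken from a real rule set.
INDICATORS = [b".VXUG", b"All your files have been encrypted"]


def indicator_match(sample, indicators=INDICATORS, min_hits=2):
    """Heuristic-style detection: require several indicators to co-occur so
    that one benign file mentioning 'encrypted' does not trigger."""
    return sum(1 for ind in indicators if ind in sample) >= min_hits


def verdict(sample):
    """Layered decision: cheap exact match first, content heuristics second."""
    if signature_match(sample):
        return "signature"
    if indicator_match(sample):
        return "indicator"
    return "clean"


if __name__ == "__main__":
    for name, blob in [("original", ORIGINAL_BUILD), ("recompiled", RECOMPILED_BUILD)]:
        print(f"{name:10s} sha256={sha256(blob)[:16]}... verdict={verdict(blob)}")
```

The string layer is itself only one more layer: an actor who encodes the note text and extension at rest defeats it just as the rebuild defeated the hash, which is why the article pairs signatures with behavioural analytics rather than replacing one with the other.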
Organizational Sprawl and Resulting Defence Gaps:
As organizations expand, the sprawl of infrastructure, coupled with limited security resources, leads to defence gaps. Overworked security teams may overlook vulnerabilities that result from inadequate configurations or neglected security updates.
Integration of New Users and Systems:
The growing dependence on third-party services introduces new attack surfaces into existing infrastructures. The integration of third-party appliances, each with unique configurations and defence mechanisms, demands rigorous security evaluations to prevent inadvertent vulnerabilities.
The Stakes Are Higher: Regulatory Changes and Consequences
The potential impact of a breach on a business goes beyond the immediate consequences like business interruption, loss of customer trust, and mitigation costs. Regulatory changes bring forth the risk of much heavier losses, such as the non-renewal of federal contracts. A breach linked to a known issue identified by a government agency like CISA (Cybersecurity and Infrastructure Security Agency) can lead to severe consequences, making it imperative for organizations to address identified vulnerabilities promptly.
Shoring Up Defences: Strategies Against Reconditioned Attacks
Defending against revitalized attacks necessitates a multi-faceted approach, aligning with the principle of defence in depth. This involves creating and maintaining multiple layers of security controls that protect against different attack vectors.
Complement Signature-Based Detection:
Augment signature-based detection methods with behavioural analytics and heuristics. This two-pronged approach enhances detection, reduces false positives, and aligns with the defence-in-depth principle.
Attack Surface Management (ASM) Tools:
Utilize offensive-oriented ASM tools to test system resilience and identify security gaps. Tools like Cymulate ASM, with dual internal and external capabilities, assess not only exposed assets but also internal exploitable assets and weaknesses in attack paths.
Keep Security Controls Up to Date:
Continuously update and maintain security controls, including firewalls, antivirus software, and intrusion detection systems. Frequent validation of control effectiveness is crucial to avoid security drift, and tools like Breach and Attack Simulation (BAS) simulate real-world cyberattacks to assess control resilience.
The success of these older attacks serves as a stark reminder of the limitations of traditional signature-based detection methods. Embracing and validating more dynamic approaches, such as behavioural analytics and heuristics, is crucial in fortifying defences.
Leveraging tools like Cymulate’s Attack Surface Management and Breach and Attack Simulation enables proactive identification and resolution of vulnerabilities, automating the validation process in the ongoing battle against persistent threats.