The global WannaCry epidemic has brought malware to the forefront of every major news outlet and has every enterprise security team scrambling to either undo the damage or ensure that their systems are not compromised. The explosion of malware and ransomware signifies the expansion of organized crime into the cyber realm. Why? Currency is now online and an extremely attractive target - money, bitcoins, financial information, etc. As a result, there is a new and rapidly growing "malware-as-a-service" market – making cybercrime a global problem for government, enterprises and individuals alike.
What is malware-as-a-service?
Bad actors that develop and steal sophisticated exploits and tools, such as those recently stolen from the NSA, do so to deliver a payload and achieve some objective. Two key factors play a part:
- Cybercrime organizations that have malicious interests (such as demanding a ransom, spying or stealing financial info), but do not have technical prowess to use hacking to do it.
- Individuals or groups who have the hacking know how to execute malware on a large scale.
The rising trend is collaboration between cybercriminals that have motive and provide the actions of the program or payload, with those who have technical capabilities to hack and deliver the software (sometimes called an “Exploit Kit” or malware-as-a-service). This has become rampant in Eastern Europe, Russia and other countries where laws against it are not well enforced.
For example, take the Black Hole Exploit kit that was released on "Malwox", an underground Russian hacking forum. The creators,"HodLuM" and "Paunch", were the first well know organization that put together software that could deliver whatever payload you wanted: ransom, steal money, spy. The exploit kit took care of delivery and propagation of malware so cybercriminals could just focus on developing the software to steal - and not have to worry about hacking/delivery. The perpetrators were eventually arrested.
More recently a new organization, the Shadow Brokers, leaked/stole some of the NSA’s most sophisticated technology and packaged it up as a service, so other bad actors could more easily deliver their software to achieve their goals. Last week’s WannaCry exploit that that crippled computers in at least 150 countries with its ransomware payload and is predicted to cost enterprises billions of dollars, is one of the most damaging malware-as-a-service examples to date.
How can an enterprise protect itself?
Work with a threat intelligence partner who is actively searching for what’s available on the dark web, as well as the latest feature set in exploit kits and malware-as-a-service to help determine vulnerabilities. Criminal organizations that produce and sell these to other criminals advertise their “service offering” on the dark web and are often transparent about what they have, so they appear cutting edge to potential buyers. This allows threat intelligence companies to gain some level of information to try and stay ahead of what is out there, and know what poses a threat.
- You need the right tools to stop the threat. If simply “knowing” about vulnerabilities were enough, companies wouldn’t find this so complicated. The threat can’t just be identified; it has to be stopped. Cybercriminals have increased velocity to deliver their payloads with the advent of malware-as-a-service, which increases the likelihood of breach. Malware, such as WannaCry, use tools from Shadow Brokers, which (in some cases) can use zero days, so they can’t always be stopped with detection tools.
In addition to keeping systems up-to-date, companies must adopt a proactive hunting posture because as velocity increases, so does the possibility that systems are already compromised and they just don’t know it. That’s why hunt solutions have become so critical: they look for stealthy compromises that made it through IT defenses. Identifying those payloads is a company’s last line of defense in order to have any chance for eradication.
Threat hunting tools like Infocyte HUNT can assist you with the hunt process to improve the speed and efficacy of your threat hunting program. It automates the search for threats and empowers your internal security teams to hunt without esoteric knowledge – so you can identify threats and get to the important task of incident response faster. And the faster you can identify a threat, the less harm it can do.
Ready to start hunting? Request a demo of Infocyte HUNT.