How does malware spread? Top 5 ways malware gets into your network
A successful malware attack can be highly disruptive to an organization’s day-to-day operations. And with hundreds of thousands of new malicious samples created every single day, it’s never been more important for businesses to be proactive when it comes to combating malware.
In this blog post, we’ll explore the most common ways that malware is distributed and provide you with actionable steps you can take today to protect your organization’s network.
1. Phishing
Phishing is a form of social engineering whereby attackers impersonate a reputable entity with the aim of deceiving the target into revealing sensitive information or installing malware. Phishing attacks are most commonly delivered via email (around 3.4 billion phishing emails are sent every single day!) but can also be distributed through text messages, social media apps and phone calls.
Phishing can take many forms. Commonly, an attacker might send an email that appears to come from a trusted source, such as a bank, government agency or major e-commerce store, requesting that the user click on a link or download an attachment. Clicking the link or opening the attachment triggers the download and execution of malware.
Target selection also varies greatly between phishing campaigns. In a traditional phishing attack, threat actors send messages in bulk to thousands or even millions of recipients. Spear phishing is more selective and targets specific members of a particular organization in order to gain access to high-value data. Whaling attacks are narrower still, homing in on executives and other high-ranking individuals who have high-level access to sensitive information.
How to prevent phishing attacks
- Web filtering: Some cybersecurity solutions can help prevent phishing attacks by blocking access to websites that are known to be malicious. Emsisoft Anti-Malware, for example, maintains a large database of malicious and dangerous hosts gathered from public lists, verified user submissions and a network of specialized intelligence organizations. The database is continually updated to protect users against the latest phishing threats. When a user attempts to access a malicious website, Emsisoft Anti-Malware blocks the connection before any data is exchanged. Bear in mind that filtering only blocks hosts that are already known to be bad; a lookalike domain registered for a single campaign may not yet be listed, so web filtering complements, rather than replaces, the measures below.
- Staff training: Phishing works by exploiting natural human tendencies, which makes staff education one of the most effective forms of mitigation. Staff at every level of the organization should be trained to recognize the potential signs of a phishing scam, such as typos, grammatical errors, misspelled URLs, a sender address that does not match the display name, artificial urgency and unsolicited email attachments. Escalation processes should be documented and disseminated so that staff know who to report suspicious emails and phishing incidents to, which in turn helps IT teams respond to threats and track phishing patterns. Because phishing techniques are continuously changing, training should be conducted regularly so that teams are familiar with the latest tactics.
- Email authentication: There are several email authentication protocols that let receiving mail servers verify that a message claiming to come from your domain was actually sent by a system you authorized and was not altered in transit. Be clear about what they protect: they stop attackers from sending mail as your domain to receivers that enforce them. They do nothing against messages sent from a lookalike domain the attacker registered or from a legitimate account the attacker has compromised, and they only take effect once the receiving side checks them and your published policy is set to quarantine or reject.
  - Sender Policy Framework (SPF): Lets domain owners publish, in a DNS TXT record, which IP addresses are authorized to send email on their behalf.
  - DomainKeys Identified Mail (DKIM): Uses a digital signature, verified against a public key published in DNS, to show that a message was sent by an authorized sender and has not been tampered with in transit.
  - Domain-based Message Authentication, Reporting and Conformance (DMARC): Builds on SPF and DKIM by requiring that the domain which passed SPF or DKIM aligns with the From: domain the user sees, and lets domain owners specify how receivers should handle messages that fail (none, quarantine or reject) and where to send aggregate reports.
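The following is an added example, not Emsisoft code, showing how a receiving mail server applies the three mechanisms above. The SPF and DMARC TXT records, the domain example.com and the IP addresses are constructed; a production receiver fetches the records from DNS, resolves include:/a/mx mechanisms with the 10-lookup limit, and uses the Public Suffix List rather than the two-label shortcut used here to find the organizational domain.

```python
"""Evaluate SPF and DMARC for an inbound message.

Added example, not Emsisoft code: the DNS TXT records, domains and IP
addresses below are constructed for illustration.
"""
import ipaddress

# Constructed TXT records for a hypothetical domain, example.com.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.example.net -all"
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return (ip networks with qualifiers, include targets, qualifier of 'all')."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, includes, default = [], [], "?"
    for term in terms[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            nets.append((qual, ipaddress.ip_network(term[4:], strict=False)))
        elif term.startswith("include:"):
            includes.append(term[8:])  # not resolved in this offline example
        elif term.lower() == "all":
            default = qual
    return nets, includes, default


def spf_check(record, client_ip):
    """SPF result for the connecting IP: pass, fail, softfail or neutral."""
    ip = ipaddress.ip_address(client_ip)
    nets, _includes, default = parse_spf(record)
    for qual, net in nets:
        if ip in net:  # False when address and network versions differ
            return QUALIFIER_RESULT[qual]
    return QUALIFIER_RESULT[default]


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict."""
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Simplification: the last two labels. Real code consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc result, action) for the From: domain the user sees.

    spf_domain is the envelope sender (MAIL FROM) domain; dkim_domain is the
    d= of a verified DKIM-Signature. The message passes if EITHER mechanism
    passed AND its domain aligns with the From: domain; otherwise the owner's
    policy applies (sp= for subdomains, p= otherwise)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    return "fail", policy


if __name__ == "__main__":
    # Spoofed message: From: example.com, sent from an IP the domain never authorized, no DKIM.
    spf = spf_check(SPF_RECORD, "198.51.100.7")
    print(spf, dmarc_evaluate(DMARC_RECORD, "example.com", spf, "example.com", "none", None))
    # Legitimate message relayed through an authorized address.
    spf = spf_check(SPF_RECORD, "203.0.113.10")
    print(spf, dmarc_evaluate(DMARC_RECORD, "example.com", spf, "example.com", "none", None))
```

Two points the code makes concrete: a message can pass SPF and still fail DMARC if the envelope domain does not align with the From: domain, which is exactly the gap DMARC closes; and a message from a lookalike such as examp1e.com never reaches this evaluation for example.com at all, because the receiver looks up the DMARC record of the domain actually in the From: header.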
2. Compromised credentials
Threat actors use a variety of methods to get their hands on login credentials. They might buy passwords leaked in earlier breaches on the dark web, or trick your users into typing them into phishing sites that look remarkably similar to the websites of reputable organizations. They might quietly install a keylogger or information-stealing malware that harvests passwords saved in the browser. Or they might guess: trying every possible character combination against a stolen password hash (brute force), trying a handful of common passwords against many accounts to stay under lockout thresholds (password spraying), or replaying username and password pairs from other breaches (credential stuffing).
Once login credentials have been compromised, attackers can do more or less anything within the hacked account’s privileges. In some scenarios, threat actors may deploy malware immediately; in other cases, they may bide their time, escalating privileges, moving laterally within the network, and generally preparing the environment to maximize the impact of an attack.
How to keep credentials secure
- Two-factor authentication (2FA): 2FA adds an extra layer of security by requiring users to provide two forms of authentication to access their accounts, typically a password plus a code sent via text message or generated by an app. If a staff member's password is compromised, an attacker who has only the password still cannot log in. Not all second factors are equal, though: SMS codes can be intercepted through SIM swapping, and one-time codes of any kind can be relayed by a phishing site that proxies the real login page in real time. Where available, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the genuine site's origin.
- Password managers: Keeping track of the countless usernames and passwords that make up our digital lives is easier said than done, so it's not surprising that many people reuse the same password across multiple accounts. The risk is that if the credentials of one account are compromised, threat actors can walk straight into every other account that shares them. Mitigate this by encouraging the use of a trusted password manager, which generates a unique, random password for every account and stores them all in one encrypted vault.
- Principle of least privilege: The principle of least privilege is a security concept that involves granting users the minimum level of access required to perform their job function. In other words, each user account should only have the necessary permissions and access to perform their specific tasks, and nothing more. This helps limit the impact of an incident; if a user’s login credentials are compromised, attackers will only have access to the systems and data that the user has permissions for.
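Compromised credentials are often visible in authentication logs before the attacker does anything else. The following is an added example, not Emsisoft code: a small detector that separates brute force (many failures against one account from one source) from password spraying (one or two failures each against many accounts from one source), and flags the spray that ends in a successful login. The log format and every log line are constructed for illustration; adapt LOG_RE to your own authentication log.

```python
"""Spot brute-force and password-spraying patterns in authentication logs.

Added example, not Emsisoft code. The log format (one line per attempt:
'<ISO time> auth FAIL|OK user=<name> src=<ip>') and all lines below are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

SPRAYED = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
SAMPLE_LOG = "\n".join(
    # 12 failures against one service account in under a minute: classic brute force.
    [f"2024-05-01T09:00:{s:02d}Z auth FAIL user=svc-backup src=198.51.100.7" for s in range(0, 60, 5)]
    # One failure per account across eight accounts, then a success: a spray that
    # stays under any per-account lockout threshold and finally lands.
    + [f"2024-05-01T09:{m:02d}:00Z auth FAIL user={u} src=203.0.113.9" for m, u in enumerate(SPRAYED)]
    + ["2024-05-01T09:09:00Z auth OK user=grace src=203.0.113.9"]
    # A user mistyping once and then logging in: no alert.
    + ["2024-05-01T09:12:00Z auth FAIL user=alice src=192.0.2.15",
       "2024-05-01T09:12:20Z auth OK user=alice src=192.0.2.15"]
)


def parse_log(text):
    """Parse matching lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return events


def classify_window(fails, bf_threshold, spray_users):
    """Label one source's failures that fall inside a single time window."""
    per_user = defaultdict(int)
    for e in fails:
        per_user[e["user"]] += 1
    if max(per_user.values()) >= bf_threshold:
        return "brute_force"            # many guesses against one account
    if len(per_user) >= spray_users and max(per_user.values()) <= 2:
        return "password_spray"         # few guesses each against many accounts
    return None


def detect(events, window=timedelta(minutes=15), bf_threshold=10, spray_users=5):
    """Return {source ip: alert} using a sliding window over each source's failures."""
    fails, ok_users = defaultdict(list), defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e)
        else:
            ok_users[e["src"]].add(e["user"])
    alerts = {}
    for src, ev in fails.items():
        ev.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(ev)):
            while ev[end]["ts"] - ev[start]["ts"] > window:
                start += 1
            kind = classify_window(ev[start:end + 1], bf_threshold, spray_users)
            if kind == "brute_force" or (kind and src not in alerts):
                alerts[src] = kind
        # The case that matters most: a spray followed by a successful login from
        # the same source means the attacker found a working password.
        if alerts.get(src) == "password_spray" and ok_users.get(src):
            alerts[src] = "password_spray_success"
    return alerts


if __name__ == "__main__":
    for src, alert in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {alert}")
```

Note the asymmetry the thresholds encode: per-account lockout, the usual defence, stops the first pattern but is blind to the second, which is why spraying is keyed on the number of distinct accounts per source rather than attempts per account. Attackers who rotate source addresses defeat the per-source grouping used here; in that case group by user-agent or by the set of targeted accounts instead.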
3. Exploit kits
An exploit kit is a toolkit that threat actors use to detect and exploit known security vulnerabilities in client-side software, including the browser, its plugins and the operating system. Once a vulnerable component has been identified, the kit serves the matching exploit, which in turn downloads and runs whatever malware the attacker has chosen as the payload.
Threat actors commonly host exploit kits on compromised websites, or reach victims through malicious advertisements (malvertising) that silently redirect the browser to the kit's landing page. When a user arrives, the landing page fingerprints the browser and its plugins for vulnerable versions and automatically attempts to exploit them to deliver malware to the system.
This is known as a drive-by download. Drive-by downloads are unique in that they don't require a user-initiated action to start the infection chain: simply visiting the compromised website with an unpatched browser is enough to become infected with malware.
How to avoid exploit kits
- Apply updates: Most exploit kits work by taking advantage of known security vulnerabilities, that is, vulnerabilities for which a fix already exists. Keep your systems secure by being proactive with patch management and applying important security updates promptly, and turn on automatic updates for browsers and browser plugins in particular, since they are the components exploit kits target most. The longer you go without installing security updates, the more likely it is that you'll fall victim to an exploit.
- Harden your system: Only install software that is needed for each individual's job function. Audit your current software stack and remove any unnecessary applications, including superfluous browser extensions, browser plugins and system tools. Every component you remove is one less thing an exploit kit can fingerprint and attack.
4. Compromised managed service providers
Managed service providers (MSPs) are attractive targets for cybercriminals because they’re responsible for remotely managing the IT infrastructure of multiple clients. By successfully compromising a single MSP, threat actors are often able to gain access to the networks of the MSP’s client base and use the MSP’s infrastructure – often remote monitoring and management (RMM) software – to deploy malware to multiple targets at once.
For MSPs, the potential impact of a compromise is enormous. MSPs must implement robust security measures to protect themselves and their clients, which might include implementing multi-factor authentication, monitoring for unusual activity, and conducting regular security audits and vulnerability scans. Additionally, MSPs should ensure that they have a strong incident response plan in place in case of a security breach.
How to mitigate malware delivered through MSPs
- Be selective: The service providers you choose to work with have a direct impact on the security of your business, the integrity of your data and your reputation. So, be selective. When considering a prospective MSP, discuss your concerns. Ask about their credentials. Look at their track record. Do they have an incident response plan in place? Which frameworks or compliance standards do they align to? How often do they audit their security processes? Put it all in writing in your service agreements so that your suppliers are obliged to maintain cybersecurity standards.
- Use 2FA on RMM software: While not infallible, 2FA on the RMM console and on every other remote-access path into your environment is a simple and effective way to reduce the risk of a security breach via compromised RMM credentials.
5. Pirated software
Not only is the use of pirated software illegal, but it’s also a common source of malware. Threat actors often use pirated software as a vehicle for delivering a wide range of malware, including keyloggers, ransomware, trojans, backdoors, cryptojackers, adware and more.
In some cases, the software might actually work as advertised while quietly delivering the malicious payload in the background. In other scenarios, threat actors might create fake versions of popular software that serve no function other than to infect users with malware. Indeed, even legitimate software can sometimes be bundled with malware or potentially unwanted software!
How to avoid pirated software malware infections
- Avoid pirated software: It's just not worth it. In addition to the risk of malware infections, pirated software usually doesn't receive timely updates, which means you could well miss out on important security patches and leave your applications vulnerable to exploitation further down the track. There are so many freeware (or freemium) applications, games and software tools out there that it simply doesn't make sense to still be running pirated software.
- Don’t even browse: The websites that host pirated software are often riddled with ads that can redirect users to malicious websites or trick them into downloading and installing malware. Steer clear.
Takeaway
Threat actors use a variety of channels to distribute malware, including phishing attacks, compromised credentials, exploit kits, compromised MSPs and pirated software. It’s important to be aware of these attack vectors and take the necessary precautions to secure your network.